On 03/19/2014 11:22 AM, Steve Clark wrote:
On 03/19/2014 12:11 PM, SilverTip257 wrote:
On Wed, Mar 19, 2014 at 10:01 AM, Johnny Hughes johnny@centos.org wrote:
On 03/19/2014 08:50 AM, Timothy Murphy wrote:
SlashDot had an article today on a Linux server malware attack, <http://it.slashdot.org/story/14/03/18/2218237/malware-attack-infected-25000-...>.
I wonder if there is a simple test to see if a CentOS machine has been infected in this way?
The article mentions Yara and Snort rules to test for this, but I wonder if there is something simpler? Alternatively, are there Yara or Snort packages for CentOS? ("Yum search" didn't seem to find anything.)
Look at this PDF:
The article I read, linked to a detection toolkit on GitHub. https://github.com/eset/malware-ioc
Read this: https://github.com/eset/malware-ioc/blob/master/windigo/README.adoc
I didn't see anything about how the machines got infected. Did I miss something?
Linked PDF, Section 3.2 has a timeline ... the bottom line is, people got root access via credentials and password logins.
Once they got credentials, they put trojans on and got everyone's username and passwords.
If you look at page 66 of the PDF, it tells you how to not get infected ... don't allow root logins and don't use passwords.
Don't keep users' server root passwords in a database, etc.
Johnny Hughes wrote:
If you look at page 66 of the PDF, it tells you how to not get infected ... don't allow root logins and don't use passwords.
Thanks very much for your prompt response.
I was slightly surprised to see that PermitRootLogin seems to be set to Yes by default on CentOS (and also on Fedora).
I'm very ignorant of these matters, but what advantage does this give? Can't I get to the same place by ssh-ing into the remote machine, and then su-ing there?
On Thu, Mar 20, 2014 at 8:43 AM, Timothy Murphy gayleard@eircom.net wrote:
Johnny Hughes wrote:
If you look at page 66 of the PDF, it tells you how to not get infected ... don't allow root logins and don't use passwords.
Thanks very much for your prompt response.
I was slightly surprised to see that PermitRootLogin seems to be set to Yes by default on CentOS (and also on Fedora).
I don't look at PermitRootLogin being yes by default as being a bad thing. Securing SSH doesn't stop at just its configuration.
Initially "root" is the only account on a Linux machine. It's up to the sysadmin to create another account [and further secure] the host.
This brings up other aspects of securing user accounts:
1) strong/somewhat random passwords (especially for the root user)
2) firewall rules that only permit select hosts to access SSH (or other services)
And then there's password aging.
I'm very ignorant of these matters, but what advantage does this give? Can't I get to the same place by ssh-ing into the remote machine, and then su-ing there?
"root" is an easy username to guess ... and will exist on most Linux systems
There will likely not be a "tmurphy" or "gayleard" on most Linux hosts, so that account is less likely to be brute forced.
--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin 2, Ireland
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
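As an added example (not from the thread or from the ESET toolkit), here is a small audit helper for the two sshd_config settings the thread keeps coming back to, PermitRootLogin and PasswordAuthentication. It models how sshd actually reads the file: the first occurrence of a keyword wins, later duplicates are ignored, and anything below a Match line is conditional rather than global. The defaults assumed for absent keywords are those of the OpenSSH shipped with CentOS at the time (both "yes"); the sample configs are constructed.

```python
import re

# Defaults sshd applies when a keyword is absent (OpenSSH as shipped on CentOS 6
# at the time of the thread; newer releases default to prohibit-password).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

# Values that address the thread's two concerns: a guessable root username
# and stolen or brute-forced passwords.
SAFE = {"permitrootlogin": {"no", "without-password", "prohibit-password"},
        "passwordauthentication": {"no"}}

def effective_settings(config_text):
    """Return {keyword: value} as sshd applies them globally.

    sshd uses the FIRST occurrence of a keyword and ignores later duplicates;
    keywords are case-insensitive, written 'key value' or 'key=value';
    everything after a Match line is conditional, hence not global."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # remaining lines belong to Match blocks
        if key in DEFAULTS and key not in found and len(parts) == 2:
            found[key] = parts[1].strip().lower()
    return {k: found.get(k, DEFAULTS[k]) for k in DEFAULTS}

def audit(config_text):
    """Return [(keyword, effective_value, is_safe)] for the audited keywords."""
    return [(k, v, v in SAFE[k]) for k, v in effective_settings(config_text).items()]

# Constructed sample with two gotchas: a later duplicate that sshd ignores, and
# a hardening line inside a Match block, which does not apply globally.
WEAK_CONFIG = """\
PermitRootLogin yes
PermitRootLogin no            # ignored: first value wins
Match Address 10.0.0.0/8
    PasswordAuthentication no # applies only to that address range
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, [(k, v, "ok" if ok else "WEAK") for k, v, ok in audit(cfg)])
```

To check a real host, pass the contents of /etc/ssh/sshd_config to audit(); keep in mind that a commented-out "#PermitRootLogin yes" line is not a setting, it is the default being applied.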