On 03/19/2014 11:22 AM, Steve Clark wrote:
> On 03/19/2014 12:11 PM, SilverTip257 wrote:
>> On Wed, Mar 19, 2014 at 10:01 AM, Johnny Hughes <johnny at centos.org> wrote:
>>
>>> On 03/19/2014 08:50 AM, Timothy Murphy wrote:
>>>> SlashDot had an article today on a Linux server malware attack,
>>>> <http://it.slashdot.org/story/14/03/18/2218237/malware-attack-infected-25000-linuxunix-servers>.
>>>>
>>>> I wonder if there is a simple test to see if a CentOS machine
>>>> has been infected in this way?
>>>>
>>>> The article mentions Yara and Snort rules to test for this,
>>>> but I wonder if there is something simpler?
>>>> Alternatively, are there Yara or Snort packages for CentOS?
>>>> ("Yum search" didn't seem to find anything.)
>>>>
>>> Look at this PDF:
>>>
>>> http://bit.ly/1qCEQFi
>>>
>> The article I read, linked to a detection toolkit on GitHub.
>> https://github.com/eset/malware-ioc
>>
>> Read this:
>> https://github.com/eset/malware-ioc/blob/master/windigo/README.adoc
>>
> I didn't see anything about how the machines got infected. Did I miss something?

Linked PDF, Section 3.2 has a time line ... the bottom line is, people got root access via credentials and password logins. Once they got credentials, they put trojans on and got everyone's username and passwords.

If you look at page 66 of the PDF, it tells you how to not get infected ... don't allow root logins and don't use passwords. Don't keep user's server root passwords in a database, etc.
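
The advice in the last reply (no root logins, no password logins) corresponds to two sshd_config directives. The following is an added example, not part of the original thread or of the linked report: a small audit of sshd_config text that honours OpenSSH's first-value-wins rule and reports `Match` blocks that re-enable a weak setting. It assumes the standard OpenSSH keywords `PermitRootLogin` and `PasswordAuthentication`, does not follow `Include` files, and uses a constructed sample config.

```python
import re

# Desired values for the two directives the thread's advice maps to (assumption).
CHECKS = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Constructed sample, not taken from any real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
PermitRootLogin without-password
permitrootlogin no
PasswordAuthentication=no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def parse(text):
    """Return (global settings, Match-block overrides) for keywords in CHECKS."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":
            match = value                       # later lines are conditional
        elif key in CHECKS:
            if match is None:
                settings.setdefault(key, value)  # first value wins in sshd
            else:
                overrides.append((match, key, value))
    return settings, overrides

def audit(text):
    """Return (keyword, effective value, scope) for every weak or unset setting."""
    settings, overrides = parse(text)
    findings = []
    for key, wanted in CHECKS.items():
        value = settings.get(key, "unset")      # unset means a version-dependent default
        if value.lower() != wanted:
            findings.append((key, value, "global"))
    for criteria, key, value in overrides:
        if value.lower() != CHECKS[key]:
            findings.append((key, value, "Match " + criteria))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WEAK: %s = %s (%s)" % finding)
```

On a real host the text would come from `/etc/ssh/sshd_config`; a directive reported as `unset` falls back to the installed OpenSSH version's default and should be set explicitly.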