[CentOS] Linux malware attack

Wed Mar 19 18:21:43 UTC 2014
Johnny Hughes <johnny at centos.org>

On 03/19/2014 12:39 PM, EGO.II-1 wrote:
> On 03/19/2014 01:35 PM, Mike McCarthy wrote:
>> Linux server attacks are nothing new. 14 years ago I was installing a
>> server, Red Hat 7 I think, and in the hour or so after I installed it to
>> the time I applied the patches it was infected with an Apache ssl trojan.
>> Years ago I moved sshd off port 22, disabled password logins and use
>> certificates after noticing my logs filling up with numerous daily
>> attempts at hacking into sshd.
>> Mike
>> On 03/19/2014 12:11 PM, SilverTip257 wrote:
>>> On Wed, Mar 19, 2014 at 10:01 AM, Johnny Hughes <johnny at centos.org> wrote:
>>>> On 03/19/2014 08:50 AM, Timothy Murphy wrote:
>>>>> SlashDot had an article today on a Linux server malware attack,
>>>>> <http://it.slashdot.org/story/14/03/18/2218237/malware-attack-infected-25000-linuxunix-servers>.
>>>>> I wonder if there is a simple test to see if a CentOS machine
>>>>> has been infected in this way?
>>>>> The article mentions Yara and Snort rules to test for this,
>>>>> but I wonder if there is something simpler?
>>>>> Alternatively, are there Yara or Snort packages for CentOS?
>>>>> ("Yum search" didn't seem to find anything.)
>>>> Look at this PDF:
>>>> http://bit.ly/1qCEQFi
>>> The article I read, linked to a detection toolkit on GitHub.
>>> https://github.com/eset/malware-ioc
>>> Read this:
>>> https://github.com/eset/malware-ioc/blob/master/windigo/README.adoc
> An even more compelling question: does this only affect servers? or will 
> it also infect desktops as well (running CEntOS as a desktop but have 
> never ssh'd anything from or to it...have a standard type of setup with 
> a wireless router connected to my DSL/cable line...)

There really is no difference between server and desktop except the
packages installed.  In this case, if you have openssh-clients and
openssh-server installed and external password logins activated, then
yes, someone could have gained access.  If they did, they could have
replaced parts of your RPMs with their own items.

Everyone using any Linux should test for this.

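Two concrete checks that follow from the advice above, written as an added example for this archive page (not code from Johnny's message, the CentOS project, or ESET's malware-ioc repository). The first triages `rpm -V` output to find package-owned files whose content no longer matches the RPM database, which is what "replaced parts of your RPMs" would look like; the `rpm -V` line format it parses is the rpm 4.x default, and the sample output is constructed, not captured from a real machine. The second is the `ssh -G` heuristic ESET published with the Windigo report, with the caveat that it only means anything on the OpenSSH 5.x builds CentOS 5/6 shipped. The package names and function names are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the thread or from ESET. Two checks a CentOS admin
# could run after reading the Windigo report:
#   1. triage `rpm -V` output for package-owned files whose content changed
#   2. the ssh -G heuristic ESET published for the Ebury OpenSSH trojan
# Caveat: with root, an attacker can also doctor the RPM database, so
# `rpm -V` is only conclusive when rpm and its database are trusted (for
# example, the disk examined from a known-good rescue system).

# Parse `rpm -V` lines. Format assumed (rpm 4.x default):
#   "<flags>  <attr> <path>"   e.g. "S.5....T.  c /etc/ssh/sshd_config"
#   "missing   <attr> <path>"  e.g. "missing     /usr/bin/ssh-agent"
# Flag columns: S size, M mode, 5 digest, D device, L readlink, U user,
# G group, T mtime, P capabilities (rpm >= 4.8). '.' passed, '?' untestable.
# Reports files whose digest (5) or size (S) differ, or that are missing.
# Config files (attr 'c') are skipped: a locally edited sshd_config is
# expected to fail verification. Paths containing spaces are not handled.
suspicious_files() {
    awk '
        /^missing/ { print "MISSING  " $NF; next }
        {
            flags = $1
            attr  = (NF >= 3) ? $2 : ""
            if (attr == "c") next
            if (index(flags, "5") > 0 || index(flags, "S") > 0)
                print "MODIFIED " $NF "  [" flags "]"
        }'
}

# Live use: verify only the OpenSSH packages named in the thread.
verify_openssh() {
    rpm -V openssh openssh-clients openssh-server 2>/dev/null | suspicious_files
}

# Constructed sample of what `rpm -V` might print on a box whose ssh
# client binary was replaced and whose ssh-keysign helper was deleted.
# Only sshd_config is legitimately different (local edits).
SAMPLE_RPM_V='S.5....T.    /usr/bin/ssh
.......T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/libexec/openssh/ssh-keysign'

demo_triage() {
    printf '%s\n' "$SAMPLE_RPM_V" | suspicious_files
}

# ESET's Windigo heuristic: the Ebury-patched ssh accepted an undocumented
# -G option, so a clean 2014-era client complains about it. OpenSSH 6.8 and
# later implement -G for real, so on a modern system this reports "suspect"
# for a clean client; trust it only on the OpenSSH 5.x that CentOS 5/6 shipped.
ebury_ssh_g_check() {
    if ssh -G 2>&1 | grep -q -e illegal -e unknown; then
        echo "ssh rejects -G: consistent with a clean client"
    else
        echo "ssh accepted -G: suspect on OpenSSH < 6.8, investigate"
    fi
}

demo_triage
```

On a real box, run `verify_openssh` (and ideally `rpm -Va | suspicious_files` for everything), then `ebury_ssh_g_check`. A clean `rpm -V` is reassuring only if rpm itself and /var/lib/rpm have not been tampered with; if the box may have been rooted, verify from rescue media rather than from the running system.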