[CentOS] Linux malware attack

Wed Mar 19 18:31:58 UTC 2014
EGO.II-1 <eoconnor25 at gmail.com>

On 03/19/2014 02:21 PM, Johnny Hughes wrote:
> On 03/19/2014 12:39 PM, EGO.II-1 wrote:
>> On 03/19/2014 01:35 PM, Mike McCarthy wrote:
>>> Linux server attacks are nothing new. 14 years ago I was installing a
>>> server, Red Hat 7 I think, and in the hour or so after I installed it to
>>> the time I applied the patches it was infected with an Apache ssl trojan.
>>>
>>> Years ago I moved sshd off port 22, disabled password logins and use
>>> certificates after noticing my logs filling up with numerous daily
>>> attempts at hacking into sshd.
>>>
>>> Mike
>>>
>>> On 03/19/2014 12:11 PM, SilverTip257 wrote:
>>>> On Wed, Mar 19, 2014 at 10:01 AM, Johnny Hughes <johnny at centos.org> wrote:
>>>>
>>>>> On 03/19/2014 08:50 AM, Timothy Murphy wrote:
>>>>>> SlashDot had an article today on a Linux server malware attack,
>>>>>> <http://it.slashdot.org/story/14/03/18/2218237/malware-attack-infected-25000-linuxunix-servers>.
>>>>>>
>>>>>> I wonder if there is a simple test to see if a CentOS machine
>>>>>> has been infected in this way?
>>>>>>
>>>>>> The article mentions Yara and Snort rules to test for this,
>>>>>> but I wonder if there is something simpler?
>>>>>> Alternatively, are there Yara or Snort packages for CentOS?
>>>>>> ("Yum search" didn't seem to find anything.)
>>>>>>
>>>>>>
>>>>>>
>>>>> Look at this PDF:
>>>>>
>>>>> http://bit.ly/1qCEQFi
>>>>>
>>>>>
>>>> The article I read linked to a detection toolkit on GitHub.
>>>> https://github.com/eset/malware-ioc
>>>>
>>>> Read this:
>>>> https://github.com/eset/malware-ioc/blob/master/windigo/README.adoc
>>>>
>>>>
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>> An even more compelling question: does this only affect servers? Or will
>> it also infect desktops as well (running CentOS as a desktop but have
>> never ssh'd anything from or to it...have a standard type of setup with
>> a wireless router connected to my DSL/cable line...)
> There really is no difference between server and desktop except the
> packages installed.  In this case, if you have openssh-clients and
> openssh-server installed and external password logins activated, then
> yes, someone could have gained access.  If they did, they could have
> replaced parts of your RPMs with their own items.
>
> Everyone using any Linux should test for this.
>
Thanks for this! I just checked and apparently (and thankfully!) I'm
clean. Will be trying this out on my Ubuntu laptop as well.....awesome
teamwork!! thanks again!!!


EGO II
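A first-pass check for the "replaced parts of your RPMs" concern raised in the thread, as an added example that is not code from the thread or from the ESET toolkit: it verifies the installed openssh packages with `rpm -V` and parses the result to flag binaries whose digest no longer matches the package. The `rpm -V` output shown inside the script is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread or ESET). Parses `rpm -V` output for the
# openssh packages and flags files whose contents differ from what the RPM
# shipped. rpm -V prints one line per changed file: a 9-character attribute
# string (position 3 = "5" means the digest differs), an optional file-type
# marker (c = config), then the path; "missing" replaces the attributes when
# the file is gone entirely.

# Constructed sample of `rpm -V openssh-server openssh-clients` output; real
# output comes only from running rpm on the machine being checked.
SAMPLE_RPM_V='S.5....T.    /usr/sbin/sshd
S.5....T.    /usr/bin/ssh
.......T.    /usr/share/man/man8/sshd.8.gz
..5....T.  c /etc/ssh/sshd_config
missing     /usr/libexec/openssh/sftp-server'

# Reads rpm -V lines on stdin; prints MODIFIED/MISSING lines for non-config
# files. Timestamp-only (T) changes and edited config files are ignored, since
# both happen during normal administration.
suspicious_files() {
  awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
      type = (NF == 3) ? $2 : ""        # c/d/g/l/r marker only on 3-field lines
      if (type == "c") next             # locally edited config, expected to differ
      if (substr($1, 3, 1) == "5") print "MODIFIED " $NF
    }
  '
}

# Runs the real verification when rpm is present, otherwise demonstrates on
# the constructed sample so the script is usable on any system.
check_openssh_rpms() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -V openssh-server openssh-clients 2>/dev/null | suspicious_files
  else
    echo "rpm not found; showing results for the constructed sample" >&2
    printf '%s\n' "$SAMPLE_RPM_V" | suspicious_files
  fi
}

check_openssh_rpms
```

`rpm -V` compares files against the local RPM database, which root-level malware on the same host could also alter, so a clean result is a hint rather than proof; the ESET README linked in the thread carries the authoritative indicators.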