[CentOS] Linux malware attack

Wed Mar 19 18:50:54 UTC 2014
Ned Slider <ned at unixmail.co.uk>

On 19/03/14 18:31, EGO.II-1 wrote:
>
> On 03/19/2014 02:21 PM, Johnny Hughes wrote:
>> On 03/19/2014 12:39 PM, EGO.II-1 wrote:
>>> On 03/19/2014 01:35 PM, Mike McCarthy wrote:
>>>> Linux server attacks are nothing new. 14 years ago I was installing a
>>>> server, Red Hat 7 I think, and in the hour or so after I installed it to
>>>> the time I applied the patches it was infected with an Apache ssl trojan.
>>>>
>>>> Years ago I moved sshd off port 22, disabled password logins and use
>>>> certificates after noticing my logs filling up with numerous daily
>>>> attempts at hacking into sshd.
>>>>
>>>> Mike
>>>>
>>>> On 03/19/2014 12:11 PM, SilverTip257 wrote:
>>>>> On Wed, Mar 19, 2014 at 10:01 AM, Johnny Hughes <johnny at centos.org> wrote:
>>>>>
>>>>>> On 03/19/2014 08:50 AM, Timothy Murphy wrote:
>>>>>>> SlashDot had an article today on a Linux server malware attack,
>>>>>>> <http://it.slashdot.org/story/14/03/18/2218237/malware-attack-infected-25000-linuxunix-servers>.
>>>>>>>
>>>>>>> I wonder if there is a simple test to see if a CentOS machine
>>>>>>> has been infected in this way?
>>>>>>>
>>>>>>> The article mentions Yara and Snort rules to test for this,
>>>>>>> but I wonder if there is something simpler?
>>>>>>> Alternatively, are there Yara or Snort packages for CentOS?
>>>>>>> ("Yum search" didn't seem to find anything.)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Look at this PDF:
>>>>>>
>>>>>> http://bit.ly/1qCEQFi
>>>>>>
>>>>>>
>>>>> The article I read, linked to a detection toolkit on GitHub.
>>>>> https://github.com/eset/malware-ioc
>>>>>
>>>>> Read this:
>>>>> https://github.com/eset/malware-ioc/blob/master/windigo/README.adoc
>>>>>
>>>>>
>>> An even more compelling question: does this only affect servers? Or will
>>> it also infect desktops as well? (Running CentOS as a desktop but have
>>> never ssh'd anything from or to it...have a standard type of setup with
>>> a wireless router connected to my DSL/cable line...)
>> There really is no difference between server and desktop except the
>> packages installed.  In this case, if you have openssh-clients and
>> openssh-server installed and external password logins activated, then
>> yes, someone could have gained access.  If they did, they could have
>> replaced parts of your RPMs with their own items.
>>
>> Everyone using any Linux should test for this.
>>
>>
> Thanks for this! I just checked and apparently (and thankfully!) I'm
> clean. Will be trying this out on my Ubuntu laptop as well.....awesome
> teamwork!! thanks again!!!
>
>

Just to add, I'm sure everyone has already read and implemented many of 
the suggestions here:

http://wiki.centos.org/HowTos/Network/SecuringSSH

Numbers 2 and 7 have already been highlighted in this thread.
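As an added example (not code from the thread or from the CentOS wiki page), the script below audits an sshd_config for the hardening the thread mentions: sshd moved off port 22, password logins disabled, key logins enabled. A PermitRootLogin check is included as an assumed extra item of standard SSH hardening, not something the thread states. The sample configs are constructed for the demo. The audit honours two sshd parsing rules that a naive grep gets wrong: sshd keeps the first value it sees for a keyword and ignores later duplicates, and everything after a Match line is conditional rather than global.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening discussed in the thread.
# Not from the thread or the CentOS wiki. Defaults assumed (Port 22,
# PasswordAuthentication yes, PubkeyAuthentication yes, PermitRootLogin yes)
# are those of the OpenSSH 5.x/6.x builds CentOS 6 shipped with.
#
# Parsing rules honoured:
#  1. sshd uses the FIRST value it sees for a keyword; later duplicates are
#     ignored, so "PasswordAuthentication yes" followed by "... no" means yes.
#  2. Everything after a "Match" line is conditional until the next Match,
#     so it must not be read as a global setting.

# sshd_effective_value FILE KEYWORD DEFAULT
#   Print the value sshd would use for KEYWORD (lower-cased), or DEFAULT
#   when the keyword is not set globally.
sshd_effective_value() {
    file=$1; key=$2; default=$3
    value=$(awk -v key="$key" '
        /^[ \t]*#/ { next }                        # comment line
        NF == 0    { next }                        # blank line
        tolower($1) == "match" { in_match = 1 }    # conditional block starts
        in_match   { next }
        !found && tolower($1) == tolower(key) { print tolower($2); found = 1 }
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# check DESCRIPTION COMMAND...
#   Run COMMAND, print PASS/FAIL, and count failures in the global $fails.
check() {
    desc=$1; shift
    if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; fails=$((fails + 1)); fi
}

# audit_sshd_config FILE
#   Print one PASS/FAIL line per check; exit status is the number of failures.
audit_sshd_config() {
    file=$1; fails=0
    port=$(sshd_effective_value "$file" Port 22)
    passwd=$(sshd_effective_value "$file" PasswordAuthentication yes)
    pubkey=$(sshd_effective_value "$file" PubkeyAuthentication yes)
    root=$(sshd_effective_value "$file" PermitRootLogin yes)

    check "sshd listens off the default port 22 (Port $port)" \
        [ "$port" != 22 ]
    check "password logins disabled (PasswordAuthentication $passwd)" \
        [ "$passwd" = no ]
    check "key logins enabled (PubkeyAuthentication $pubkey)" \
        [ "$pubkey" = yes ]
    check "direct root login disabled (PermitRootLogin $root)" \
        [ "$root" = no ]
    return "$fails"
}

# count_sshd_failures FILE -> prints the number of failed checks
count_sshd_failures() {
    audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# Constructed sample configs (not real files from any host).
write_trap_config() {   # looks fixed at a glance, but sshd keeps the first value
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication yes
# the line below is ignored by sshd: the first value above wins
PasswordAuthentication no
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Demo on both samples; on a real host run: audit_sshd_config /etc/ssh/sshd_config
for name in trap hardened; do
    tmp=$(mktemp)
    "write_${name}_config" "$tmp"
    echo "== $name sample =="
    audit_sshd_config "$tmp" || echo "$? check(s) failed"
    rm -f "$tmp"
done
```

The trap sample reports three failures (port, password logins, root login) even though its last global line reads `PasswordAuthentication no`; a grep for that line would have called it safe. After editing the real file, `sshd -t` validates the syntax, and `sshd -T` (on OpenSSH builds that support it) prints the effective settings sshd will actually use.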