On 19/03/14 18:31, EGO.II-1 wrote:
>
> On 03/19/2014 02:21 PM, Johnny Hughes wrote:
>> On 03/19/2014 12:39 PM, EGO.II-1 wrote:
>>> On 03/19/2014 01:35 PM, Mike McCarthy wrote:
>>>> Linux server attacks are nothing new. 14 years ago I was installing a
>>>> server, Red Hat 7 I think, and in the hour or so after I installed it to
>>>> the time I applied the patches it was infected with an Apache ssl trojan.
>>>>
>>>> Years ago I moved sshd off port 22, disabled password logins and use
>>>> certificates after noticing my logs filling up with numerous daily
>>>> attempts at hacking into sshd.
>>>>
>>>> Mike
>>>>
>>>> On 03/19/2014 12:11 PM, SilverTip257 wrote:
>>>>> On Wed, Mar 19, 2014 at 10:01 AM, Johnny Hughes <johnny at centos.org> wrote:
>>>>>
>>>>>> On 03/19/2014 08:50 AM, Timothy Murphy wrote:
>>>>>>> SlashDot had an article today on a Linux server malware attack,
>>>>>>> <http://it.slashdot.org/story/14/03/18/2218237/malware-attack-infected-25000-linuxunix-servers>.
>>>>>>>
>>>>>>> I wonder if there is a simple test to see if a CentOS machine
>>>>>>> has been infected in this way?
>>>>>>>
>>>>>>> The article mentions Yara and Snort rules to test for this,
>>>>>>> but I wonder if there is something simpler?
>>>>>>> Alternatively, are there Yara or Snort packages for CentOS?
>>>>>>> ("Yum search" didn't seem to find anything.)
>>>>>>>
>>>>>> Look at this PDF:
>>>>>>
>>>>>> http://bit.ly/1qCEQFi
>>>>>>
>>>>> The article I read linked to a detection toolkit on GitHub:
>>>>> https://github.com/eset/malware-ioc
>>>>>
>>>>> Read this:
>>>>> https://github.com/eset/malware-ioc/blob/master/windigo/README.adoc
>>>>>
>>> An even more compelling question: does this only affect servers? Or will
>>> it also infect desktops as well (running CentOS as a desktop but have
>>> never ssh'd anything from or to it... have a standard type of setup with
>>> a wireless router connected to my DSL/cable line...)
>> There really is no difference between server and desktop except the
>> packages installed. In this case, if you have openssh-clients and
>> openssh-server installed and external password logins activated, then
>> yes, someone could have gained access. If they did, they could have
>> replaced parts of your RPMs with their own items.
>>
>> Everyone using any Linux should test for this.
>>
> Thanks for this! I just checked and apparently (and thankfully!) I'm
> clean. Will be trying this out on my Ubuntu laptop as well..... awesome
> teamwork!! thanks again!!!
>

Just to add, I'm sure everyone has already read and implemented many of the
suggestions here: http://wiki.centos.org/HowTos/Network/SecuringSSH
Numbers 2 and 7 have already been highlighted in this thread.
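The hardening Mike and Johnny describe above (key-only logins, no root password logins, sshd off port 22) can be checked against an sshd_config with a small audit script. This is an added example, not code from the thread or the CentOS wiki; the sample configs are constructed, and on a real host the config text would come from /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for the thread's advice.
# Mirrors sshd's parsing rules: the FIRST occurrence of a keyword wins, comments
# are ignored, keywords are case-insensitive, and settings after the first
# "Match" block are conditional, so the audit stops there.

# sshd_get CONFIG_TEXT KEYWORD DEFAULT -> effective global value of KEYWORD
sshd_get() {
    val=$(printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/#.*/, "") }                          # strip comments
        tolower($1) == "match" { exit }             # stop at conditional blocks
        tolower($1) == tolower(key) && NF >= 2 { print $2; exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd CONFIG_TEXT -> prints one FAIL line per weak setting, returns 1 if any
audit_sshd() {
    cfg=$1; rc=0
    pw=$(sshd_get "$cfg" PasswordAuthentication yes)   # OpenSSH default: yes
    root=$(sshd_get "$cfg" PermitRootLogin yes)        # OpenSSH default before 7.0: yes
    port=$(sshd_get "$cfg" Port 22)
    case $(printf '%s' "$pw" | tr 'A-Z' 'a-z') in
        no) ;;
        *) echo "FAIL PasswordAuthentication=$pw (want no: key-only logins)"; rc=1 ;;
    esac
    case $(printf '%s' "$root" | tr 'A-Z' 'a-z') in
        no|without-password|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=$root (want no or without-password)"; rc=1 ;;
    esac
    [ "$port" = "22" ] && { echo "FAIL Port=22 (thread suggests a non-default port)"; rc=1; }
    return $rc
}

# Constructed samples: a stock-looking config (everything commented out, so the
# defaults apply) and a hardened one with a conditional Match block at the end.
WEAK_CFG='#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CFG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes'

echo "== weak =="; audit_sshd "$WEAK_CFG" || true
echo "== hardened =="; audit_sshd "$HARDENED_CFG" && echo "OK: matches the thread's recommendations"
```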