Date: Mon, 4 May 2015 00:36:35 +0200
From: Polytropon <freebsd@edvax.de>
To: jd1008 <jd1008@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Unnoticed for years, malware turned Linux and BSD servers into spamming machines
Message-ID: <20150504003635.ea63061d.freebsd@edvax.de>
In-Reply-To: <554667B9.2050205@gmail.com>
References: <20150503123824.3faeca9e@seibercom.net> <CADy1Ce4fQCHFfX89ka6BX5fuwZ-%2BxzDUsq1TK_Geiwo03cMhcQ@mail.gmail.com> <554667B9.2050205@gmail.com>
On Sun, 03 May 2015 12:23:53 -0600, jd1008 wrote:
> More importantly, how do we disinfect? Reinstall the system?

Stop running huge piles of PHP crapware. :-)

Back up user data, verify (!) user data, reinstall from trusted sources, review installation result - that is an option. It's probably less work than trying to pry the malicious code out of "hidden" files within the mentioned PHP pile.

> But the infiltration was done to a freshly installed system.

Weak passwords? Stupid operation personnel?

"Hi, my name is Bob from the Linux disinfection department. Can you tell me the root password please?" - "Sure, it's 12345." - "That's amazing. I've got the same combination on my luggage!" :-)

> We need to know what filenames are involved!!

You can use the "find" program to spot them. You'll quickly notice "obscured" files popping up in /var/tmp, especially because you do _not_ know those files. As far as I read, the backdoor relies on a cron job to restore infection after a reboot, so also check those.

It's not a rootkit, that's why RKHunter et al. probably won't alert you, but using those for regular checking isn't any bad.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
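A small triage helper along the lines of the advice above, added here as an example and not part of the original mail: one function lists hidden or executable entries under a tmp directory (the "obscured" files in /var/tmp), the other lists crontab lines that execute something from a tmp location (the reboot persistence mentioned above). Both take their directories as arguments, so they can be pointed at /var/tmp and the crontab spool of the host in question (/var/cron/tabs on FreeBSD, /var/spool/cron on most Linux systems) or at a constructed test tree; the tmp-path list and the "executable" heuristic are assumptions of this example, not findings from the thread.

```shell
#!/bin/sh
# Example triage helpers (added example, not code from the original mail).
# Usage: suspicious_tmp_files /var/tmp
#        cron_lines_using_tmp /var/cron/tabs     (FreeBSD)
#        cron_lines_using_tmp /var/spool/cron    (Linux, assumed path)

# Print entries below $1 that are either dot-named (hidden at any depth)
# or regular files with the owner-execute bit set. Everything printed is
# a candidate for a "do I know this file?" review, nothing more.
suspicious_tmp_files() {
    dir=$1
    find "$dir" -mindepth 1 \( -name '.*' -o \( -type f -perm -100 \) \) 2>/dev/null | sort
}

# Print "<crontab file>: <line>" for every non-comment crontab line in the
# spool directory $1 that runs something under a tmp-style directory.
# The list of directories is an assumption of this example.
cron_lines_using_tmp() {
    spool=$1
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" \
            | grep -E '(^|[[:space:]])(/var/tmp|/tmp|/dev/shm)/' \
            | sed "s|^|$f: |"
    done
}
```

Review the output of both functions against a known-good installation; an unfamiliar dot-file in /var/tmp that is also referenced from a crontab is exactly the pair this thread describes.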