From owner-freebsd-questions@FreeBSD.ORG Sun May 3 22:36:38 2015 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B1BF5DF3 for ; Sun, 3 May 2015 22:36:38 +0000 (UTC) Received: from mx02.qsc.de (mx02.qsc.de [213.148.130.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7381213F0 for ; Sun, 3 May 2015 22:36:37 +0000 (UTC) Received: from r56.edvax.de (port-92-195-64-237.dynamic.qsc.de [92.195.64.237]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx02.qsc.de (Postfix) with ESMTPS id 15785255FE; Mon, 4 May 2015 00:36:36 +0200 (CEST) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id t43MaZYd002297; Mon, 4 May 2015 00:36:35 +0200 (CEST) (envelope-from freebsd@edvax.de) Date: Mon, 4 May 2015 00:36:35 +0200 From: Polytropon To: jd1008 Cc: freebsd-questions@freebsd.org Subject: Re: Unnoticed for years, malware turned Linux and BSD servers into spamming machines Message-Id: <20150504003635.ea63061d.freebsd@edvax.de> In-Reply-To: <554667B9.2050205@gmail.com> References: <20150503123824.3faeca9e@seibercom.net> <554667B9.2050205@gmail.com> Reply-To: Polytropon Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 May 2015 22:36:38 -0000 On Sun, 03 May 2015 12:23:53 -0600, jd1008 wrote: > More importantly, how do we disinfect? Reinstall the system? Stop running huge piles of PHP crapware. :-) Backup user data, verify (!) user data, reinstall from trusted sources, review installation result - that is an option. It's probably less work than trying to pry the malicious code out of "hidden" files within the mentioned PHP pile. > But the infiltration was done to a freshly installed system. Weak passwords? Stupid operation personnel? "Hi, my name is Bob from the Linux disinfection department. Can you tell me the root password please?" - "Sure, it's 12345." - "That's amazing. I've got the same combination on my luggage!" :-) > We need to know what filenames are involved!! You can use the "find" program to spot them. You'll quickly notice "obscured" files popping up in /var/tmp, especially because you do _not_ know those files. As far as I read, the backdoor relies on a cron job to restore infection after a reboot, so also check those. It's not a rootkit, that's why RKHunter et al. probably won't alert you, but using those for regular checking isn't any bad. -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...