Date:      Mon, 4 May 2015 00:36:35 +0200
From:      Polytropon <>
To:        jd1008 <>
Subject:   Re: Unnoticed for years, malware turned Linux and BSD servers into spamming machines
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <>

On Sun, 03 May 2015 12:23:53 -0600, jd1008 wrote:
> More importantly, how do we disinfect? Reinstall the system?

Stop running huge piles of PHP crapware. :-)

Backup user data, verify (!) user data, reinstall from trusted
sources, review installation result - that is an option. It's
probably less work than trying to pry the malicious code out
of "hidden" files within the mentioned PHP pile.

> But the infiltration was done to a freshly installed system.

Weak passwords? Stupid operation personnel? "Hi, my name is
Bob from the Linux disinfection department. Can you tell me
the root password please?" - "Sure, it's 12345." - "That's
amazing. I've got the same combination on my luggage!" :-)

> We need to know what filenames are involved!!

You can use the "find" program to spot them. You'll quickly
notice "obscured" files popping up in /var/tmp, especially
because you do _not_ know those files. As far as I read, the
backdoor relies on a cron job to restore infection after a
reboot, so also check those. It's not a rootkit, that's why
RKHunter et al. probably won't alert you, but using those
for regular checking isn't bad at all.

Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
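The two checks suggested above (unfamiliar "obscured" files in /var/tmp, and cron entries that would re-launch them after a reboot) written out as an added example; this is not code from the original post or from the article it replies to. The scan functions default to nothing and take their paths as arguments, so they can be pointed at the real /var/tmp, /etc/crontab and /var/cron/tabs on a FreeBSD box, or at the constructed sample tree that build_sample creates under mktemp. The file names in that sample (.X11-unix with a trailing space, .tmp.sock, the cron line) are invented for the demonstration, not indicators taken from any report.

```shell
#!/bin/sh
# Added example: spot "obscured" temp files and the cron entries that revive them.
# Not from the original post; sample tree and names below are constructed.

# List candidates under a temp directory: dot-files, names containing a space
# (a trailing space hides well in ls output), and executable regular files,
# none of which a normal /var/tmp should contain in quantity.
find_suspect_files() {
    dir=$1
    find "$dir" -mindepth 1 \
        \( -name '.*' -o -name '* *' -o \( -type f -perm -100 \) \) \
        2>/dev/null | sort
}

# Print non-comment cron lines (file:line:entry) that reference a given path.
# Args: path fragment to look for, then any crontab files or spool dirs.
cron_entries_referencing() {
    needle=$1
    shift
    grep -rnH -e "$needle" "$@" 2>/dev/null |
        grep -v '^[^:]*:[0-9]*:[[:space:]]*#'
}

# Constructed sample tree (hypothetical data) so the checks run offline.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/var/tmp" "$root/var/cron/tabs"
    echo 'session data' > "$root/var/tmp/sess_abc123"          # benign temp file
    printf '#!/bin/sh\n' > "$root/var/tmp/.X11-unix "           # dot-file + trailing space
    chmod 755 "$root/var/tmp/.X11-unix "
    printf 'binary\n' > "$root/var/tmp/.tmp.sock"               # another dot-file
    # Crontab: one benign entry, one commented-out line mentioning /var/tmp,
    # and one entry that re-launches the hidden payload every 15 minutes.
    printf '%s\n' \
        '# daily cleanup' \
        '0 3 * * * /usr/sbin/periodic daily' \
        '# 0 4 * * * find /var/tmp -mtime +7 -delete' \
        '*/15 * * * * /var/tmp/.X11-unix 2>/dev/null' \
        > "$root/var/cron/tabs/root"
    echo "$root"
}

# Demonstration on the constructed tree; no real system paths are touched.
# On a live host run instead:
#   find_suspect_files /var/tmp
#   cron_entries_referencing /var/tmp /etc/crontab /var/cron/tabs
sample=$(build_sample)
echo "== suspect files under $sample/var/tmp"
find_suspect_files "$sample/var/tmp"
echo "== active cron entries referencing /var/tmp"
cron_entries_referencing /var/tmp "$sample/var/cron/tabs"
rm -rf "$sample"
```

The cron check deliberately reports the file and line number so the entry can be removed in place; remember that per-user crontabs live under /var/cron/tabs on FreeBSD and that the same check should be repeated for /etc/crontab, /etc/cron.d-style directories on Linux, and any at(1) jobs.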
