Unnoticed for years, malware turned Linux and BSD servers into spamming machines
freebsd at edvax.de
Sun May 3 22:36:38 UTC 2015
On Sun, 03 May 2015 12:23:53 -0600, jd1008 wrote:
> More importantly, how do we disinfect? Reinstall the system?
Stop running huge piles of PHP crapware. :-)
Backup user data, verify (!) user data, reinstall from trusted
sources, review installation result - that is an option. It's
probably less work than trying to pry the malicious code out
of "hidden" files within the mentioned PHP pile.
> But the infiltration was done to a freshly installed system.
Weak passwords? Stupid operation personnel? "Hi, my name is
Bob from the Linux disinfection department. Can you tell me
the root password please?" - "Sure, it's 12345." - "That's
amazing. I've got the same combination on my luggage!" :-)
> We need to know what filenames are involved!!
You can use the "find" program to spot them. You'll quickly
notice "obscured" files popping up in /var/tmp, especially
because you do _not_ know those files. As far as I read, the
backdoor relies on a cron job to restore infection after a
reboot, so also check those. It's not a rootkit, that's why
RKHunter et al. probably won't alert you, but using those
for regular checking isn't any bad.
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
More information about the freebsd-questions