Unnoticed for years, malware turned Linux and BSD servers into spamming machines

Polytropon freebsd at edvax.de
Sun May 3 22:36:38 UTC 2015


On Sun, 03 May 2015 12:23:53 -0600, jd1008 wrote:
> More importantly, how do we disinfect? Reinstall the system?

Stop running huge piles of PHP crapware. :-)

Back up user data, verify (!) user data, reinstall from trusted
sources, review installation result - that is an option. It's
probably less work than trying to pry the malicious code out
of "hidden" files within the mentioned PHP pile.



> But the infiltration was done to a freshly installed system.

Weak passwords? Stupid operation personnel? "Hi, my name is
Bob from the Linux disinfection department. Can you tell me
the root password please?" - "Sure, it's 12345." - "That's
amazing. I've got the same combination on my luggage!" :-)



> We need to know what filenames are involved!!

You can use the "find" program to spot them. You'll quickly
notice "obscured" files popping up in /var/tmp, especially
because you do _not_ know those files. As far as I have read, the
backdoor relies on a cron job to restore the infection after a
reboot, so also check those. It's not a rootkit, that's why
RKHunter et al. probably won't alert you, but using those
for regular checking isn't a bad idea.


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
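As an added example (not from the message above), a POSIX shell triage helper that implements the two checks Polytropon describes: recently modified files in a scratch directory such as /var/tmp, and cron entries that execute something from /tmp or /var/tmp. The default paths and the constructed sample file names are assumptions.

```shell
#!/bin/sh
# Defender's triage helper: surface unfamiliar scratch files and the
# cron entries that would restore a backdoor after a reboot.

# List regular files under a scratch directory (default /var/tmp)
# modified within the last N days (default 30), with owner/mode/mtime.
# Review every line: the point is to spot files you did not put there.
scratch_files() {
    dir=${1:-/var/tmp}; days=${2:-30}
    find "$dir" -xdev -type f -mtime "-$days" -exec ls -l {} \; 2>/dev/null
}

# Default crontab locations for Linux and FreeBSD (assumed paths).
cron_candidates() {
    for f in /etc/crontab /etc/cron.d/* \
             /var/spool/cron/crontabs/* /var/cron/tabs/*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
}

# Print crontab lines (file:line:text) that run anything located in
# /tmp or /var/tmp; legitimate system cron jobs normally never do.
cron_refs_to_tmp() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -Hn -E '(^|[[:space:]])/(var/)?tmp/' "$f"
    done 2>/dev/null
    return 0
}

# Full run against the live system; any cron hit is worth a look.
triage() {
    echo "== recent files in /var/tmp =="; scratch_files /var/tmp 30
    echo "== cron entries executing from /tmp or /var/tmp =="
    cron_refs_to_tmp $(cron_candidates)
}

[ "${1:-}" = "--run" ] && triage
```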

