plagued by malware
Hello everyone, first post on this forum!
I am a new user of Linux and apparently, due to work requirements, I am required to manage a Linux DB server. However there is a major problem with it right now. It seems that the DB server has been infected by some kind of malware/virus/bot, that's making constant and A LOT of outgoing transmissions particularly to China. The name of this thing is called "dafa2016". I tried to google it up, but I'm not getting much info on it. I do have Linux Malware Detect but it does not detect anything. I have since blocked all outgoing connections from the particular server on my firewall to prevent it from causing a slow network. I had some basic help from a colleague to trace the directory of this malware and to remove it, but it is regenerating itself. Seriously need help on this. If more information is required, please do let me know. I'll try my best to provide.
Hi,
Welcome to the forum! And...with a great one too... Okay, some basics. Got rkhunter installed? Let's start here. You do know Linux has regular security updates. When last did you update the system? Is it a rolling release? Not optimal for a server. So, if the one you have now is EOL...get ready to camp out in the office...for a weekend. Is the server for the office only? Or on the net? Reason is: if it's for the office only, you have no pressure, well...less pressure... If it is EOL, a backup of the data, and a re-install and I think that'll do it... What brand (distro) do you use? If it regenerates itself, there can be two reasons: either you did not yet find the root of the thing, or there is a rootkit and the stuff is re-installed remotely... I round off my questions with some links, one on malware removal, one on detecting and one extract from a forum... We're all here for you, so good luck... Melissa
Quote:
No, I don't have this rkhunter installed. This Linux system is actually for a managed services vendor (ScienceLogic). The version was recently updated last November. The server is for the office. I'll take a look at the links that you provided!
Quote:
When did the malware come to light? Possibly...AFTER the update... My systems update on a weekly basis... I'd go for an install of rkhunter... It's for the office, that is good, annoying about the malware, but...good... So, what distro was that again? Try to paste/replicate/type the output of this: Code:
uname -a
Melissa
Quote:
Linux newio_sldb01 2.6.18-406.el5 #1 SMP Tue Jun 2 17:25:57 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
Emm, okay, a few names:
debian, ubuntu, fedora: any of these ring a bell? Melissa
Please become root and post full output (see "/tmp/.log.txt") of Code:
( \ps axfwwwe 2>&1; lsof -Pwln 2>&1; netstat -antupe 2>&1; lastlog 2>&1; last -wai30 2>&1; cat /var/spool/cron/* 2>&1; find /etc/ -type f -print0 2>&1|xargs -0 -iX rpm -qf 'X' 2>&1 ) | tee /tmp/.log.txt
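The last part of that pipeline asks rpm which package owns every file under /etc, so the saved /tmp/.log.txt ends with a long list of package names interleaved with "file X is not owned by any package" lines. The script below is an added example, not code posted in the thread: it pulls the unowned paths out of such a listing and then narrows them to boot and cron locations, which is where something that "regenerates itself" after removal is usually being restarted from. The sample listing is constructed; the package versions are placeholders, the DbSecuritySpt path is the one named later in this thread, and the other two unowned paths are invented.

```shell
#!/bin/sh
# Added example (not from the thread): post-process the `rpm -qf` section of
# /tmp/.log.txt. rpm prints the owning package for each file, or the sentence
# "file <path> is not owned by any package" when nothing claims it.

# Constructed sample; VERSION-RELEASE stands in for real package versions,
# /etc/cron.d/example-unowned and /etc/myapp.conf are invented paths.
SAMPLE_RPMQF='setup-VERSION-RELEASE.el5
openssh-server-VERSION-RELEASE.el5
file /etc/rc.d/init.d/DbSecuritySpt is not owned by any package
file /etc/cron.d/example-unowned is not owned by any package
initscripts-VERSION-RELEASE.el5
file /etc/myapp.conf is not owned by any package'

# Print every path under /etc that no installed package claims (stdin -> stdout).
unowned_files() {
    awk '
        /^file .* is not owned by any package$/ {
            sub(/^file /, "")
            sub(/ is not owned by any package$/, "")
            print
        }'
}

# Of those, keep only the ones in init/rc/cron/profile.d locations: files that
# get executed at boot, on a schedule or at login, so an unowned entry there is
# the first thing to read on a host that re-infects itself after cleanup.
unowned_persistence() {
    unowned_files | grep -E '^/etc/(rc\.d/|init\.d/|rc[0-9S]\.d/|cron\.|crontab$|profile\.d/)'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RPMQF" | unowned_persistence
```

On a real host, feed it the saved log instead of the sample (`unowned_persistence < /tmp/.log.txt`); an unowned file in a package-managed directory is not proof of compromise on its own, since locally written init scripts are also unowned, but every such path deserves to be explained.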
You sure have a lot of active root logins, and I can see 2 IPs logged in from Singapore. Assuming those 2 logins are legitimate SSH sessions, it is actually a good practice to DISABLE root logins via SSH. In case those 2 logins are NOT legitimate, you should panic now. Then kill those sessions.
Code:
root pts/0 Mon Mar 28 10:39 still logged in 10.10.8.104
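The `last -wai` listing this reply is reading can be triaged mechanically rather than by eye. The script below is an added example, not code from the thread or its participants: it reads a saved `last -wai` listing, skips boot records, and prints every interactive root session plus every session whose source address is outside the RFC 1918 private ranges. The sample lines are constructed (only the first one mirrors the entry quoted above), and the assumption that legitimate office logins come from private address space is mine.

```shell
#!/bin/sh
# Added example (not from the thread): flag suspicious sessions in a saved
# `last -wai` listing. With -i the source IP is always the last field.

# Constructed sample in `last -wai` layout; only the first line mirrors the thread.
SAMPLE_LAST='root     pts/0        Mon Mar 28 10:39   still logged in    10.10.8.104
root     pts/1        Mon Mar 28 09:12   still logged in    203.0.113.45
dbadmin  pts/2        Sun Mar 27 22:03 - 22:40  (00:37)     10.10.8.20
root     pts/3        Sun Mar 27 04:51 - 05:10  (00:19)     198.51.100.7
reboot   system boot  Sat Mar 26 01:00 - 10:39 (2+09:39)    0.0.0.0'

# Read a listing on stdin; print "<reason>\t<user>\t<ip>" for each session that
# is either a root login or comes from a non-private address.
flag_sessions() {
    awk '
        $1 == "reboot" || $1 == "wtmp" { next }   # boot marker / trailer lines
        {
            ip = $NF
            # RFC 1918 ranges plus the 0.0.0.0 placeholder `last` uses for local ttys
            private = (ip ~ /^10\./ || ip ~ /^192\.168\./ ||
                       ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ || ip == "0.0.0.0")
            reason = ""
            if ($1 == "root") reason = "root-login"
            if (!private) reason = (reason == "" ? "" : reason ",") "external-ip"
            if (reason != "") printf "%s\t%s\t%s\n", reason, $1, ip
        }'
}

# Number of flagged sessions in the constructed sample (printed to stdout).
count_flagged() {
    printf '%s\n' "$SAMPLE_LAST" | flag_sessions | wc -l | tr -d ' '
}

# Stand-alone run over the sample.
printf '%s\n' "$SAMPLE_LAST" | flag_sessions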
Quote:
Couple of things:
- Obviously root should not ever be allowed to log in over SSH,
- There's also some "phonehome" user accounts,
- There is a process running as root with PID 27256
- There's the "/etc/rc.d/init.d/DbSecuritySpt" indicative of ValdikSS/billgates-botnet-tracker (see for example https://www.linuxquestions.org/quest...1/).
In short: root compromise, ergo isolate the machine from the network now.
Quote:
If I may suggest, in light of this:
Next, indeed, do disallow root access over SSH...because:
Edit - for this suggestion I stand open for critique as it is somewhat far fetched...open passwd (usually found in /etc) and check if any account other than root has root rights... Root is identified by group 0 (as I was told) in the image, entry 3
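The two checks raised in this and the previous replies, extra root-equivalent accounts in passwd and root logins over SSH, are both a few lines of awk. The script below is an added example, not code from the thread: it audits a passwd-format file for accounts other than "root" with UID 0 (a second root, whatever its name) or with primary group 0, and reports whether an sshd_config still leaves root reachable. Both samples are constructed; the "helper" and "support" accounts are invented, and the note that older OpenSSH treats a missing PermitRootLogin directive as "yes" is my addition.

```shell
#!/bin/sh
# Added example (not from the thread): audit passwd and sshd_config.
# Both functions read the file contents on stdin, so they work on a copy
# pulled off the compromised host as well as on the live files.

# Constructed passwd sample: "helper" is a second UID-0 account, "support"
# merely has group 0 as its primary group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
dbadmin:x:500:500:DB admin:/home/dbadmin:/bin/bash
helper:x:0:0::/tmp:/bin/sh
support:x:501:0::/home/support:/bin/bash'

# Constructed sshd_config sample with PermitRootLogin left commented out,
# i.e. at the old OpenSSH default of "yes".
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin yes
PasswordAuthentication yes'

# Print "uid0\t<name>" for every non-root account whose UID is 0 (full root
# rights) and "gid0\t<name>" for every one whose primary group is 0.
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { printf "uid0\t%s\n", $1 }
        $4 == 0 && $1 != "root" { printf "gid0\t%s\n", $1 }'
}

# Print "no" only if an uncommented "PermitRootLogin no" is present; "yes",
# "without-password" or no directive at all (default yes on old OpenSSH) all
# print "yes". Match blocks are not handled; this is a first-pass check.
root_ssh_permitted() {
    awk '
        tolower($1) == "permitrootlogin" { v = tolower($2) }
        END { if (v == "no") print "no"; else print "yes" }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
printf 'root ssh permitted: %s\n' "$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | root_ssh_permitted)"
```

On the live host the equivalent is `audit_passwd < /etc/passwd` and `root_ssh_permitted < /etc/ssh/sshd_config`; a UID 0 entry with any name other than root is root, whatever the comment field says, and is the kind of thing a "removed" intruder comes back through.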
Quote:
Security is a continuous process requiring a layered approach. Any software in the web stack that is not updated, stale, unsupported or outright vulnerable is low hanging fruit. Each OS comes with installation, admin and security documentation and documentation of software in the web stack often has a specific security section. It's just that people often don't read much, don't care enough or outright neglect admin best practices. This is what you get. Here the only approach is to set up a new server, harden it properly and then migrate data but only after thorough inspection.
Quote:
@ OP - please don't take my input as fool-proof :) Melissa (looking on, with intense interest)