Good day!

Michael, thank you very much for your professional recommendations!
I will try to realize all of them.

> Do you have the user of the running process (ps -xau) ?

Yes, my cryptominer process was running under the "tomcat" user. 

Zbitnieva Maiia,
System administrator,
Ukraine.


Wednesday, 28 July 2021 at 16:31:58 UTC+3, Michael Plate: 

> Hi,
>
> On 28.07.21 at 13:16, Maya Zbitneva wrote:
> > Good day!
> > 
> > Michael, thank you very much for your professional consultation. It was 
> > a real cryptominer in OS Ubuntu!
>
> Ouch.
>
> > I succeeded in killing it. 
>
> Do you have the user of the running process (ps -xau) ?
>
> > But I have the question about it.
> > How to find the vulnerability from which the malware got in?
>
> That is the hard part. You can try http://www.chkrootkit.org/ (should be 
> in Ubuntu) but this also can produce false positives. It might also not 
> be the right tool…
>
> If you have no idea, no log files or anything, IMHO:
>
> ----> Install a new machine !! <----
>
> Make a new machine, set up (Apache / Nginx) and Tomcat, and once it is 
> basically running, copy the DSpace files.
> Change passwords and hope nothing awful is copied to the new machine.
> Keep it closed - only https and ssh, keep the logins local (no Windows 
> join).
>
> > Because even if I removed the malware, it can come again using the same 
> > vulnerability it exploited earlier.
>
> This is what makes admins sleep bad.
>
> > Help me please, what security measures need to be taken to prevent the 
> > virus from entering the operating system again?
>
> I can only give you some simple tips, because I don't know your 
> organization, and there are standards you should keep on any machine 
> running on the internet.
>
> Do not expose any service to the internet which you don't need there - 
> if you are behind a network firewall, only https (port 443) for DSpace 
> needs to be accessible from outside - no ssh, no network file systems 
> etc. Try a port scan from outside.
>
> Update your OS regularly, on DSpace especially Java.
>
> Backup - and restore ! Try the restore on a new machine and get a feeling 
> for that, note down the steps.
>
> If your DSpace is also file-, mail- and print-server, there is something 
> really wrong - try to split that.
>
> Find a local Linux community to get better help.
>
> But maybe you made everything OK - this still can happen :( .
>
> CU
>
> Michael
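
Two offline checks that follow the advice in Michael's reply (only https on 443 should face the network; know which user each process runs as), as an added example that is not part of the thread. The `ss` and `ps` outputs below are constructed samples; the process name `unexpected_bin` is a placeholder, and the functions take the command output as text so they can be fed live output on a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Two offline checks that follow Michael's
# advice: (1) only https (443) should face the network, (2) know which user a
# process runs as. Both functions parse command output passed in as text, so
# they are exercised here on constructed samples; on a live host feed them
# "$(ss -Hltn)" and "$(ps -eo user:12,pid,comm)" instead.

ALLOWED_PORTS="443 22"   # 22 only if ssh must stay open; drop it otherwise

# Constructed `ss -Hltn` output: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:2049 [::]:*
LISTEN 0 128 [::1]:8005 [::]:*'

# unexpected_listeners SS_TEXT: print Local:Port for every listener bound to a
# non-loopback address whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
    {
      port = $4; sub(/.*:/, "", port)
      host = $4; sub(/:[0-9]+$/, "", host)
      # loopback-only binds are not reachable from outside
      if (host == "127.0.0.1" || host == "[::1]") next
      if (!(port in ok)) print $4
    }'
}

# Constructed `ps -eo user:12,pid,comm` output with one placeholder oddity
SAMPLE_PS='USER           PID COMMAND
root             1 systemd
tomcat         812 java
tomcat        4711 unexpected_bin
postgres       655 postgres'

# service_account_oddities USER EXPECTED_COMM PS_TEXT: processes owned by USER
# whose command is not EXPECTED_COMM; a service account should run one thing.
service_account_oddities() {
  printf '%s\n' "$3" | awk -v u="$1" -v want="$2" \
    'NR > 1 && $1 == u && $3 != want { print $2, $3 }'
}

unexpected_listeners "$SAMPLE_SS"                  # 0.0.0.0:8080 and [::]:2049
service_account_oddities tomcat java "$SAMPLE_PS"  # 4711 unexpected_bin
```

Anything the first check lists that is not deliberately public belongs behind the firewall or bound to 127.0.0.1; anything the second check lists deserves a look at its binary path and start time before deciding it is legitimate.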

-- 
All messages to this mailing list should adhere to the Code of Conduct: 
https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.