----- Original Message -----
> From: "Larry Linder" <[email protected]>
> To: [email protected]
> Sent: Tuesday, 29 July, 2014 11:23:48 PM
> Subject: Malware 3
>
> Is it contained in an OS file? As with some other viruses, where the file contains
> the original in the first 4096 bytes and the next block is the virus, and the
> rest of the file follows at 8096. So if you run something like "cp" the
> virus spreads to all files in /bin.
Try to use rpm -V to verify the installed packages against the contents of the files.
It can probably be scripted to something like this:

# Verify every installed package; rpm -V exits non-zero when any file differs
for r in $(rpm -qa); do
    rpm -V "$r" && echo "Checked $r: Pass" || echo "Checked $r: FAILED VERIFICATION"
done
> Any ideas?
> I didn't rewrite what is contained in the web page but just directed you to
> it. I don't think I would use a box in a secure environment to examine this, I
> am just skeptical of everything I see anymore.
Is SELinux enabled and set to Enforcing? If yes, have any additional SELinux
policies been added?
Also consider installing some kind of bash/shell logger and file logger (such as
tripwire) to see where files change. If tripwire or similar tools are too heavy,
consider at least using git (cd /; git init; git add .; git commit -s -m "Fresh
install").

When the issue appears again, it should be possible to get a list of modified
files with 'git diff' or 'git status'. But I'd expect the /.git folder to be
reasonably big, so this is truly just a "poor file tracker" for this purpose.
Other things to look more carefully into are:
- What kind of services are publicly available?
- What kind of security measures are taken in order to secure these services?
  (iptables, mod_security for Apache, chroot, SELinux, etc., process uid/gid)
- Who can access these services?
--
kind regards,
David Sommerseth
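The two checks suggested in the reply above (verifying installed packages with rpm -V, and keeping a baseline of the filesystem to diff against later) as one added example; this is not code from the thread or from its participants. It assumes GNU coreutils (sha256sum, comm, join) and the rpm -V line layout "<9 attribute chars>  <type> <path>", where the type column is 'c' for config files and blank otherwise. The rpm -V lines fed to the classifier below are constructed sample data, not output from a real host, and the baseline tracker is a hash-based stand-in for the git trick rather than something that needs a .git directory at /.

```sh
#!/bin/sh
# Added example (not from the original thread): classify 'rpm -V' findings and
# keep a sha256 baseline of a directory tree to spot changed/added/removed files.
export LC_ALL=C   # byte-order collation so sort, comm and join agree

# Read rpm -V lines on stdin and print one finding per line:
#   MISSING <path>  a packaged file is gone
#   CONFIG <path>   a config file ('c' in column 12) differs, often legitimate
#   SUSPECT <path>  a non-config file changed size/digest/mode/link/owner/group
#   MINOR <path>    only timestamp, capabilities or device numbers differ
# Assumes the layout "<9 attr chars>  <type> <path>" (an assumption stated above).
classify_rpm_verify() {
    while IFS= read -r line; do
        case "$line" in
            "") continue ;;
            missing\ *)
                printf 'MISSING %s\n' "$(printf '%s' "$line" | sed 's/^missing *//')"
                continue ;;
        esac
        flags=$(printf '%s' "$line" | cut -c1-9)    # S M 5 D L U G T P
        ftype=$(printf '%s' "$line" | cut -c12)     # 'c' for config files
        path=$(printf '%s' "$line" | cut -c14-)
        if [ "$ftype" = c ]; then
            printf 'CONFIG %s\n' "$path"
        else
            case "$flags" in
                *[S5MLUG]*) printf 'SUSPECT %s\n' "$path" ;;
                *)          printf 'MINOR %s\n' "$path" ;;
            esac
        fi
    done
}

# Record the sha256 of every regular file under $1 into $2, sorted by path.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2,2 > "$2"
}

# Compare the tree under $1 with baseline file $2 and print
# REMOVED / ADDED / CHANGED lines. Assumes paths contain no whitespace.
compare_baseline() {
    dir=$1; base=$2
    cur=$(mktemp) || return 1
    find "$dir" -type f -exec sha256sum {} + | sort -k 2,2 > "$cur"
    awk '{print $2}' "$base" > "$cur.base"
    awk '{print $2}' "$cur"  > "$cur.now"
    comm -23 "$cur.base" "$cur.now" | sed 's/^/REMOVED /'   # only in baseline
    comm -13 "$cur.base" "$cur.now" | sed 's/^/ADDED /'     # only on disk now
    join -j 2 "$base" "$cur" | awk '$2 != $3 {print "CHANGED", $1}'
    rm -f "$cur" "$cur.base" "$cur.now"
}

# Stand-alone demo on constructed data (not output from any real system).
printf '%s\n' 'S.5....T.    /usr/bin/ls' 'S.5....T.  c /etc/ssh/sshd_config' \
    '.......T.    /usr/lib/libfoo.so' 'missing     /usr/bin/cp' | classify_rpm_verify
demo=$(mktemp -d)
printf 'one' > "$demo/a"; printf 'two' > "$demo/b"
make_baseline "$demo" "$demo.baseline"
printf 'changed' > "$demo/a"; rm "$demo/b"; printf 'new' > "$demo/c"
compare_baseline "$demo" "$demo.baseline"   # CHANGED a, REMOVED b, ADDED c
rm -rf "$demo" "$demo.baseline"
```

In use, `rpm -Va | classify_rpm_verify | grep '^SUSPECT'` isolates the lines worth a second look on a host, and `make_baseline /bin /root/bin.sha256` followed later by `compare_baseline /bin /root/bin.sha256` gives the same "what changed since the fresh install" answer the git approach does, without a large /.git tree. Keep the baseline file off the box (or at least read-only) so that whatever modifies files cannot also rewrite the record of them.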