Date: Wed, 30 Jul 2014 01:31:42 +0200
----- Original Message -----
> From: "Larry Linder" <[log in to unmask]>
> To: [log in to unmask]
> Sent: Tuesday, 29 July, 2014 11:23:48 PM
> Subject: Malware 3
>
> Is it contained in an OS file? As with some other viruses, where the file contains
> the original in the first 4096 bytes, the next block is the virus, and the
> rest of the file follows at 8096. So if you run something like "cp", the
> virus spreads to all files in /bin.
Try to use rpm -V to verify the installed packages against the contents of the files.
It can probably be scripted to something like this:
for r in $(rpm -qa); do
    rpm -V "$r" && echo "Checked $r: Pass" || echo "Checked $r: FAILED VERIFICATION"
done
> Any ideas?
> I didn't rewrite what is contained in the web page but just directed you to
> it. I don't think I would use a box in a secure environment to examine this; I
> am just skeptical of everything I see anymore.
Is SELinux enabled and set to Enforcing? If yes, have any additional SELinux
policies been added?
Also consider installing some kind of bash/shell logger and file logger (such as
tripwire) to see where files change. If tripwire or similar tools are too heavy,
at least consider using git (cd /; git init ; git add . ; git commit -m "Fresh install").
When the issue appears again, it should be possible to get a list of modified files with
'git diff' or 'git status'. But I'd expect the /.git folder to be reasonably big, so this
is truly just a "poor file tracker" for this purpose.
Other things to look more carefully into are:
- What kind of services are publicly available?
- What kind of security measures are taken in order to secure these services?
(iptables, mod_security for Apache, chroot, SELinux, etc, etc, process uid/gid)
- Who can access these services?
--
kind regards,
David Sommerseth
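An added example (my own, not code from David's mail or from rpm) that takes the rpm -V idea above one step further: instead of just pass/fail per package, it parses the per-file verification lines and separates an edited config file (expected) from a changed digest on an ordinary binary (the kind of change the file infector Larry describes would leave). The function names and the sample output lines are mine; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: parse `rpm -V` output and sort
# each reported file into a category a defender would want to look at.
# rpm -V prints one line per file that fails a check, e.g.
#   S.5....T.  c /etc/ssh/sshd_config      (<flags>  <type> <path>)
# flags: S size, M mode, 5 digest, D device, L symlink, U user, G group,
#        T mtime, P capabilities; "." = test passed, "?" = not checked.
# type: c config, d doc, g ghost, l license, r readme, blank = ordinary file.
# An edited config file is expected; a changed digest on an ordinary file
# (a binary under /bin, say) is what the infector described above would leave.

classify_line() {
    # $1: one rpm -V line. Prints "<verdict> <path>" (paths with spaces not handled).
    set -- $1                       # split on whitespace: flags [type] path
    flags=$1
    if [ $# -eq 3 ]; then ftype=$2; path=$3; else ftype=-; path=$2; fi
    [ "$flags" = missing ] && { echo "MISSING $path"; return; }
    case "$flags" in *5*) digest=1 ;; *) digest=0 ;; esac
    case "$flags" in *M*|*U*|*G*|*P*) perms=1 ;; *) perms=0 ;; esac
    if [ "$ftype" = - ] && [ "$digest" = 1 ]; then echo "SUSPECT_CONTENT $path"
    elif [ "$perms" = 1 ]; then echo "SUSPECT_PERMS $path"
    elif [ "$ftype" = c ]; then echo "EXPECTED_CONFIG_EDIT $path"
    else echo "MINOR $path"
    fi
}

# Classify every line on stdin (the output of `rpm -V <pkg>`).
classify_report() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        classify_line "$line"
    done
}

# Live use (needs rpm): run over every installed package, prefixing the package name.
scan_all() {
    for r in $(rpm -qa); do
        rpm -V "$r" | classify_report | sed "s/^/$r: /"
    done
}

# Constructed sample output (not from a real host) so the parser runs offline:
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/cp
.M.......    /usr/bin/passwd
.......T.    /usr/share/doc/foo/README
missing     /usr/lib64/libfoo.so'
printf '%s\n' "$SAMPLE" | classify_report
```

On a live host, call scan_all instead of the sample pipeline; anything marked SUSPECT_CONTENT under /bin, /sbin or /usr/lib deserves a look before trusting the box again.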