SCIENTIFIC-LINUX-USERS Archives

July 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
David Sommerseth <[log in to unmask]>
Reply To:
David Sommerseth <[log in to unmask]>
Date:
Wed, 30 Jul 2014 01:31:42 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (47 lines)
----- Original Message -----
> From: "Larry Linder" <[log in to unmask]>
> To: [log in to unmask]
> Sent: Tuesday, 29 July, 2014 11:23:48 PM
> Subject: Malware 3
> 
> Is it contained in an OS file?  As with some other viruses, where the file contains
> the original in the first 4096 bytes and the next block is the virus, and the
> rest of the file follows at 8096.   So if you run something like "cp" the
> virus spreads to all files in /bin.

Try to use rpm -V to verify the installed packages against the contents of the files.
It can probably be scripted to something like this:

  for r in $(rpm -qa);
  do
     rpm -V "$r" && echo "Checked $r: Pass" || echo "Checked $r: FAILED VERIFICATION";
  done

> Any Ideas ??
> I didn't rewrite what is contained in the web page but just directed you to
> it.  I don't think I would use a box in secure environment to examine this, I
> am just skeptical of everything I see anymore.

Is SELinux enabled and set to Enforcing?  If yes, have any additional SELinux
policies been added?

Also consider installing some kind of bash/shell logger and file logger (such as
tripwire) to see where files change.  If tripwire or similar tools are too heavy,
consider at least using git (cd /; git init; git add .; git commit -s -m "Fresh install").
When the issue appears again, it should be possible to get a list of modified files with
'git diff' or 'git status'.  But I'd expect the /.git folder to be reasonably big, so this
is truly just a "poor man's file tracker" for this purpose.

Other things to look more carefully into are:

 - What kind of services are publicly available?
 - What kind of security measures are taken in order to secure these services?
   (iptables, mod_security for Apache, chroot, SELinux, process uid/gid, etc.)
 - Who can access these services?


--
kind regards,

David Sommerseth
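
The reply above loops rpm -V over every package; `rpm -Va` does the same in one run, but on a box that has been in service for a while its output is mostly noise (edited config files, touched mtimes), and the lines that matter, a non-config file under /bin or /usr/lib64 whose digest no longer matches, or a file that has gone missing, are easy to miss. The script below is an added example, not code from the list post or from Scientific Linux: it parses the `rpm -V` line format and sorts each line into a category so the content-modified binaries and missing files come out first. The sample lines are constructed to stand in for a real `rpm -Va` run, and the parser assumes paths without whitespace, which holds for stock packages.

```shell
#!/bin/sh
# Added example (not from the list post): triage `rpm -V` / `rpm -Va` output so
# that binaries whose contents changed stand out from the usual config-file noise.
#
# rpm -V prints one line per file that fails a check:
#   SM5DLUGTP  c /path   nine test flags, an optional attribute letter, the path
#   missing      /path   the file is gone
# Flag positions: S size, M mode, 5 digest, D device, L symlink target, U user,
# G group, T mtime, P capabilities.  '.' = test passed, '?' = test could not run.
# Attribute letters: c config, d documentation, g ghost, l license, r readme.
# Assumption: paths contain no whitespace (true for stock SL packages).

# classify_rpmv_line LINE
# prints MISSING, CONTENT_MODIFIED, CONFIG_CHANGED, PERMS_CHANGED or METADATA_ONLY
classify_rpmv_line() {
    # shellcheck disable=SC2086
    set -- $1                       # split on whitespace: flags [attr] path
    [ "$1" = missing ] && { echo MISSING; return 0; }
    flags=$1
    attr=
    [ $# -ge 3 ] && attr=$2         # attribute letter present between flags and path
    case $flags in
        *5*|S*|*L*|*D*)             # digest, size, link target or device differ
            if [ "$attr" = c ]; then echo CONFIG_CHANGED   # locally edited config
            else echo CONTENT_MODIFIED                     # investigate this one
            fi ;;
        ?M*|*U*|*G*|*P)             # mode, owner, group or capabilities differ
            echo PERMS_CHANGED ;;
        *)                          # only mtime, or a test that could not run ('?':
            echo METADATA_ONLY ;;   # e.g. unreadable file; rerun as root)
    esac
}

# rpmv_path LINE: print the path field (last whitespace-separated field)
rpmv_path() {
    # shellcheck disable=SC2086
    set -- $1
    for p in "$@"; do :; done
    echo "$p"
}

# suspicious_paths: read rpm -V output on stdin, print the paths worth looking at
# first (missing files and non-config files whose content changed), one per line
suspicious_paths() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $(classify_rpmv_line "$line") in
            MISSING|CONTENT_MODIFIED) rpmv_path "$line" ;;
        esac
    done
}

# triage_report: read rpm -V output on stdin, print a per-category count
triage_report() {
    missing=0 content=0 config=0 perms=0 meta=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $(classify_rpmv_line "$line") in
            MISSING)          missing=$((missing+1)) ;;
            CONTENT_MODIFIED) content=$((content+1)) ;;
            CONFIG_CHANGED)   config=$((config+1)) ;;
            PERMS_CHANGED)    perms=$((perms+1)) ;;
            *)                meta=$((meta+1)) ;;
        esac
    done
    echo "missing=$missing content_modified=$content config_changed=$config perms_changed=$perms metadata_only=$meta"
}

# sample_rpmv_output: constructed lines in rpm -V format, standing in for a real
# `rpm -Va 2>/dev/null` run on the suspect host
sample_rpmv_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libz.so.1.2.3
..5....T.    /bin/cp
.M.......    /usr/bin/passwd
missing     /usr/sbin/tripwire
....L....  c /etc/localtime
EOF
}

# Stand-alone run; on a real host replace sample_rpmv_output with `rpm -Va 2>/dev/null`
sample_rpmv_output | triage_report
echo "Investigate first:"
sample_rpmv_output | suspicious_paths
```

Two caveats a practitioner would add: a verification run on the suspect host trusts that host's rpm binary and its rpm database, both of which an attacker with root could have adjusted, so for a box you actually suspect, compare against package files fetched from a trusted mirror (`rpm -Vp <package.rpm>`) or from a boot of clean media; and a digest mismatch on a config file is usually expected, which is why the script separates it from the same mismatch on a binary.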
