Date: Sun, 3 May 2015 20:36:07 +0200
From: Eduardo Morras <emorrasg@yahoo.es>
To: freebsd-questions@freebsd.org
Subject: Re: Unnoticed for years, malware turned Linux and BSD servers into spamming machines
Message-ID: <20150503203607.a4b200aa5e45360077937dd1@yahoo.es>
In-Reply-To: <554667B9.2050205@gmail.com>
References: <20150503123824.3faeca9e@seibercom.net> <CADy1Ce4fQCHFfX89ka6BX5fuwZ-+xzDUsq1TK_Geiwo03cMhcQ@mail.gmail.com> <554667B9.2050205@gmail.com>
On Sun, 03 May 2015 12:23:53 -0600
jd1008 <jd1008@gmail.com> wrote:

> More importantly, how do we disinfect? Reinstall the system?
> But the infiltration was done to a freshly installed system.
> We need to know what filenames are involved!!

You have the original news here:

http://www.eset.com/int/about/press/articles/malware/article/linux-and-bsd-web-servers-at-risk-of-sophisticated-mumblehard-infection-says-eset/

Here you can download a pdf describing it:

http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf

And more info:

http://thehackernews.com/2015/05/Mumblehard-Linux-Malware.html

Last lines say:

"Web server administrators should check their servers for Mumblehard infections by looking for the so-called unwanted cronjob entries added by the malware in an attempt to activate the backdoor every 15-minute increments. The backdoor is generally located in the /var/tmp or /tmp folders. You can deactivate this backdoor by mounting the tmp directory with the noexec option."

HTH

---   ---
Eduardo Morras <emorrasg@yahoo.es>
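The two checks the quoted advice describes, written out as an added example that is not part of the post or of ESET's material: one pass over crontab lines that flags commands run from /tmp or /var/tmp (marking 15-minute schedules), and one pass over a mount table that reports whether a mountpoint carries noexec. The crontab lines, mount table and backdoor filename below are constructed placeholders, not real indicators.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Sample data is constructed.

# find_suspect_cron: read user-crontab lines (5 schedule fields + command) on
# stdin; print each line whose command runs from /tmp or /var/tmp, tagged
# "15min" when the minute field is a 15-minute schedule, "other" otherwise.
find_suspect_cron() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            cmd = ""
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ "[ \t]/(var/)?tmp([/ \t]|$)") {
                tag = ($1 == "*/15" || $1 == "0,15,30,45") ? "15min" : "other"
                print tag "\t" $0
            }
        }'
}

# mount_is_noexec MOUNTPOINT: read mount-table lines (device mountpoint fstype
# options, the layout of Linux /proc/mounts and FreeBSD `mount -p`) on stdin;
# exit 0 if MOUNTPOINT is listed with noexec, 1 otherwise. Only an explicit
# mountpoint matches: a /var/tmp that is just a directory on /var reports 1,
# so check the filesystem it actually lives on.
mount_is_noexec() {
    awk -v mp="$1" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample input; PLACEHOLDER_* names stand in for whatever the
# malware dropped and are not real indicators.
sample_crontab() {
    printf '%s\n' \
        '# m h dom mon dow command' \
        '*/15 * * * * /var/tmp/PLACEHOLDER_BACKDOOR' \
        '0 3 * * * /usr/bin/periodic daily' \
        '30 * * * * cd /tmp && ./PLACEHOLDER_HELPER'
}
sample_mounts() {
    printf '%s\n' \
        '/dev/ada0p2 / ufs rw' \
        'tmpfs /tmp tmpfs rw,noexec,nosuid' \
        '/dev/ada0p3 /var ufs rw'
}

sample_crontab | find_suspect_cron
sample_mounts | mount_is_noexec /tmp && echo "/tmp is mounted noexec"
```

On a live host, feed `crontab -l -u USER` for each user (and /etc/crontab with its extra user field stripped) to the first function, and `mount -p` or /proc/mounts to the second.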