From owner-freebsd-questions@FreeBSD.ORG Sun May 3 18:36:09 2015
Date: Sun, 3 May 2015 20:36:07 +0200
From: Eduardo Morras
To: freebsd-questions@freebsd.org
Subject: Re: Unnoticed for years, malware turned Linux and BSD servers into spamming machines
Message-Id: <20150503203607.a4b200aa5e45360077937dd1@yahoo.es>
In-Reply-To: <554667B9.2050205@gmail.com>
References: <20150503123824.3faeca9e@seibercom.net> <554667B9.2050205@gmail.com>
X-Mailer: Sylpheed 3.4.2 (GTK+ 2.24.27; amd64-portbld-freebsd9.3)

On Sun, 03 May 2015 12:23:53 -0600 jd1008 wrote:

> More importantly, how do we disinfect? Reinstall the system?
> But the infiltration was done to a freshly installed system.
> We need to know what filenames are involved!!

You have the original news here:

http://www.eset.com/int/about/press/articles/malware/article/linux-and-bsd-web-servers-at-risk-of-sophisticated-mumblehard-infection-says-eset/

Here you can download a PDF describing it:

http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf

And more info:

http://thehackernews.com/2015/05/Mumblehard-Linux-Malware.html

Last lines say:

"Web server administrators should check their servers for Mumblehard infections by looking for the so-called unwanted cronjob entries added by the malware in an attempt to activate the backdoor every 15-minute increments. The backdoor is generally located in the /var/tmp or /tmp folders. You can deactivate this backdoor by mounting the tmp directory with the noexec option."
HTH

---
Eduardo Morras
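The two checks quoted in the reply above (look for cron entries that launch something out of /tmp or /var/tmp, and see whether /tmp is mounted noexec) are easy to script. The following is an added example written for this archive page; it is not code from the thread, from ESET, or from the FreeBSD project. The crontab and mount(8) listings it scans are constructed sample data with placeholder names, not real indicators, and the file paths used in the comments (/etc/crontab, /var/cron/tabs) are the FreeBSD defaults.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from ESET: a small
# audit helper for the two checks quoted in the reply (cron entries launching
# something out of /tmp or /var/tmp, and whether /tmp is mounted noexec).
# All sample data below is constructed; the paths are placeholders, not real IoCs.

# Print the non-comment crontab lines (read from stdin) whose command part
# references a path under /tmp/ or /var/tmp/. Exit status follows grep:
# 0 when at least one such line was printed, 1 when none matched.
find_tmp_cron_entries() {
    grep -Ev '^[[:space:]]*(#|$)' | grep -E '(^|[[:space:]=;&|])(/var)?/tmp/'
}

# Read mount(8)-style output from stdin; succeed only when the filesystem
# mounted on the directory given as $1 lists "noexec" among its options.
# FreeBSD prints lines such as:  tmpfs on /tmp (tmpfs, local, noexec)
mount_has_noexec() {
    grep -E "^[^ ]+ on $1 \(" | grep -qE '[(, ]noexec[,)]'
}

# --- constructed sample input (placeholder names, not real malware artifacts) ---
SAMPLE_CRONTAB='# constructed crontab for the example
0 3 * * *      /usr/local/sbin/nightly-backup.sh
*/15 * * * *   /var/tmp/EXAMPLE_BACKDOOR >/dev/null 2>&1
# a comment mentioning /tmp/ must not be flagged
*/15 * * * *   /tmp/.EXAMPLE/run
30 6 * * 1     /usr/bin/uptime'

SAMPLE_MOUNT_NOEXEC='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
tmpfs on /tmp (tmpfs, local, noexec, nosuid)'

SAMPLE_MOUNT_EXEC='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
tmpfs on /tmp (tmpfs, local)'

# Count how many sample crontab lines run out of a tmp directory.
count_sample_tmp_entries() {
    printf '%s\n' "$SAMPLE_CRONTAB" | find_tmp_cron_entries | wc -l | tr -d '[:space:]'
}

# Classify a mount listing (given as $1) as "noexec" or "exec" for /tmp.
classify_tmp_mount() {
    if printf '%s\n' "$1" | mount_has_noexec /tmp; then
        echo noexec
    else
        echo exec
    fi
}

# On a live FreeBSD host you would feed real data instead of the samples, e.g.
#   cat /etc/crontab /var/cron/tabs/* | find_tmp_cron_entries
#   mount | mount_has_noexec /tmp || echo "/tmp is not mounted noexec"
printf '%s\n' "$SAMPLE_CRONTAB" | find_tmp_cron_entries && echo "WARN: cron entries run from a tmp directory"
echo "/tmp mount in sample: $(classify_tmp_mount "$SAMPLE_MOUNT_NOEXEC")"
```

A hit from the cron check is a lead, not proof: legitimate jobs occasionally run from /var/tmp, so inspect what the flagged file is before removing anything. The noexec check only covers /tmp; if /var/tmp is a separate filesystem on your host, run the same check for it.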