Opened 7 years ago
Closed 6 years ago
#2162 closed task (fixed)
OSGeo6 coin mining and other malware issues - investigate and mitigate
Reported by: | robe | Owned by: | martin |
---|---|---|---|
Priority: | critical | Milestone: | Sysadmin Contract 2019-I |
Component: | SysAdmin | Keywords: | |
Cc: |
Description
In the last meeting we briefly discussed the issue of some sort of coin mining process going on under the geotools account, which Markus Neteler spotted.
Refer to the list threads:
https://lists.osgeo.org/pipermail/sac/2018-May/010001.html
https://lists.osgeo.org/pipermail/sac/2018-May/010017.html
and excerpts from the last meeting transcript:
20:03:04 robe2: next topic - osgeo6 coin mining issue
20:03:04 wildintellect: we should probably start discussing the setup plan
20:03:34 robe2: wildintellect I'll add that to the end of agenda today
20:03:41 wildintellect: so I'll note this isn't the 1st time we've caught a miner on an osgeo system
20:03:47 robe2: I think that might take a bit of discussion and flow into after party
20:04:06 wildintellect: martin found one once, I can't recall which machine, I think adhoc
20:04:17 wildintellect: that was clearly injected into a website
20:04:49 markusN: hi sorry for late
20:05:04 robe2: markusN I wasn't paying attention too closely were you saying j was running under geotools account?
20:05:51 markusN: np
20:06:03 robe2: np?
20:07:08 robe2: anyway can we disable geotools LDAP account or at very least remove for ldap_shell group?
20:07:21 robe2: ping strk you around?
20:09:54 TemptorSent: Check crontab entries.
20:10:53 wildintellect: there was a note that removing users from the ldap_shell group doesn't work
20:10:54 TemptorSent: Try to determine what the means of CnC is, because backdoors or reentry ports are common with such tools.
20:11:08 markusN: I'm still convinced of resetting all accounts
20:11:19 wildintellect: TemptorSent, do you have access to that machine to poke around?
20:11:31 TemptorSent: No idea, and I'd rather not try.
20:12:03 markusN: (and I'm in Germany with totally crappy mobile connection... on and off)
20:12:05 TemptorSent: It's asking for a compromise of passwords.
20:12:26 markusN: mhh
20:12:27 TemptorSent: Anyone logging in with a password should subsequently reset their passwords.
20:12:45 wildintellect: ya that's part of the greater need to move to key based
20:12:57 TemptorSent: Trojaning SSH is a time-honored tradition.
20:13:01 wildintellect: Martin will have a way to key based login as root
20:13:06 wildintellect: I believe I have that too
20:13:10 robe2: TemptorSent didn't see any jobs running under geotools account
20:13:14 wildintellect: so I could add more keys
20:13:15 robe2: that was first thing I checked
20:13:47 TemptorSent: depending on how good the hacker/kit, they may be cloaked as 'nobody' even.
20:14:18 TemptorSent: A good trick is to pick the name of a running process, clone it, and restart yourself periodically.
20:14:49 robe2: wildintellect you know if Martin has used up his contract yet?
20:14:59 TemptorSent: To be honest, I wouldn't trust much of anything without having proper logs and an audit list to check against.
20:15:01 robe2: or can we assign him to look into this issue further
20:15:02 wildintellect: no idea, strk was overseeing that
20:15:20 robe2: and strk appears to be asleep :)
20:15:57 robe2: as I recall I think we asked Martin in last meeting and he said he still had time but got tied up with other emergencies in past 2 weeks or so
20:16:09 robe2: he was going to start putting in more time this coming week.
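A defender-side check for the cloaking trick TemptorSent describes above (a miner borrowing the name of a running process, possibly under 'nobody'), added here as an example and not part of this ticket or of OSGeo's own tooling. The sample records are constructed, and the list of scratch directories is an assumption.

```python
"""Flag processes whose name (comm) does not match the binary they actually run,
whose binary was deleted after launch, or which execute from a scratch directory."""
import os

# Assumption: legitimate daemons on this host do not execute from these paths.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def classify(pid, comm, exe, uid):
    """Return a list of (pid, uid, finding) for one process record; [] means nothing odd."""
    findings = []
    if exe.endswith(" (deleted)"):
        findings.append("binary deleted after launch")
        exe = exe[:-len(" (deleted)")]
    if exe.startswith(SUSPECT_DIRS):
        findings.append("runs from scratch directory")
    # /proc/<pid>/comm is capped at 15 characters, so compare the truncated basename.
    if comm and os.path.basename(exe)[:15] != comm[:15]:
        findings.append("comm %r does not match exe %r" % (comm, exe))
    return [(pid, uid, f) for f in findings]


def read_live_procs():
    """Collect (pid, comm, exe, uid) from /proc; kernel threads (no exe link) are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink("/proc/%s/exe" % entry)
            with open("/proc/%s/comm" % entry) as f:
                comm = f.read().strip()
            uid = os.stat("/proc/%s" % entry).st_uid
        except OSError:
            continue  # kernel thread, process already exited, or not readable as this user
        procs.append((int(entry), comm, exe, uid))
    return procs


def scan(procs):
    """Run classify() over a list of process records and return every finding."""
    out = []
    for pid, comm, exe, uid in procs:
        out.extend(classify(pid, comm, exe, uid))
    return out


# Constructed sample records (not captured from osgeo6). uid 65534 is typically 'nobody'.
SAMPLE = [
    (101, "sshd", "/usr/sbin/sshd", 0),
    (2042, "sshd", "/tmp/.x/kswapd (deleted)", 65534),
    (3077, "httpd", "/dev/shm/httpd", 1001),
]

if __name__ == "__main__":
    for pid, uid, msg in scan(SAMPLE) + scan(read_live_procs()):
        print(pid, uid, msg)
```

Run it as root so every /proc/<pid>/exe link is readable; a hit should be confirmed against package verification (the "check of the system binaries" mentioned later in this ticket) before acting on it.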
Change History (4)
comment:1 by , 7 years ago
As discussed in today's SAC meeting, I'll pursue a check of the system binaries for known suspects.
comment:2 by , 6 years ago
Milestone: | Sysadmin Contract 2018-I → Sysadmin Contract 2019-I |
---|