Opened 6 years ago

Closed 5 years ago

#2162 closed task (fixed)

OSGeo6 coin mining and other malware issues - investigate and mitigate

Reported by: robe
Owned by: martin
Priority: critical
Milestone: Sysadmin Contract 2019-I
Component: SysAdmin
Keywords:
Cc:

Description

In the last meeting we briefly discussed the issue of some sort of coin mining process going on under the geotools account which Markus Neteler spotted.

Refer to list thread:

https://lists.osgeo.org/pipermail/sac/2018-May/010001.html

https://lists.osgeo.org/pipermail/sac/2018-May/010017.html

and excerpts from last meeting transcript:

20:03:04	robe2:	next topic - osgeo6 coin mining issue
20:03:04	wildintellect:	we should probably start discussing the setup plan
20:03:34	robe2:	wildintellect I'll add that to the end of agenda today
20:03:41	wildintellect:	so I'll note this isn't the 1st time we've caught a miner on an osgeo system
20:03:47	robe2:	I think that might take a bit of discussion and flow into after party
20:04:06	wildintellect:	martin found one once, I can't recall which machine, I think adhoc
20:04:17	wildintellect:	that was clearly injected into a website
20:04:49	markusN:	hi sorry for late
20:05:04	robe2:	markusN I wasn't paying attention too closely were you saying j was running under geotools account?
20:05:51	markusN:	np
20:06:03	robe2:	np?
20:07:08	robe2:	anyway can we disable geotools LDAP account or at very least remove for ldap_shell group?
20:07:21	robe2:	ping strk you around?
20:09:54	TemptorSent:	Check crontab entries.
20:10:53	wildintellect:	there was a note that removing users from the ldap_shell group doesn't work
20:10:54	TemptorSent:	Try to determine what the means of CnC is, because backdoors or reentry ports are common with such tools.
20:11:08	markusN:	I'm still convinced of resetting all accounts
20:11:19	wildintellect:	TemptorSent, do you have access to that machine to poke around?
20:11:31	TemptorSent:	No idea, and I'd rather not try.
20:12:03	markusN:	(and I'm in Germany with totally crappy mobile connection... on and off)
20:12:05	TemptorSent:	It's asking for a compromise of passwords.
20:12:26	markusN:	mhh
20:12:27	TemptorSent:	Anyone logging in with a password should subsequently reset their passwords.
20:12:45	wildintellect:	ya that's part of the greater need to move to key based
20:12:57	TemptorSent:	Trojaning SSH is a time-honored tradition.
20:13:01	wildintellect:	Martin will have a way to key based login as root
20:13:06	wildintellect:	I believe I have that too
20:13:10	robe2:	TemptorSent didn't see any jobs running under geotools account
20:13:14	wildintellect:	so I could add more keys
20:13:15	robe2:	that was first thing I checked
20:13:47	TemptorSent:	depending on how good the hacker/kit, they may be cloaked as 'nobody' even.
20:14:18	TemptorSent:	A good trick is to pick the name of a running process, clone it, and restart yourself periodically.
20:14:49	robe2:	wildintellect you know if Martin has used up his contract yet?
20:14:59	TemptorSent:	To be honest, I wouldn't trust much of anything without having proper logs and an audit list to check against.
20:15:01	robe2:	or can we assign him to look into this issue further
20:15:02	wildintellect:	no idea, strk was overseeing that
20:15:20	robe2:	and strk appears to be asleep :)
20:15:57	robe2:	as I recall I think we asked Martin in last meeting and he said he still had time but got tied up with other emergencies in past 2 weeks or so
20:16:09	robe2:	he was going to start putting in more time this coming week.

Change History (4)

comment:1 by martin, 6 years ago

As discussed in today's SAC meeting, I'll pursue a check of the system binaries for known suspects.
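The checks raised in the transcript (crontab entries, a miner cloaked as 'nobody' or under a borrowed process name, an unlinked binary) and the binary check from comment:1 can be triaged with a few POSIX shell helpers. This is an added example, not OSGeo's own tooling: the SAMPLE process list is constructed, and the cron and package-manager paths are Debian/RHEL assumptions.

```shell
#!/bin/sh
# Added triage helpers for the checks raised in this ticket; the SAMPLE data
# is constructed and the cron/package paths are Debian and RHEL assumptions.

# flag_procs: reads "PID USER COMM EXE" lines and prints those whose name does
# not match the executable, whose exe was unlinked, or that run from scratch dirs
flag_procs() {
  while read -r pid user comm exe; do
    base=${exe##*/}
    short=$(printf '%.15s' "$base")   # /proc/PID/comm holds at most 15 chars
    reason=""
    case "$exe" in
      '?') reason="exe-unreadable" ;;                  # readlink needs root
      *'(deleted)') reason="exe-deleted" ;;
      /tmp/*|/var/tmp/*|/dev/shm/*) reason="scratch-dir" ;;
    esac
    if [ -z "$reason" ] && [ "$short" != "$comm" ]; then reason="name-mismatch"; fi
    if [ -n "$reason" ]; then echo "$reason $pid $user $comm $exe"; fi
  done
}
# live_procs: the same four columns read from /proc on a Linux host
live_procs() {
  for d in /proc/[0-9]*; do
    comm=$(cat "$d/comm" 2>/dev/null) || continue
    user=$(stat -c %U "$d" 2>/dev/null || echo '?')
    exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
    echo "${d#/proc/} $user $comm $exe"
  done
}
# list_cron: every location where a persistent job can be parked
list_cron() {
  ls -la /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
     /var/spool/cron/crontabs /var/spool/cron 2>/dev/null
}
# verify_binaries: packaged files whose on-disk checksum no longer matches
verify_binaries() { dpkg --verify 2>/dev/null || rpm -Va 2>/dev/null; }

# Constructed sample standing in for live_procs output on a suspect host
SAMPLE='1 root systemd /usr/lib/systemd/systemd
812 nobody kworker /tmp/.x/kworker
915 geotools sshd /usr/sbin/sshd
1044 geotools sshd /home/geotools/.cache/xmr (deleted)
1200 root cron /usr/sbin/cron'
printf '%s\n' "$SAMPLE" | flag_procs
```

On a live host run `live_procs | flag_procs` as root, then `list_cron` and `verify_binaries`; a flagged line is a lead to inspect, not proof on its own.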

comment:2 by robe, 5 years ago

Milestone: changed from Sysadmin Contract 2018-I to Sysadmin Contract 2019-I

comment:3 by neteler, 5 years ago

I suggest to close this ticket as being solved for the time being.

comment:4 by robe, 5 years ago

Resolution: fixed
Status: changed from assigned to closed

Agree
