"Is a CentOS server infected with the gozi virus?"
Posted by Witali (ok) on 07-Feb-17, 14:44
I have a dedicated server running CentOS 6 - Minimal.

Its IP ended up on the CBL blacklist with the wording "This IP is infected with, or is NATting for a machine infected with s_gozi" (full text below), and many mail servers now block mail from it.

The suggested tools are not suitable because they are for Windows, since gozi targets Windows.

Support ran an antivirus, but it found nothing.

Support ran: tcpdump -nnvvXS host 87.106.18.141 (CBL was reporting a different address at the time) -w /root/traf.pcap -c 100000
but no connections to 87.106.18.141 were recorded.

But CBL says there is activity: "It was last detected at 2017-02-07 01:00 GMT "

Any ideas?

Full text:

IP Address 1.1.1.1 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2017-02-07 01:00 GMT (+/- 30 minutes), approximately 8 hours ago.

It has been relisted following a previous removal at 2017-01-20 17:55 GMT (17 days, 15 hours, 5 minutes ago)

This IP is infected with, or is NATting for a machine infected with s_gozi

Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.

This was detected by observing this IP attempting to make contact to a s_gozi Command and Control server, with contents unique to s_gozi C&C command protocols.

This was detected by a TCP/IP connection from "1.1.1.1" on port "53194" going to IP address "192.42.116.41" (the sinkhole) on port "80".

The botnet command and control domain for this connection was "ebinburg.ru".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address "192.42.116.41" or host name "ebinburg.ru" on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to "192.42.116.41" or "ebinburg.ru". See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

Please note that some of the above quoted information may be empty ("") or "na" or "-". In those cases, the feed has declined or is unable to give us that information. Hopefully enough information will be present to allow you to pinpoint the connections. If not, the destination ports to check are usually port 80, 8080, 443 or high ports (around 16000) outbound from your network. Most of these infections spray these connections in high volume, and they should stand out.

This detection corresponds to a connection at 2017-02-07 00:55:04 (GMT - this timestamp is believed accurate to within one second).

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" its a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users/customers personal information, including banking information to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.

The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.

Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.

Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected.

While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.


1. "Is a CentOS server infected with the gozi virus?"
Posted by PavelR (??) on 07-Feb-17, 19:37
>[overquoting removed]
> mail.
> The suggested tools are not suitable because they are for Windows, since gozi targets
> Windows.
> Support ran an antivirus, but it found nothing.
> Support ran: tcpdump -nnvvXS host 87.106.18.141 (CBL was reporting a different address at the time)
> -w /root/traf.pcap -c 100000
> but no connections to 87.106.18.141 were recorded.
> But CBL says there is activity: "It was last detected at 2017-02-07
> 01:00 GMT "
> Any ideas?

1) What effect did you expect to get from recording the traffic?
Suppose such requests are in the traffic. What next?

2) Since the addresses change, you need to record all traffic to the specified ports, not a single IP.
Then, once the CBL page has updated, you can search the recorded traffic.

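One way to carry out the search described in the reply above, as an added example that is not part of the thread: record outbound SYNs on the ports the CBL notice names, then look up the source port and timestamp from the listing instead of a destination IP. The capture command in the comment (interface eth0, output path), the 192.0.2.10 server address and the sample packets are constructed assumptions; only classic Ethernet pcap carrying IPv4 is parsed.

```python
# Capture side (assumed interface and path), rotating hourly, outbound SYNs only:
#   tcpdump -ni eth0 -G 3600 -w '/var/tmp/out-%Y%m%d%H.pcap' \
#     'tcp[tcpflags] & tcp-syn != 0 and (dst port 80 or dst port 8080 or dst port 443)'
import struct
from calendar import timegm
from socket import inet_aton, inet_ntoa

def find_syns(pcap, when_utc, src_port, window=60):
    """Return (ts, src, sport, dst, dport) for SYNs matching the CBL source port and time."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    e = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the capturing host
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                           # truncated, or not IPv4/TCP
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]  # skip the IP header, options included
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        # SYN set and ACK clear: a connection opened by this host.
        if tcp[13] & 0x12 == 0x02 and sport == src_port and abs(ts - when_utc) <= window:
            hits.append((ts, inet_ntoa(pkt[26:30]), sport, inet_ntoa(pkt[30:34]), dport))
    return hits

def sample_pcap(records):
    """Build a constructed little-endian pcap from (ts, src, sport, dst, dport, flags)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, src, sport, dst, dport, flags in records:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         inet_aton(src), inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)
        pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return out

CBL_TIME = timegm((2017, 2, 7, 0, 55, 4))      # connection time from the CBL listing
ME, SINK = "192.0.2.10", "192.42.116.41"       # ME is a constructed server address
SAMPLE = sample_pcap([
    (CBL_TIME, ME, 53194, SINK, 80, 0x02),               # the reported connection
    (CBL_TIME + 1, ME, 53194, SINK, 80, 0x10),           # ACK of the same flow
    (CBL_TIME - 5, ME, 40000, "198.51.100.7", 443, 0x02),
    (CBL_TIME + 7200, ME, 53194, "203.0.113.5", 80, 0x02),  # same port, hours later
])
```
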