[SAC] [OSGeo] #2162: OSGeo6 coin mining and other malware issues - investigate and mitigate
trac_osgeo at osgeo.org
Sat May 12 06:56:44 PDT 2018
#2162: OSGeo6 coin mining and other malware issues - investigate and mitigate
Reporter: robe | Owner: martin
Type: task | Status: assigned
Priority: critical | Milestone: Sysadmin Contract 2018-I
Component: Systems Admin | Keywords:
In last meeting we briefly discussed the issue of some sort of coin mining
process going on under the geotools account which Markus Neteler spotted.
Refer to list thread:
and excerpts from last meeting transcript:
20:03:04 robe2: next topic - osgeo6 coin mining issue
20:03:04 wildintellect: we should probably start discussing the
20:03:34 robe2: wildintellect I'll add that to the end of agenda
20:03:41 wildintellect: so I'll not this isn't the 1st time we've
caught a miner on an osgeo system
20:03:47 robe2: I think that might take a bit of discussion and
flow into after party
20:04:06 wildintellect: martin found one once, I can't recall
which machine, I think adhoc
20:04:17 wildintellect: that was clearly injected into a website
20:04:49 markusN: hi sorry for late
20:05:04 robe2: markusN I wasn't paying attention too closely were
you saying j was running under geotools account?
20:05:51 markusN: np
20:06:03 robe2: np?
20:07:08 robe2: anyway can we disable geotools LDAP account or at
very least remove for ldap_shell group?
20:07:21 robe2: ping strk you around?
20:09:54 TemptorSent: Check crontab entries.
20:10:53 wildintellect: there was a note that removing users from
the ldap_shell group doesnt' work
20:10:54 TemptorSent: Try to determine what the means of CnC is,
because backdoors or reentry ports are common with such tools.
20:11:08 markusN: I'm still convinced of resetting all
20:11:19 wildintellect: TemptorSent, do you have access to that
machine to poke around?
20:11:31 TemptorSent: No idea, and I'd rather not try.
20:12:03 markusN: (and I'm in Germany with totally crappy
mobile connection... on and off)
20:12:05 TemptorSent: It's asking for a compromise of passwords.
20:12:26 markusN: mhh
20:12:27 TemptorSent: Anyone logging in with a password should
subsequently reset their passwords.
20:12:45 wildintellect: ya that's part of the greater need to move
to key based
20:12:57 TemptorSent: Trojaning SSH is a time-honored
20:13:01 wildintellect: Martin will have a way to key based login
20:13:06 wildintellect: I believe I have that too
20:13:10 robe2: TemptorSent didn't see any jobs running under
20:13:14 wildintellect: so I could add more keys
20:13:15 robe2: that was first thing I checked
20:13:47 TemptorSent: depending on how good the hackere/kit,
they may be cloaked as 'nobody' even.
20:14:18 TemptorSent: A good trick is to pick the name of a
running process, clone it, and restart yourself periodically.
20:14:49 robe2: wildintellect you know if Martin has used up his
20:14:59 TemptorSent: To be honest, I wouldn't trust much of
anything without having proper logs and and audit list to check against.
20:15:01 robe2: or can we assign him to look into this issue
20:15:02 wildintellect: no idea, strk was overseeing that
20:15:20 robe2: and strk appears to be asleep :)
20:15:57 robe2: as I recall I think we asked Martin in last
meeting and he said he still had time but got tied up with other
emergencies in past 2 weeks or so
20:16:09 robe2: he was going to start putting in more time this
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2162>
OSGeo committee and general foundation issue tracker.
More information about the Sac