Rachel plays Linux via plug on 3 Sep 2023 11:08:06 -0700



Re: [PLUG] Malware Webshell Infection. - Advice Needed


Jeff's advice is perfect here. You should do a rebuild from scratch after checking through your backups and running diffs to see when that wso file popped up and if there were any other changes you might not have made.

Generate all new passwords for everything from SSH to web accounts, and if your cloud provider has any kind of two-factor authentication enabled, use it.

Rachel 
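The "run diffs against your backups to see when that wso file popped up" step from Rachel's reply, as an added example that is not part of the original thread: a small POSIX shell script that compares a known-good backup of the webroot with the live tree, reports every added, modified or removed file (with mtimes for the new ones), and then walks a series of dated backup snapshots to bracket when a given file first appeared. The snapshot names, the directory layout and the file contents in `make_fixture` are constructed stand-ins for the real backups and /var/www; the placeholder "wso.php" contains no webshell code.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): compare a clean backup of the
# webroot against the live tree and date the appearance of a suspicious file.

# List every regular file under $1 as a sorted path relative to $1.
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort )
}

# Modification time of a file; GNU stat first, BSD stat as a fallback.
mtime_of() {
    stat -c '%y' "$1" 2>/dev/null || stat -f '%Sm' "$1"
}

# Print one line per difference between backup ($1) and live ($2):
#   ADDED    <path> (mtime ...)   file exists only in the live tree (uploads)
#   REMOVED  <path>               file existed in the backup but is gone
#   MODIFIED <path> (mtime ...)   file exists in both but contents differ
webroot_diff() {
    backup=$1
    live=$2
    work=$(mktemp -d)
    list_files "$backup" > "$work/backup.lst"
    list_files "$live"   > "$work/live.lst"

    LC_ALL=C comm -13 "$work/backup.lst" "$work/live.lst" | while IFS= read -r f; do
        printf 'ADDED     %s  (mtime %s)\n' "$f" "$(mtime_of "$live/$f")"
    done
    LC_ALL=C comm -23 "$work/backup.lst" "$work/live.lst" | while IFS= read -r f; do
        printf 'REMOVED   %s\n' "$f"
    done
    LC_ALL=C comm -12 "$work/backup.lst" "$work/live.lst" | while IFS= read -r f; do
        if ! cmp -s "$backup/$f" "$live/$f"; then
            printf 'MODIFIED  %s  (mtime %s)\n' "$f" "$(mtime_of "$live/$f")"
        fi
    done
    rm -rf "$work"
}

# Walk backup snapshots given in chronological order and report the first one
# that contains $1; the file was uploaded between that snapshot and the one
# before it. Returns 1 if no snapshot contains the file.
first_seen() {
    rel=$1
    shift
    prev=""
    for snap in "$@"; do
        if [ -e "$snap/$rel" ]; then
            printf '%s appeared between %s and %s\n' "$rel" "${prev:-(before first snapshot)}" "$snap"
            return 0
        fi
        prev=$snap
    done
    printf '%s not present in any snapshot\n' "$rel"
    return 1
}

# Constructed fixture: two dated backups plus a "live" webroot. Names, paths
# and contents are assumptions made for this example only.
make_fixture() {
    base=$(mktemp -d)
    for d in backup-2022-05-01 backup-2022-06-01 live; do
        mkdir -p "$base/$d/blog"
        printf '<?php echo "hello";\n' > "$base/$d/index.php"
        printf '$site_name = "example";\n' > "$base/$d/blog/config.php"
    done
    # Existed in the clean snapshot, later removed from the live tree.
    printf 'old notes\n' > "$base/backup-2022-05-01/README"
    # Changed in the live tree: shows up as MODIFIED.
    printf '$site_name = "example";\n$maintenance = true;\n' > "$base/live/blog/config.php"
    # Stand-ins for the webshell and the text file next to it; placeholders only.
    for d in backup-2022-06-01 live; do
        printf '<?php /* constructed stand-in for the uploaded wso.php */\n' > "$base/$d/wso.php"
        printf 'placeholder-not-a-real-password\n' > "$base/$d/pw.txt"
    done
    printf '%s\n' "$base"
}

FIXTURE=$(make_fixture)
webroot_diff "$FIXTURE/backup-2022-05-01" "$FIXTURE/live"
first_seen wso.php "$FIXTURE/backup-2022-05-01" "$FIXTURE/backup-2022-06-01"
```

Against real data you would call it as `webroot_diff /mnt/backups/2022-05-01/var/www /var/www`, and pass the dated backup directories to `first_seen` oldest first. Run it from a rescue system or against a copy of the disk rather than from a shell on the compromised host: a webshell runs as www-data, but anything that did escalate could make the live system's own tools lie, which is one more reason the rebuild advice above stands.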

On Sun, Sep 3, 2023, 11:55 AM jeffv via plug <plug@lists.phillylinux.org> wrote:
That sucks.
Do a little research on it, but in the interest of security, always
rebuild. Hopefully the research will allow you to discover the vector,
if the person who wrote wasn't correct. If correct, check with your
host. Might be a good idea to check with them regardless.

Ask yourself what's the worst that can happen either way and you have
your answer.

Good luck.



On 9/3/23 05:58, Casey Bralla via plug wrote:
> This morning, I received this eMail.  Originally I thought it was a
> scam, but looks like it might be true.  Here is the eMail (with redacted
> specifics)
>
>
>     Hello Casey,
>     Your cloud server that is hosting: [URL] and [URL] has been
>     compromised on 2022-05-28 at 21:58, server time. I am not the threat
>     actor, I stumbled across your server in a Shodan search.
>     Your server with IP [IP Address] and [URL] has directory listing
>     enabled and you can see a webshell present there, wso.php. This
>     probably happened because your server shares the webroot with rsync
>     without authentication, someone used this to upload the webshell.
>     The webshell has a default password of ghost287, is run with the
>     permissions of the www-data user so it's not possible to do heavy
>     damage without escalating privileges but I highly encourage you to
>     remove it to prevent further problems for your server.
>     Please answer if you need help to remove the webshell.
>     Kind regards
>
> The file wso.php was present in /var/www along with another text file
> that looked like it had a password in it.  I've deleted those files. 
> But I'm wondering what my next course of action should be?
>
> Should I completely shutdown and rebuild the servers (not too hard, I've
> got copies of the important files)?
>
> Should I ask the author of this eMail for help as he offered?
>
> Should I delete the 2 files and forget about it?
>
> Obviously, I will be changing passwords, but could a bad person already
> have penetrated enough to see me change them and get the new passwords also?
>
> Any advice would be appreciated.
>
>
> --
> LEGAL NOTICE:  This eMail contains private, personal, and/or privileged
> information and is only for the intended recipient(s).  In fact, you
> really should consider yourself honored to even be cc'd on this
> tremendously important communication.  The author spent literally
> seconds composing this magnificent opus of rational thought and
> deductive logic.  Unfortunately, it has probably been based on
> inaccurate data, which really stinks because this eMail would have been
> truly awesome!  If you have received this eMail in error, we
> respectfully DEMAND that you immediately delete it and inform the sender
> that you have received it in error.  Then, just to be safe, you should
> reformat your hard drive, shave your head, renounce all material
> possessions (which are really controlling your life anyway), and join an
> end-of-times cult somewhere.  Once there, you must reconsider all the
> terrible choices you've made in your life, and promise never to confuse
> "sex" with "gender" again.  Of course, this assumes you have already
> come to terms with your inherent whiteness, AND that you have learned
> the lyrics to The Internationale. "Arise, wretched of the earth!  Arise,
> convicts of hunger..."
> (https://en.wikipedia.org/wiki/The_Internationale)
> We sincerely hope you are able to get your medication stabilized and no
> longer have that recurring dream where you're alone in a large crowd,
> standing naked in a vat of chocolate Yoo-hoo.  BTW, Yoo-hoo really is an
> underrated beverage.  It’s chocolatey, yet surprisingly refreshing. Pick
> up a 6-pack today, and tell your friends!
>
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug