Rich Freeman via plug on 3 Sep 2023 12:34:30 -0700



Re: [PLUG] Malware Webshell Infection. - Advice Needed


On Sun, Sep 3, 2023 at 2:07 PM Rachel plays Linux via plug
<plug@lists.phillylinux.org> wrote:
>
> Jeff's advice is perfect here. You should do a rebuild from scratch after checking through your backups and running diffs to see when that wso file popped up and if there were any other changes you might not have made.

++

It is best to separate the software from the content, and have
everything in an offline scm (git/etc).  If something like this
happens, just fix the exploit on the software side in the scm, and
then deploy a new host, and then load the data from your scm.

That obviously applies to static stuff.  If the application stores
data the separation of concerns still applies.  All the stuff you care
about should be in a database or file/object store where nothing gets
executed, so there shouldn't be anything nefarious in there.

I'm not quite 100% at this point but just about everything new that I
deploy works this way.  I'm a big fan of containers for this reason.
Solutions like docker/k8s basically work that way by default - when it
is time to update your software you just delete the server and deploy
a new one, and it attaches to the existing data.

Sure, you can try to find everything they messed with, but that's a
cat and mouse game, and if you miss something then you will continue
to have an intrusion, which you might not even realize until somebody
helpfully (or not so helpfully) points it out to you again.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
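Rachel's suggestion of diffing against backups and Rich's point that the software tree should live in an offline SCM both come down to the same check: compare the deployed web root against a known-good tree and flag anything that is not in it. The following is an added example, not code from the thread; it builds a constructed two-file "checkout" and a tampered deployed copy in a temp directory, and the file names are made up for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_deployment(clean_root, deployed_root):
    """Return (added, modified, missing) relative paths of the deployed tree
    versus the known-good checkout. 'added' is where a dropped file such as
    the wso webshell shows up; 'modified' catches edits to tracked files."""
    clean = hash_tree(clean_root)
    deployed = hash_tree(deployed_root)
    added = sorted(set(deployed) - set(clean))
    missing = sorted(set(clean) - set(deployed))
    modified = sorted(p for p in clean if p in deployed and clean[p] != deployed[p])
    return added, modified, missing


def demo():
    """Constructed sample (assumption, not real data): identical checkout and
    web root, then one untracked file and one edited file in the web root."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "checkout")
        deployed = Path(tmp, "webroot")
        for root in (clean, deployed):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (root / "inc" / "db.php").write_text("<?php // db config ?>\n")
        # Changes that only exist on the deployed host, never in the SCM tree
        (deployed / "inc" / "extra.php").write_text("<?php /* not in scm */ ?>\n")
        (deployed / "index.php").write_text("<?php echo 'hello'; /* changed */ ?>\n")
        return compare_deployment(clean, deployed)


if __name__ == "__main__":
    added, modified, missing = demo()
    print("added:", added)        # ['inc/extra.php']
    print("modified:", modified)  # ['index.php']
    print("missing:", missing)    # []
```

Run the same comparison against a real checkout and web root to get the list of files to review before rebuilding; it only tells you what differs, not when it changed, so the backup-by-backup diffs Rachel describes still narrow down the date.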