What is a malware attack? How to take steps to resolve it?
Malware is a type of server compromise where malicious code is running on your server. Malware could be uploaded through SSH (if the SSH password or key is compromised), through code injection or SQL injection (uploaded through a website where input is not checked thoroughly), or through any vulnerable service running on the server.
The impact of malware on your server can include outbound attacks launched from your server, suspicious processes mining bitcoins, spam emails being sent, etc. Malware could also stay dormant and give an attacker a backdoor into the server.
- How to troubleshoot and resolve it?
- First, you need to determine the extent of the compromise by checking for suspicious processes using the ps command. If there are compromised processes running as root, you should assume the system to be root-compromised, build a new server and migrate.
To start cleaning up a server with malware, do the following:
- Check for suspicious processes and kill them and clean the files on those paths
- Turn off any services not being used
- Block all outbound connections from the server until the malware issue is resolved; alternatively, turn off all services to prevent any outbound attacks
- Check for suspicious files in your web root and any suspicious cron entries
- Check for any recently modified files using the find command. A typical example is to search for all files changed in the last 7 days: `find . -type f -ctime -7` (add `-name '*.php'` to restrict the search to PHP files)
- Check for filenames with unusual extensions
- Run an open-source malware scanner like maldet over the entire system to detect malware.
- Check the logs of SSH, the web server and any other custom service running on the server to determine how the malware attack happened. This will help you further secure the system and prevent another attack.
In general, the following steps can be taken to improve the security of the system and prevent attacks on the server:
- Use SSH keys and disable SSH password authentication to improve the security of the login process
- Run a periodic malware scanner like maldet to detect any anomalous files on the server
- Use a WAF like mod_security, or an alternative service like Cloudflare with WAF, to secure public websites
- Use a rootkit detection tool or a tripwire tool to detect suspicious activity on the server
- Periodically ensure backups for the servers are taken
Please note that this document is provided for the benefit of our customers and the community at large. E2E Networks is not responsible for any inadvertent issues arising out of trying any of the advice here or using any of the tools.
In case any of your servers at E2E Networks is compromised, please note that during the entire process we request you to communicate and kindly take immediate action to fix the issue, as a lack of response or resolution of the issue would be a contravention of the IT Act 2000 and would lead to disabling of the public network.