
My host sent a notification that says the server is infected with malware; it doesn't seem very popular. The Symantec site about this malware shows Windows machines as targets, but not CentOS.

  • Does anyone know what this malware does exactly?
  • What are the chances that this is a false alarm?
  • Can I install any easy-to-use tool that can safely scan my system from SSH without breaking any system files?

In the last 24 hours, Symantec analysts have identified malware configured to communicate with resources on your network. The malware and your related resources are listed below.

  • MD5: b83ff89585d668c3ca96b34b44da4093
  • Detection: Backdoor.Graybird!Gen
  • ASN: 16265
  • Description: www.dymll.com, 82.192.XXX.XXX, 82.192.XXX.0/19, ripencc, NL, FIBERRING LeaseWeb B.V., NL

Please use this information to investigate the potential abuse of your network, and take corrective actions based on your own internal procedures.

adrianTNT

1 Answer

It is possible your server doesn't run the malware itself, but a command and control or relay server. You should check your server thoroughly for any software that you didn't install. It is entirely possible that your server isn't actually infected, but the malware tries to communicate with your server anyway and that's what was detected.

Without completeness, you should at least run the following checks:

  • Open listen ports with netstat -nlp
  • Full portscan on open ports (e.g. with nmap)
  • chkrootkit and / or rkhunter
  • Running processes with ps auwfx
  • Inspect network traffic for suspicious packets.

If you do not know how to read these, you need to get help from a professional Linux system administrator to clean this up and you should probably reconsider running a server without the proper knowledge. There is no automated turnkey solution to remove backdoors with 100% accuracy.

Janos Pasztor
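A small check in the spirit of the first list item above, added here as an example and not part of the answer: it parses `netstat -nlp` output (a constructed sample below, not the asker's server) and prints every listening socket whose protocol, port and program name are not on an allowlist of services the administrator knows they installed. The allowlist entries and the suspicious `.x/bnc` listener are both made up for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `netstat -nlp` output; the 6667/.x/bnc line is a
# made-up example of a listener the administrator did not install.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1540/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1702/httpd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2231/.x/bnc
udp        0      0 0.0.0.0:123             0.0.0.0:*                           988/ntpd'

# Services the administrator knows about, as "proto:port:program" entries
# separated by whitespace (assumed baseline for this constructed host).
ALLOWLIST='tcp:22:sshd tcp:3306:mysqld tcp:80:httpd udp:123:ntpd'

# unexpected_listeners NETSTAT_OUTPUT ALLOWLIST
# Prints "proto port program" for each listener missing from the allowlist.
# A program shown as "-" (netstat run without root) is reported as well,
# because its owner could not be identified.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN {
            n = split(allow, a)            # whitespace-separated entries
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^(tcp|udp)/ {
            # TCP lines carry a State column; skip anything not LISTEN.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            port = $4; sub(/.*:/, "", port)         # keep text after last ":"
            prog = $NF; sub(/^[0-9]+\//, "", prog)  # strip leading "PID/"
            key = $1 ":" port ":" prog
            if (!(key in ok)) print $1, port, prog
        }'
}

# Stand-alone run against the constructed sample: prints "tcp 6667 .x/bnc".
unexpected_listeners "$SAMPLE_NETSTAT" "$ALLOWLIST"
```

On a real host, feed it the live output instead, run as root so the PID/Program column is populated: `unexpected_listeners "$(netstat -nlp 2>/dev/null)" "$ALLOWLIST"`. Anything it prints is a starting point for the ps, chkrootkit/rkhunter and traffic checks in the answer, not proof of compromise by itself.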