[SAC] [OSGeo] #2162: OSGeo6 coin mining and other malware issues - investigate and mitigate

#2162: OSGeo6 coin mining and other malware issues - investigate and mitigate
---------------------------+--------------------------------------
Reporter: robe | Owner: martin
     Type: task | Status: assigned
Priority: critical | Milestone: Sysadmin Contract 2018-I
Component: Systems Admin | Keywords:
---------------------------+--------------------------------------
In the last meeting we briefly discussed the issue of some sort of coin mining
process going on under the geotools account, which Markus Neteler spotted.

Refer to list thread:

https://lists.osgeo.org/pipermail/sac/2018-May/010001.html

https://lists.osgeo.org/pipermail/sac/2018-May/010017.html

and excerpts from last meeting transcript:

{{{
20:03:04 robe2: next topic - osgeo6 coin mining issue
20:03:04 wildintellect: we should probably start discussing the setup plan
20:03:34 robe2: wildintellect I'll add that to the end of agenda today
20:03:41 wildintellect: so I'll note this isn't the 1st time we've caught a miner on an osgeo system
20:03:47 robe2: I think that might take a bit of discussion and flow into after party
20:04:06 wildintellect: martin found one once, I can't recall which machine, I think adhoc
20:04:17 wildintellect: that was clearly injected into a website
20:04:49 markusN: hi sorry for late
20:05:04 robe2: markusN I wasn't paying attention too closely were you saying j was running under geotools account?
20:05:51 markusN: np
20:06:03 robe2: np?
20:07:08 robe2: anyway can we disable geotools LDAP account or at very least remove from ldap_shell group?
20:07:21 robe2: ping strk you around?
20:09:54 TemptorSent: Check crontab entries.
20:10:53 wildintellect: there was a note that removing users from the ldap_shell group doesn't work
20:10:54 TemptorSent: Try to determine what the means of CnC is, because backdoors or reentry ports are common with such tools.
20:11:08 markusN: I'm still convinced of resetting all accounts
20:11:19 wildintellect: TemptorSent, do you have access to that machine to poke around?
20:11:31 TemptorSent: No idea, and I'd rather not try.
20:12:03 markusN: (and I'm in Germany with totally crappy mobile connection... on and off)
20:12:05 TemptorSent: It's asking for a compromise of passwords.
20:12:26 markusN: mhh
20:12:27 TemptorSent: Anyone logging in with a password should subsequently reset their passwords.
20:12:45 wildintellect: ya that's part of the greater need to move to key based
20:12:57 TemptorSent: Trojaning SSH is a time-honored tradition.
20:13:01 wildintellect: Martin will have a way to key based login as root
20:13:06 wildintellect: I believe I have that too
20:13:10 robe2: TemptorSent didn't see any jobs running under geotools account
20:13:14 wildintellect: so I could add more keys
20:13:15 robe2: that was first thing I checked
20:13:47 TemptorSent: depending on how good the hacker/kit, they may be cloaked as 'nobody' even.
20:14:18 TemptorSent: A good trick is to pick the name of a running process, clone it, and restart yourself periodically.
20:14:49 robe2: wildintellect you know if Martin has used up his contract yet?
20:14:59 TemptorSent: To be honest, I wouldn't trust much of anything without having proper logs and an audit list to check against.
20:15:01 robe2: or can we assign him to look into this issue further
20:15:02 wildintellect: no idea, strk was overseeing that
20:15:20 robe2: and strk appears to be asleep :slight_smile:
20:15:57 robe2: as I recall I think we asked Martin in last meeting and he said he still had time but got tied up with other emergencies in past 2 weeks or so
20:16:09 robe2: he was going to start putting in more time this coming week.
}}}

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2162>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.
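As an added illustration of the triage steps raised in the transcript (check crontab entries, look for a miner cloaked under a borrowed process name or as 'nobody', check the binaries on disk), here is example code that is not from the ticket or from OSGeo: it flags processes whose /proc comm name does not match the binary they run, whose binary was unlinked after start, or that live outside package-managed paths, and it dumps every active cron line. TRUSTED_DIRS, MINER_HINTS and the cron paths are assumptions to adjust for the host; run it as root for a complete view of other users' processes.

```python
import os
import re

TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/", "/lib/", "/lib64/", "/opt/")  # assumed install paths
MINER_HINTS = re.compile(r"stratum\+(tcp|ssl)://|--donate-level", re.I)  # pool-miner arguments

def classify_process(comm, exe, cmdline=""):
    """Reasons a process looks cloaked or miner-like; [] means unremarkable.
    comm = /proc/PID/comm (what ps shows), exe = /proc/PID/exe link target."""
    reasons = []
    if exe.endswith(" (deleted)"):  # binary removed from disk, process lives on
        reasons.append("binary unlinked after start")
    elif exe and not exe.startswith(TRUSTED_DIRS):
        reasons.append("binary outside system paths: " + exe)
    base = os.path.basename(exe.replace(" (deleted)", ""))
    # comm defaults to the binary name (15 chars max); a borrowed name such as 'kworker' on an unrelated binary mismatches
    if base and not (base.startswith(comm) or comm.startswith(base)):
        reasons.append("name mismatch: comm=%r exe=%r" % (comm, base))
    if MINER_HINTS.search(cmdline):
        reasons.append("mining-pool arguments in command line")
    return reasons

def scan_proc(root="/proc"):
    """Walk a proc filesystem; return {pid: reasons} for flagged processes."""
    flagged = {}
    for pid in (filter(str.isdigit, os.listdir(root)) if os.path.isdir(root) else ()):
        d = os.path.join(root, pid)
        try:  # kernel threads have no exe; other users' entries need root
            comm = open(os.path.join(d, "comm")).read().strip()
            exe = os.readlink(os.path.join(d, "exe"))
            raw = open(os.path.join(d, "cmdline"), "rb").read()
        except OSError:
            continue
        why = classify_process(comm, exe, raw.replace(b"\0", b" ").decode("utf-8", "replace"))
        if why:
            flagged[pid] = why
    return flagged

def cron_entries(paths=("/etc/crontab", "/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs")):
    """(file, line) for every active line in the system and per-user crontabs."""
    found = []
    for p in paths:
        files = [os.path.join(p, f) for f in os.listdir(p)] if os.path.isdir(p) else [p]
        for f in files:
            try:
                with open(f) as fh:
                    found += [(f, l.strip()) for l in fh if l.strip() and not l.startswith("#")]
            except OSError:  # missing, unreadable without root, or a subdirectory
                pass
    return found
```

Anything flagged by scan_proc is a lead to confirm with the package manager's verification of the binary and with the logs, not a verdict on its own.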

Comment (by martin):

As discussed in today's SAC meeting, I'll pursue a check of the system
binaries for known suspects.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2162#comment:1>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.