It is now a fact that Linux is quietly taking over the world as a trusted and easy-to-use operating system. It is widely used in both server and desktop environments. Gaining popularity, however, has its advantages and disadvantages.
When we talk of the disadvantages of any OS, we mean the vulnerabilities that can be exploited and the loopholes that can be hacked, and then the different methods used to hack them: the malware. Nowadays the most common malware attacking Linux is Trojans and Bitcoin miners. They have become a headache for the Linux system administrator.
When a Trojan or Bitcoin miner attacks a Linux system, it starts increasing CPU utilization and generates heavy network traffic. The strength of these processes is their capability to regenerate under different names. This malware mostly gains entry via network services, usually through a web service running on the system.
Some common methods used by malware:
1) Creates a cron job in /etc/cron.d/ or /etc/cron.hourly, or adds an entry in /etc/crontab.
2) Creates services in /etc/init.d/ and then arranges for them to start at the various system run levels, i.e. in /etc/rc.*.d.
3) Some add a file at /lib/libudev.so. This is a 32-bit file, also found on 64-bit machines.
4) Some malware executes behind another binary.
5) Some leave randomly named binaries in /bin and /usr/bin.
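As an added example (not code from the original post), the following POSIX shell script walks the persistence locations just listed and prints one line per finding. It takes a root directory, so it can be pointed at a mounted disk image or a test tree as well as a live host; the seven-day "recently changed" window, the crontab heuristic (entries that run from /tmp, /var/tmp or /dev/shm, or pipe a download into a shell) and the finding labels are this example's own assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example, not code from the original post: walk the persistence
# locations listed above and print one line per finding. ROOT lets the
# audit run against a mounted image or a test tree; DAYS is the window for
# "recently changed". Which crontab entries count as suspicious (scratch
# directories, a download piped into a shell) is this example's own heuristic.

scan_persistence() {
    root="${1:-/}"
    days="${2:-7}"
    # 1) cron drop-in directories: files changed within the window
    for d in etc/cron.d etc/cron.hourly etc/cron.daily; do
        [ -d "$root/$d" ] || continue
        find -H "$root/$d" -maxdepth 1 -type f -mtime -"$days" 2>/dev/null |
            sed 's/^/RECENT_CRON /'
    done
    # 1b) /etc/crontab lines that run from scratch dirs or pipe a download into sh
    if [ -f "$root/etc/crontab" ]; then
        grep -nE '(/tmp/|/var/tmp/|/dev/shm/|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh)' \
            "$root/etc/crontab" 2>/dev/null |
            grep -vE '^[0-9]+:[[:space:]]*#' | sed 's/^/CRONTAB_ENTRY /'
    fi
    # 2) init scripts and run-level symlinks added within the window
    for d in "$root"/etc/init.d "$root"/etc/rc*.d; do
        [ -d "$d" ] || continue
        case "${d##*/}" in rc*.d) tag=RECENT_RC ;; *) tag=RECENT_INIT ;; esac
        find -H "$d" -maxdepth 1 \( -type f -o -type l \) -mtime -"$days" 2>/dev/null |
            sed "s/^/$tag /"
    done
    # 3) the post's indicator: a loose /lib/libudev.so (distributions ship the
    #    real library as a versioned libudev.so.N in the library directory)
    [ -e "$root/lib/libudev.so" ] && echo "LIBUDEV $root/lib/libudev.so"
    # 5) binaries that appeared or changed in /bin and /usr/bin within the window
    for d in bin usr/bin; do
        [ -d "$root/$d" ] || continue
        find -H "$root/$d" -maxdepth 1 -type f -mtime -"$days" 2>/dev/null |
            sed 's/^/RECENT_BIN /'
    done
    return 0
}

# Wrapper: print the findings plus a count; exit status 1 when anything was found.
audit_persistence() {
    findings=$(scan_persistence "$@")
    if [ -z "$findings" ]; then
        echo "FINDINGS 0"
        return 0
    fi
    printf '%s\n' "$findings"
    echo "FINDINGS $(printf '%s\n' "$findings" | grep -c '')"
    return 1
}

# Live use (as root): sh audit_persistence.sh --run / 7
if [ "${1:-}" = "--run" ]; then
    audit_persistence "${2:-/}" "${3:-7}"
fi
```

A RECENT_BIN or RECENT_INIT hit is not proof on its own: a package update touches /usr/bin and /etc/init.d too, so confirm with the package manager's verification (rpm -V, or debsums on Debian-based systems) before acting on it. The libudev.so and crontab findings are the ones worth looking at first, because normal administration rarely produces them.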
Mitigation strategies: in Linux, such malware can be handled quite easily. Commands that can be used to analyse the system and take the necessary actions:
1) When server utilization is very high without reason, the first command to use is top.
#top -H -c
-H displays all individual threads
-c displays the full command line of each process
Check for the process with the highest CPU utilization.
2) Check for any unusual or suspicious cron jobs in /etc/cron.d/ and /etc/cron.hourly, and check every entry in /etc/crontab.
3) Check for any unknown binaries in /bin and /usr/bin.
4) Check for any Internet traffic connecting to C&C servers or other blacklisted IPs, using the commands below:
#netstat -tunpl
#lsof -i
These show the processes and open files (sockets) connected to the Internet. Last but not least, there are many other ways to detect and act against malware.
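As an added example that is not part of the original post, the script below turns steps 1 and 4 into checks that read the tool output on stdin, so they work on a saved capture as well as a live host. flag_cpu takes the thread view from ps -eLo pid,lwp,pcpu,comm,args --sort=-pcpu (the same data top -H -c shows, in batch form) and flags busy threads that run from a scratch directory or whose process name does not match their executable (the "executes behind another binary" trick); flag_connections takes netstat -tunp output plus an IP blocklist file; exe_origin resolves a flagged PID's real binary on a live host. The 20% threshold, the scratch-directory list, the sample tables, the PIDs, the program names and the TEST-NET addresses are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. It turns the post's
# triage steps (top -H -c, netstat -tunp, a blocklist of C&C addresses)
# into checks that read tool output on stdin. Thresholds, the
# scratch-directory heuristic, the sample tables and the blocklist are all
# this example's own constructed assumptions.

# Threads above THRESHOLD %CPU from `ps -eLo pid,lwp,pcpu,comm,args --sort=-pcpu`
# (the same view as top -H -c, in batch form). Flags a thread whose binary
# runs from a scratch directory, or whose comm name does not match the
# executable (the post's "executes behind another binary").
flag_cpu() {
    threshold="${1:-20}"
    awk -v th="$threshold" '
        $3 !~ /^[0-9.]+$/ { next }            # header line
        $3 + 0 < th       { next }            # below the CPU threshold
        {
            pid = $1; lwp = $2; cpu = $3; comm = $4; exe = $5
            base = exe; sub(/.*\//, "", base); sub(/:$/, "", base)
            if (exe ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//)
                print "FLAG high_cpu_scratch_dir pid=" pid " lwp=" lwp " cpu=" cpu " exe=" exe
            else if (index(base, comm) != 1)   # comm is truncated to 15 chars: prefix-match
                print "FLAG high_cpu_name_mismatch pid=" pid " lwp=" lwp " cpu=" cpu " comm=" comm " exe=" exe
            else
                print "OK high_cpu pid=" pid " lwp=" lwp " cpu=" cpu " exe=" exe
        }'
}

# Connections from `netstat -tunp` whose peer is on the blocklist, or whose
# program name is hidden (starts with a dot). Listening sockets are skipped.
flag_connections() {
    blocklist="$1"
    awk -v bl="$blocklist" '
        BEGIN { while ((getline ip < bl) > 0) if (ip != "" && ip !~ /^#/) bad[ip] = 1 }
        $1 !~ /^(tcp|udp)/ { next }           # banner and header lines
        {
            peer = $5; sub(/:[^:]*$/, "", peer)                 # drop :port
            if (peer == "0.0.0.0" || peer == "::" || peer == "*") next
            n = split($NF, pp, "/"); pid = pp[1]; prog = (n > 1) ? pp[2] : "?"
            if (peer in bad)
                print "FLAG blocklisted_peer pid=" pid " prog=" prog " peer=" peer
            else if (prog ~ /^\./)
                print "FLAG hidden_program_name pid=" pid " prog=" prog " peer=" peer
        }'
}

# On a live host: where does a flagged PID's binary really live? Needs root for
# other users' processes; prints "unknown" where /proc/PID/exe cannot be read.
exe_origin() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || { echo "unknown"; return 0; }
    case "$exe" in
        *"(deleted)"*)                echo "deleted_binary $exe" ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "scratch_dir $exe" ;;
        *)                            echo "ok $exe" ;;
    esac
}

# Constructed sample output in the layout ps and netstat print on a hit host.
sample_ps() {
    cat <<'EOF'
  PID   LWP %CPU COMMAND         COMMAND
 2419  2421 97.3 kdsfhjk         /tmp/.x/kdsfhjk -c /tmp/.x/cfg
 2433  2433 43.0 sshd            /usr/bin/.x
 1021  1022 35.5 nginx           nginx: worker process
 2419  2419  0.4 kdsfhjk         /tmp/.x/kdsfhjk -c /tmp/.x/cfg
  812   812  0.0 sshd            /usr/sbin/sshd -D
EOF
}
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1021/nginx
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 812/sshd
tcp        0      0 10.0.0.5:49152          203.0.113.77:4444       ESTABLISHED 2419/kdsfhjk
udp        0      0 10.0.0.5:38211          198.51.100.8:3333       ESTABLISHED 2419/kdsfhjk
tcp        0      0 10.0.0.5:49160          192.0.2.10:443          ESTABLISHED 2433/.x
EOF
}
sample_blocklist() { printf '# constructed blocklist (TEST-NET addresses)\n203.0.113.77\n198.51.100.8\n'; }

run_sample() {
    bl=$(mktemp)
    sample_blocklist > "$bl"
    echo "== cpu =="; sample_ps | flag_cpu 20
    echo "== net =="; sample_netstat | flag_connections "$bl"
    rm -f "$bl"
}

# Live use (root): ps -eLo pid,lwp,pcpu,comm,args --sort=-pcpu | flag_cpu 20
#                  netstat -tunp | flag_connections /path/to/blocklist.txt
if [ "${1:-}" = "--demo" ]; then run_sample; fi
```

On hosts where netstat is no longer installed, ss -tunp prints the same information in a different column layout, so the awk field numbers would need adjusting. Treat a blocklist hit as a starting point rather than a verdict: resolve the PID with exe_origin and preserve a copy of the binary before killing the process, since the post notes these miners regenerate under new names and the persistence entries from the earlier list will need removing too.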