Recently, malware infection has been confirmed on some Linux servers being operated by our laboratory.
Server personnel in laboratories operating servers should refer to the following and make every effort to prevent damage.
- NEXT -
1. Request for Cooperation
a. Check your lab server for the following symptoms of malware infection
b. Follow these steps if you identify symptoms of a look-alike infection
2. Symtoms of Malware insfection
a. CPU usage sustained above 99
b. CPU-hogging processes not being identified
c. When checking the etstat command, check for external IP and TCP 90/443/3333 communication connectivity
d. CPU usage returns to normal after unplugging the LAN cable
3. How to Check
No. | Checklist | Command | Comment |
1 | Check connection logs | last -F | Check for access from an IP other than the management terminal (PC) |
2 | Check for unauthorized accounts | cat /etc/passwd | Check for accounts with "UID 0" that were not created by an administrator |
3 | Check network status | netstat -an | Check for unused IP or port |
4 | Check for system file tampering | ls -alct (/bin or /usr/bin folder) | Check for OS defaults that haven't been changed by an administrator but have changed recently |
4. Method of measures
Method | Comment |
Interim measures (If you need to back up your data) | 1. Allow connections only to terminal IPs that are connected by a server firewall (e.g., IPTABLE function), and block all other communications. 2. If infection symptoms are the same as above, server firewall advisory policy (applied in order) a. [Block] Server IP → ANY IP : 80/443/3333 Drop B. [Allow] Permitted IP → Server IP : Port used for connection Allow C. [Block] ANY IP → ANY IP : 80/443/3333 Drop [Block] ANY IP → Server IP : ANY Port Drop * Permitted IPs : Terminals that connect to the server in the lab, and other IPs that need to communicate. |
Recommended action | 1. Rebuild the compromised server 2. Reconstruction sequence: Backup data → Reinstall OS → Apply security settings → Reconfigure server * [Reference] Server Security Settings Guide: https://url.kr/r6yjtk
|
5. Notify : Complete attached file and submit it to 'security@korea.ac.kr'
6. Contact : Information Infra Dept.(02-3290-4196, 4191)