AtulHon
Level 9
Message 1 of 4

Malware events triggering frequently on CentOS

Hello Community members,

We have been seeing a lot of events on one of the Linux hosts, and they all have the same details and are successfully handled. This is an Artemis detection. I assume curl is trying to execute some commands; however, I'm not sure how to troubleshoot this scenario and get to the root cause of it. As per VirusTotal information, this appears to be a crypto-mining related attempt.

Please advise how we can investigate:

- What curl is trying to execute

- Where these jobs are scheduled to run and what they are

[Attachment: Malware.JPG]
3 Replies
patrakshar
Employee
Message 2 of 4

Re: Malware events triggering frequently on CentOS

The drive where you are seeing this detection, is it shared with other users?

Once we have deleted the file from the location and it comes back again, that means some other process is creating it, if not locally then remotely.

If your Artemis Level for OAS is set to Medium, then trigger an ODS (preferably offline) on that Linux box with the same Artemis Level.

Once the ODS is complete, check if you are still seeing the detection from OAS.

Curl is a shared library here, so there is definitely some other application which is using it to trigger these events.

AtulHon
Level 9
Message 3 of 4

Re: Malware events triggering frequently on CentOS

Thanks patrakshar,

Not sure if it's been shared with others.
I have validated in the SIEM whether there are any connections to this server from outside; however, I couldn't find any suspicious connections. They are getting detected / deleted and there are no pending-deletion malware events, so would scanning the server offline still be helpful? These are generating almost every minute.

So I was looking for some guidance on how to check curl execution history and some commands which will be helpful to see which process is creating it.
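The two questions in this thread (what curl is being asked to run, and which scheduled job or parent process keeps recreating the file) can be answered from the host itself. The script below is an added example written for this reply; it is not code from the thread or from the ENS product. It assumes a CentOS host with cronie, systemd and auditd installed, root privileges, and POSIX sh. Function names, the audit key `ens_recreate`, and the sample crontab lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the product): triage helpers for a
# CentOS host where the on-access scanner keeps catching a file that curl
# recreates. Assumes root, cronie, systemd and auditd. All names constructed.

# 1. Filter crontab-style text for jobs that call curl or wget.
#    Reads the file named in $1, or stdin when no argument is given.
#    Output is "lineno:line"; comment lines are dropped.
find_download_jobs() {
    grep -nE '(^|[[:space:]/])(curl|wget)([[:space:]]|$)' "${1:--}" \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}

# 2. Dump every place a recurring job can be defined on CentOS: system and
#    per-user crontabs, the cron.* directories, anacron and systemd timers.
dump_scheduled_jobs() {
    for f in /etc/crontab /etc/anacrontab /etc/cron.d/* /etc/cron.hourly/* \
             /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/* \
             /var/spool/cron/*; do
        [ -f "$f" ] || continue
        printf '=== %s ===\n' "$f"
        cat -- "$f"
    done
    # systemd timers are the second scheduler on CentOS 7/8
    command -v systemctl >/dev/null 2>&1 && systemctl list-timers --all --no-pager
}

# 3. Show running curl processes together with the parent that launched them.
#    The [c]url trick keeps the awk process itself out of the match.
show_curl_parents() {
    ps -eo pid,ppid,user,args | awk 'NR==1 || /[c]url/ {print}'
    for pid in $(pgrep -x curl 2>/dev/null); do
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        printf 'curl pid %s started by pid %s: ' "$pid" "$ppid"
        tr '\0' ' ' < "/proc/$ppid/cmdline"
        echo
    done
}

# 4. Record which process recreates a file: place an audit watch on the path
#    the scanner reports, wait for the next detection, then query the log.
watch_recreated_file() {
    path=$1
    command -v auditctl >/dev/null 2>&1 || { echo "auditd not installed" >&2; return 1; }
    auditctl -w "$path" -p wa -k ens_recreate
    echo "After the next detection run: ausearch -k ens_recreate -i"
}

# Usage (as root):  . ./triage.sh
#   dump_scheduled_jobs | find_download_jobs   # cron/anacron entries using curl or wget
#   show_curl_parents                          # who is launching curl right now
#   watch_recreated_file /path/from/ENS/event  # then ausearch -k ens_recreate -i
```

Step 2 piped into step 1 answers "where is this scheduled"; step 3 answers "which process is doing it" when curl is still running at the time you look; step 4 catches the writer even when it is short-lived, because the audit record names the executable and pid that performed the write. The ausearch output is also what is worth pairing with the ENS logs requested later in this thread.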
patrakshar
Employee
Message 4 of 4

Re: Malware events triggering frequently on CentOS

The suggestion of offline scanning was given considering that the machine is shared with others. If that is not the case, then you can directly trigger the ODS.

From the logging side we can only capture what is written within the logs. So if you can share the logs from the opt/isec/ens/threatprevention/var/ location, we can check more details.
