[RESOLVED] Router reboots when I connect this machine

Issues related to configuring your network
TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: [RESOLVED] Router reboots when I connect this machine

Post by TrevorH » 2015/02/18 18:25:21

You need to watch the network traffic and find out what it is that's going out and then you can work out why it appears and where it comes from. The chances that any "infection" came from any reputable repo is slim to non-existent. Mostly things like this come from insecure web servers or other network related packages that are not properly secured. You'll need to image the system, reinstall it and examine the image in a safe environment while you track down what is doing this. Once you know what that is, then you can find out how it got there.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

sthames42
Posts: 3
Joined: 2015/02/18 17:45:34
Location: El Dorado Hills, CA

Re: [RESOLVED] Router reboots when I connect this machine

Post by sthames42 » 2015/02/18 18:39:59

Thanks for responding so quickly, Trevor.

I have tried lsof -l which gave me nothing.

I tried nethogs which gave me the pid but it kept changing and any pid listed was for a process that no longer was running. I assume this is from one app generating a one-shot thread for each network access.

tcpdump gave me the target IP address which was one of many in China but nothing more.

Again, while finding the culprit is an interesting intellectual exercise, my real question is how to protect against it? We only use these servers for HTTP/S access. Could something be introducing the malware this way? If in the kernel, how did it get there?
TrevorH wrote: You'll need to image the system, reinstall it and examine the image in a safe environment while you track down what is doing this.

What do you mean by image the system? To me, it means to reinstall the OS. I take it from your quote that's not what it means?
Optimism is a Way of Life!
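The pid that vanishes before nethogs can show it is the usual symptom of a one-shot child. The following is an added example, not code from the thread, that reads /proc/net/tcp directly (the same table nethogs and ss read), decodes the hex remote address, and maps the socket inode back to a pid through /proc/*/fd; polled fast enough it catches connections that live only milliseconds. The function names, the polling interval and the placeholder IP in the usage line are my own, and the table used when testing it is a constructed copy, not a capture from the poster's machine.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find which process owns a connection
# to a given IP by reading /proc/net/tcp directly and mapping the socket
# inode to a pid.  A one-shot child may live only milliseconds, so the
# watcher polls rapidly and logs the command line the instant it appears.

# /proc/net/tcp stores IPv4 addresses as 8 hex digits in host byte order
# (little-endian on x86): 0100007F:0050 is 127.0.0.1:80.
hex_to_ip() {
    local h=$1
    printf '%d.%d.%d.%d' "0x${h:6:2}" "0x${h:4:2}" "0x${h:2:2}" "0x${h:0:2}"
}

hex_to_port() {
    printf '%d' "0x$1"
}

# Print "ip:port state inode" for each row whose remote address is $1.
# $2 is the table to read (default /proc/net/tcp); a saved copy can be
# passed instead, which is how this is tested offline.
# State 01 is ESTABLISHED, 02 is SYN_SENT (what you mostly catch for a
# short-lived beacon).
sockets_to() {
    local target=$1 table=${2:-/proc/net/tcp}
    local sl laddr raddr st rest ip port inode
    # columns: sl local rem st tx:rx tr:tm retrnsmt uid timeout inode ...
    tail -n +2 "$table" | while read -r sl laddr raddr st rest; do
        ip=$(hex_to_ip "${raddr%%:*}")
        [ "$ip" = "$target" ] || continue
        port=$(hex_to_port "${raddr##*:}")
        inode=$(printf '%s\n' "$rest" | awk '{ print $6 }')
        printf '%s:%s %s %s\n' "$ip" "$port" "$st" "$inode"
    done
}

# Print "pid cmdline" for every process holding socket inode $1.
# Run as root, otherwise other users' /proc/<pid>/fd is unreadable.
pid_for_inode() {
    local inode=$1 fd pid
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# Loop until a connection to $1 shows up, then record time, state, pid
# and command line.  $2 is the poll interval in seconds (default 0.2).
watch_for() {
    local target=$1 interval=${2:-0.2} ep st inode
    while :; do
        sockets_to "$target" | while read -r ep st inode; do
            printf '%s %s state=%s inode=%s ' "$(date +%T)" "$ep" "$st" "$inode"
            pid_for_inode "$inode"
        done
        sleep "$interval"
    done
}

# Usage on the infected box (the IP is a placeholder for the address
# tcpdump showed you):
#   watch_for 203.0.113.5 | tee /root/outbound.log
```

If even a 0.2 s poll misses it, let the kernel do the catching instead: `auditctl -a always,exit -F arch=b64 -S connect -k outbound` logs every connect() call with the pid, executable and uid, and `ausearch -k outbound` pulls the records back out; no polling window to lose.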

TrevorH

Re: [RESOLVED] Router reboots when I connect this machine

Post by TrevorH » 2015/02/18 23:25:37

By "image the system" I mean: boot from rescue media, preferably readonly, then take an image of your current filesystems using something like dd to an external disk. So if you have a /boot and a single LVM LV then you'd run dd if=/dev/sda1 of=/my/external/disk/boot.img and dd if=/dev/mapper/VolGroup-LogVolXX of=/my/external/disk/root.img so that you have a copy of the contents of the disk as it is now. Once that's done you can reinstall. Now take the external disk to a safe machine and mount it readonly there, take a copy of the original img files and loopback mount those, again readonly and this time noexec. Now you can peruse the content of the infected machine's disk without any malware attempting to hide itself.
sthames42 wrote: We only use these servers for HTTP/S access. Could something be introducing the malware this way?
Yes, absolutely. If you have an insecure webapp or you neglected to patch php/perl/bash against any known exploits (and those are in use on your web server) then those might be used to get access to the system. Often an attacker will get access as a non-root user and then use some local vulnerability to escalate to root.
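Trevor's imaging recipe written out as an added example (not his code and not part of the thread), with the two things a practitioner wants on top of a bare dd: a hash recorded at imaging time, so the copy you analyse later can be proven identical to what you took off the disk, and a mount helper that applies ro,noexec,nosuid,nodev to a working copy rather than the original image. The device names in the usage comment are the ones from the post; the function names, the .sha256 sidecar convention and the mount points are my own, and the file the test images is a constructed 1 MiB of random bytes, not a real volume.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: image a block device (or, for
# testing, any file) with dd, record a hash so the analysis copy can be
# proven identical to the evidence, and mount a copy read-only/noexec.

# Copy $1 to $2 bit for bit and write $2.sha256 next to it.
# On a failing disk add conv=noerror,sync so dd keeps going past bad
# sectors; unreadable blocks then become zeros and the image no longer
# hashes the same as the source, so note that in your records.
image_volume() {
    local src=$1 dst=$2
    dd if="$src" of="$dst" bs=4194304 2>/dev/null || return 1
    sync
    ( cd "$(dirname "$dst")" && sha256sum "$(basename "$dst")" > "$(basename "$dst").sha256" )
}

# Return 0 if the image still matches the hash recorded when it was taken.
verify_image() {
    local img=$1
    ( cd "$(dirname "$img")" && sha256sum -c --status "$(basename "$img").sha256" )
}

# Compare the evidence and the image byte for byte (only meaningful when
# you did not pad with conv=sync).
same_content() {
    [ "$(sha256sum < "$1")" = "$(sha256sum < "$2")" ]
}

# Mount a *copy* of the image for analysis.  ro stops accidental writes,
# noexec/nosuid stop you running the attacker's binaries by mistake,
# nodev stops planted device nodes.  Needs root.
mount_image_ro() {
    local img=$1 mnt=$2 work=${img%.img}-work.img
    verify_image "$img" || { echo "hash mismatch on $img" >&2; return 1; }
    cp "$img" "$work"
    mkdir -p "$mnt"
    mount -o loop,ro,noexec,nosuid,nodev "$work" "$mnt"
}

# Typical run from rescue media with the external disk on /mnt/evidence
# (device names from the post; adjust to your box):
#   image_volume /dev/sda1 /mnt/evidence/boot.img
#   image_volume /dev/mapper/VolGroup-LogVolXX /mnt/evidence/root.img
# and later, on the analysis host:
#   mount_image_ro /mnt/evidence/root.img /mnt/analysis/root
```

Keep the original .img files untouched and do all browsing on the -work copy; if something in the analysis goes wrong you can verify_image the original and start again from a known-good copy.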

sthames42

Re: [RESOLVED] Router reboots when I connect this machine

Post by sthames42 » 2015/02/18 23:33:55

Never done that before so it will be an interesting exercise.
TrevorH wrote: If you have an insecure webapp or you neglected to patch php/perl/bash against any known exploits (and those are in use on your web server) then those might be used to get access to the system.
Where would I find information on the patches for known exploits?

TrevorH

Re: [RESOLVED] Router reboots when I connect this machine

Post by TrevorH » 2015/02/19 00:46:56

If you run yum update on a regular basis then yum will install any updates that are pending for you. If you subscribe to the CentOS Announce mailing list then you will be mailed with descriptions of patches as they are released. Subscribe first, then you can go in via the web page and edit your preferences so that you are sent only mails relating to the version/architecture that you are interested in.
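As an added example (not from the thread) of turning that advice into something cron can run: yum check-update has a non-obvious exit convention (0 means nothing pending, 100 means updates are available, anything else is an error), so a naive script under set -e treats "updates available" as a failure and a crontab that only checks for non-zero status pages you every night. The function names and the log path are my own; the nightly cron line applies updates unattended, and the yum-cron package does the same job if you would rather not write it yourself.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: a cron-friendly wrapper around
# "yum check-update".  yum's exit code is the gotcha: 0 = nothing pending,
# 100 = updates available, anything else = error.  Handle 100 explicitly
# instead of letting set -e treat it as a failure.

# Print pending updates (one per line) and return 0 if there are any,
# 1 if the system is current, 2 if yum itself failed (repo unreachable,
# broken metadata, ...).
pending_updates() {
    local out rc
    if out=$(yum -q check-update 2>&1); then rc=0; else rc=$?; fi
    case $rc in
        100) printf '%s\n' "$out"; return 0 ;;
        0)   return 1 ;;
        *)   printf 'yum error (%s): %s\n' "$rc" "$out" >&2; return 2 ;;
    esac
}

# Print the number of packages with an update pending (0 when current);
# returns 2 when yum failed so the caller can tell "current" from "broken".
pending_count() {
    local list rc
    if list=$(pending_updates); then rc=0; else rc=$?; fi
    case $rc in
        0) printf '%s\n' "$list" | grep -c '^[^[:space:]]' ;;
        1) echo 0 ;;
        *) return "$rc" ;;
    esac
}

# Nightly cron entry for root (crontab -e); log path is my own choice:
#   30 3 * * * /usr/bin/yum -y update >> /var/log/yum-nightly.log 2>&1
# Equivalent packaged option on CentOS 6:
#   yum install yum-cron && chkconfig yum-cron on && service yum-cron start
```

Updates to the kernel, glibc or openssl only take effect after a reboot or a service restart, so a box that applied the patch at 03:30 can still be running the old code; check uptime and restart the daemons you patched.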
