Goal of this article: use a currently spreading Unix/Linux exploit as a practical example for writing simple Nagios and Check_MK local checks.

 

Windigo is a trojan sitting on many, mostly CentOS based, Linux servers. It is said to come in via stolen passwords only, but it has gone undetected for a pretty long time. Its sibling (or daddy?), Ebury, is somehow linked to it.

 

 

1. Nagios Check

Here I'll show how to make a local Nagios check that uses one known way (based on the one in the Ars Technica article) to detect this slimy monster on your server.

Nagios
#!/bin/sh

# An example Nagios check to detect virus infection of Ebury/Windigo Virus patching
# into SSH binary/libs
# Check Source: http://confluence.wartungsfenster.de
# Author: Florian Heigl

# Nagios plugin exit codes: 0=OK 1=WARNING 2=CRITICAL 3=UNKNOWN
state=3
# A clean OpenSSH rejects the -G flag ("illegal option" / "unknown option");
# an Ebury-patched ssh accepts it silently, so no such message means infected.
ssh -G 2>&1 | grep -E '(illegal|unknown)' > /dev/null && state=0 || state=2

case $state in
   0) echo "OK - System should be clean" ;;
   2) echo "CRITICAL - System is probably infected - wipe it!" ;;
   3) echo "UNKNOWN - Could not run check" ;;
   *) echo "UNKNOWN - internal error" ; state=3 ;; # just in case.
esac

exit $state

TODO:

  • Add alert for 777 mode SHM segments from fresh Ebury attacks
  • Dig out the file of the library Ebury infected (keylib?)
  • Show max() function for alert collection

2. Check_MK local Check

 

Check_MK

Check back soon - the Check_MK local Check is coming

 

3. Hybrid check

 

Probably I'll also throw in a hybrid version for both Check_MK and plain shitty Nagios in the same script :)
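As an added example (not the article's or the author's code), here is one way the hybrid script from section 3 and the max() function from the TODO list could look: the same 'ssh -G' indicator as above, a worst-state merge, and output in either Nagios plugin or Check_MK local check format. The service name Ebury_ssh and the CHECK_FORMAT variable are assumptions made here.

```shell
#!/bin/sh
# Added example, not the article's code: a hybrid Nagios / Check_MK local
# check around the same 'ssh -G' indicator, plus a max()-style state merge.
# Assumed (made up here): the service name "Ebury_ssh" and the CHECK_FORMAT
# variable that selects the output format (nagios or checkmk).

# Map the text that 'ssh -G' printed to a Nagios state. Pre-6.8 OpenSSH
# rejects -G with "illegal option"/"unknown option"; an Ebury-patched ssh
# accepts it. Caveat: OpenSSH 6.8 and later accept -G legitimately, so on
# such hosts this indicator alone reports a false CRITICAL.
ssh_g_state() {
    printf '%s\n' "$1" | grep -Eq 'illegal|unknown' && echo 0 || echo 2
}

# Severity rank used for the max(): CRIT > UNKNOWN > WARN > OK, the order
# Check_MK uses when it aggregates several results into one "worst" state.
rank() { case "$1" in 2) echo 3 ;; 3) echo 2 ;; 1) echo 1 ;; *) echo 0 ;; esac; }

# worst_state A B: print whichever of the two states is more severe.
worst_state() {
    if [ "$(rank "$1")" -ge "$(rank "$2")" ]; then echo "$1"; else echo "$2"; fi
}

# render FORMAT STATE TEXT: one Nagios plugin line, or one Check_MK local
# check line of the form "<state> <service> <perfdata> <text>" ('-' = none).
render() {
    case "$2" in 0) label=OK ;; 1) label=WARNING ;; 2) label=CRITICAL ;; *) label=UNKNOWN ;; esac
    if [ "$1" = checkmk ]; then
        echo "$2 Ebury_ssh - $label - $3"
    else
        echo "$label - $3"
    fi
}

# Live probe of the local ssh binary; invoke as './check_ebury.sh run'.
main() {
    fmt="${CHECK_FORMAT:-nagios}"
    if ! command -v ssh >/dev/null 2>&1; then
        render "$fmt" 3 "Could not run check: no ssh binary"; exit 3
    fi
    st=$(ssh_g_state "$(ssh -G 2>&1)")
    if [ "$st" -eq 0 ]; then msg="System should be clean"
    else msg="ssh accepts -G, binary is probably Ebury-patched"; fi
    render "$fmt" "$st" "$msg"
    exit "$st"
}

if [ "${1:-}" = run ]; then main; fi
```

Extra indicators (such as the SHM segment check from the TODO list) would each produce a state that is folded in with worst_state before the single render call.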

 

Further info on the exploit(s):

See "the internets" for more detailed info on Ebury. It has been discussed, e.g. on WebhostingTalk.com, since, I think, back in 2012. For the more recent, related Windigo campaign see http://arstechnica.com/security/2014/03/10000-linux-servers-hit-by-malware-serving-tsunami-of-spam-and-exploits/