Goal of this article: use a currently spreading Unix/Linux exploit as a worked example for simple Nagios and Check_MK local checks.
Windigo is a trojan sitting on many, mostly CentOS-based, Linux servers. It is said to come in via stolen passwords only, but it has gone undetected for a pretty long time. Its sibling (or daddy), Ebury, is somehow linked to it.
1. Nagios Check
Here I'll show how to make a local Nagios check that uses one known way (based on the one in the Ars Technica article) to detect this slimy monster on your server.
- Add an alert for 777-mode shared memory (SHM) segments left by fresh Ebury attacks
- Dig out the file of the library Ebury infected (keylib?)
- Show a max() function for collecting the worst alert state
2. Check_MK local Check
Check back soon: the Check_MK local check is coming.
3. Hybrid check
I'll probably also throw in a hybrid version that serves both Check_MK and plain shitty Nagios from the same script :)
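To make the outline concrete, here is an added example (my own code, not from the original article and not from the Nagios or Check_MK projects) that covers the 777-mode SHM alert and the max() state collector from the Nagios section above, plus the hybrid Nagios/Check_MK output mode this section promises, all in one POSIX shell script. It assumes the Linux `ipcs -m` column order (key, shmid, owner, perms, bytes, nattch, status), the standard plugin exit codes 0=OK, 1=WARNING, 2=CRITICAL, 3=UNKNOWN, and a service name `Ebury_SHM` and format switch `nagios`/`cmk` that I picked for the example; the `ipcs -m` sample at the bottom is constructed, not captured from an infected host.

```shell
#!/bin/sh
# Added example check (not the article's own code): flag 777-mode SysV
# shared memory segments, collect the worst state with max(), and print
# either a Nagios plugin line or a Check_MK local-check line.
# Assumes Linux `ipcs -m` columns: key shmid owner perms bytes nattch status

OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# Severity rank used by max(): CRITICAL > WARNING > UNKNOWN > OK, so a
# parse problem is reported on its own but never hides a real hit.
rank() {
    case "$1" in
        2) echo 3 ;;
        1) echo 2 ;;
        3) echo 1 ;;
        *) echo 0 ;;
    esac
}

# max STATE_A STATE_B: print the more severe of two plugin states.
max() {
    if [ "$(rank "$2")" -gt "$(rank "$1")" ]; then echo "$2"; else echo "$1"; fi
}

# assess_shm_text IPCS_TEXT: walk every data line of `ipcs -m` output,
# rate each segment, and fold the ratings together with max().
# Prints "STATE|COUNT|DETAIL" on one line.
assess_shm_text() {
    state=$OK; count=0; detail=""
    while read -r key shmid owner perms bytes nattch rest; do
        case "$key" in 0x*) ;; *) continue ;; esac   # skip header and blank lines
        seg_state=$OK
        if [ "$perms" = "777" ]; then seg_state=$CRITICAL; fi
        if [ "$seg_state" != "$OK" ]; then
            count=$((count + 1))
            detail="${detail}shmid=$shmid owner=$owner bytes=$bytes; "
        fi
        state=$(max "$state" "$seg_state")
    done <<EOF
$1
EOF
    # No "Shared Memory Segments" header means ipcs did not run properly.
    case "$1" in
        *"Shared Memory Segments"*) ;;
        *) state=$(max "$state" "$UNKNOWN") ;;
    esac
    printf '%s|%s|%s\n' "$state" "$count" "$detail"
}

# check_shm IPCS_TEXT FORMAT: print one result line in Nagios ("nagios")
# or Check_MK local-check ("cmk") format; return the plugin state.
check_shm() {
    result=$(assess_shm_text "$1")
    state=${result%%|*}
    rest=${result#*|}
    count=${rest%%|*}
    detail=${rest#*|}
    case "$state" in
        0) label=OK;       text="no 777 shared memory segments" ;;
        1) label=WARNING;  text="$count suspicious segment(s): $detail" ;;
        2) label=CRITICAL; text="$count world-writable segment(s): $detail" ;;
        *) label=UNKNOWN;  text="could not parse ipcs -m output" ;;
    esac
    if [ "$2" = "cmk" ]; then
        # Check_MK local check line: <state> <service> <perfdata> <text>
        echo "$state Ebury_SHM shm777=$count $label - $text"
    else
        # Nagios plugin line: TEXT | PERFDATA, state carried by the exit code
        echo "SHM $label - $text | shm777=$count"
    fi
    return "$state"
}

# Constructed sample `ipcs -m` output (not from a real host): two ordinary
# segments and one 777-mode segment of the kind the article describes.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 0          root       644        16384      1
0x0052e2c1 32769      postgres   600        37945344   6
0x00000000 65538      root       777        3145728    0'

# Demo run against the sample in both output formats.
check_shm "$SAMPLE_IPCS" nagios
check_shm "$SAMPLE_IPCS" cmk
```

To use it on a real host, replace the two demo lines with `check_shm "$(ipcs -m)" nagios` (or `cmk`) followed by `exit $?`: Nagios takes the state from the exit code, Check_MK takes it from the first field of the printed line, which is why the same script can serve both.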
Further info on the exploit(s):
See "the internets" for more detailed info on Ebury. It has been discussed, e.g. on WebhostingTalk.com, since, I think, back in 2012. For the more recent, related Windigo campaign see http://arstechnica.com/security/2014/03/10000-linux-servers-hit-by-malware-serving-tsunami-of-spam-and-exploits/