Hacked with Billgates Bot


(Sentinel) #1

We have tons of PBXs hosted in the cloud. Never had an issue. This system is locked down by IP with very strong passwords, yet today we got the Billgates bot.

BillGates is malware designed primarily for Linux, and since it is a botnet, it is mostly used for DDoS purposes.

I have been told they need root access to even install this. Anyone know how this happens? We removed everything and had no issues, but obviously we want to prevent this.


#2

You will need to provide some supportive evidence of why/how you think a several year old vector suddenly “got you” through your firewall.


(Tom Ray) #3

Based on what I recall, the BillGates malware is a good old-fashioned brute force attack on SSH. Is the SSH access locked down from the outside world?


(Sentinel) #4

Yes, it's locked down by IP, that's why I'm lost. We had all the files mentioned in my link, which is how we knew, and the GUI was down because Apache wouldn't start, etc. We had it.


(Lorne Gaetz) #5

SSH login failures and successes are logged in /var/log/secure. If the events have not been rotated away, you might find evidence there, but if you’ve had a root level exploit you can’t fully trust any log on the system.
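As an added example (not part of the thread or of FreePBX), the script below parses the sshd `Accepted`/`Failed` lines that rsyslog writes to /var/log/secure on RHEL-family systems and pulls out what Lorne suggests looking for: failure counts per source address, every accepted login with its method and source, accepted logins from addresses outside the expected allow list, and the brute-force signature Tom describes (many failures from one address followed by a success from the same address). The log lines, hostname `pbx1`, the allow list and the failure threshold are all constructed for the example; addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
import re
from collections import Counter

# sshd auth lines in the rsyslog format used on RHEL-family /var/log/secure.
# "invalid user" appears when the attempted username does not exist locally.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample of /var/log/secure content (not a real capture).
SAMPLE_SECURE_LOG = [
    "Mar  3 09:00:12 pbx1 sshd[1801]: Accepted publickey for asterisk from 198.51.100.20 port 41000 ssh2",
    "Mar  3 10:15:01 pbx1 sshd[2310]: Failed password for root from 203.0.113.7 port 50222 ssh2",
    "Mar  3 10:15:03 pbx1 sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 50230 ssh2",
    "Mar  3 10:15:04 pbx1 sshd[2314]: Failed password for root from 203.0.113.7 port 50233 ssh2",
    "Mar  3 10:15:06 pbx1 sshd[2316]: Failed password for invalid user admin from 203.0.113.7 port 50236 ssh2",
    "Mar  3 10:15:06 pbx1 sshd[2316]: Connection closed by 203.0.113.7 port 50236 [preauth]",
    "Mar  3 10:15:08 pbx1 sshd[2318]: Failed password for root from 203.0.113.7 port 50240 ssh2",
    "Mar  3 10:15:10 pbx1 sshd[2320]: Failed password for invalid user admin from 203.0.113.7 port 50244 ssh2",
    "Mar  3 10:16:40 pbx1 sshd[2399]: Accepted password for root from 203.0.113.7 port 50301 ssh2",
    "Mar  3 10:17:02 pbx1 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash",
]

# Assumed allow list: the only address that should ever be able to reach sshd.
ALLOWED_SSH_SOURCES = {"198.51.100.20"}


def parse_sshd_events(lines):
    """Return one dict per sshd Accepted/Failed line; other lines are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        event["invalid_user"] = event.pop("invalid") is not None
        event["port"] = int(event["port"])
        events.append(event)
    return events


def summarize(events, allowed_ips, fail_threshold=5):
    """Aggregate parsed events into the facts an incident responder wants first."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    accepted = [e for e in events if e["result"] == "Accepted"]
    return {
        # How many failed attempts each source produced.
        "failures_by_ip": dict(failures),
        # Sources whose failure count looks like password guessing.
        "brute_force_suspects": sorted(ip for ip, n in failures.items() if n >= fail_threshold),
        # Every successful login, so unexpected users or methods stand out.
        "accepted_logins": [(e["ts"], e["user"], e["method"], e["ip"]) for e in accepted],
        # Successes from outside the allow list mean the IP restriction did not hold.
        "accepted_from_unexpected_ip": [
            (e["ts"], e["user"], e["ip"]) for e in accepted if e["ip"] not in allowed_ips
        ],
        # A success from an address that was failing first is the classic brute-force signature.
        "accepted_after_failures": sorted({e["ip"] for e in accepted if failures[e["ip"]] > 0}),
    }


def run_example():
    """Parse the constructed sample and return its summary."""
    return summarize(parse_sshd_events(SAMPLE_SECURE_LOG), ALLOWED_SSH_SOURCES)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

To use it on a real system, replace `SAMPLE_SECURE_LOG` with the lines of /var/log/secure (and of the rotated copies, `/var/log/secure-*`, since the relevant window may already have rotated). As Lorne notes, a log read from a machine that has had root compromised is evidence to be weighed, not trusted; copy it off the host before analysing it, and check the result against the firewall's own logs of what reached port 22.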


(Nobby6) #6

“hosted in the cloud” “they need root access to even install”

I bet the hosted ones are on VPSs; possibly a root on the host, they've got control over every image.


(Sentinel) #7

It's in a datacenter where we have tons of PBXs. No other issues.