Hacked with Billgates Bot

We have tons of PBXs hosted in the cloud. Never had an issue. This system is locked down by IP with very strong passwords, yet today we got the BillGates bot.

BillGates is malware designed primarily for Linux, and since it is a botnet, it is mostly used for DDoS purposes.

I have been told they need root access to even install this. Anyone know how this happens? We removed everything and had no issues, but obviously we want to prevent this.

You will need to provide some supportive evidence of why/how you think a several year old vector suddenly “got you” through your firewall.

Based on what I recall, the BillGates malware is a good old-fashioned brute-force attack on SSH. Is SSH access locked down to the outside world?

Yes, it’s locked down by IP; that’s why I’m lost. We had all the files mentioned in my link, which is how we knew, and the GUI was down because Apache wouldn’t start, etc. We had it.

SSH login failures and successes are logged in /var/log/secure. If the events have not been rotated away, you might find evidence there, but if you’ve had a root level exploit you can’t fully trust any log on the system.

1 Like
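The suggestion above is to look in /var/log/secure for the SSH brute-force pattern BillGates is known for. Below is an added example (not code from the original thread or from any poster) that parses RHEL/CentOS-style sshd lines, counts failed logins per source address, flags any accepted login that arrives from an address with prior failures, and lists accepted logins from addresses outside the IP allowlist the PBX is supposed to be locked down to. The log lines and the allowlist are constructed for the example; the `SAMPLE_LOG`, `suspicious_logins` and `accepts_outside_allowlist` names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Matches the sshd authentication lines written to /var/log/secure on
# RHEL/CentOS-style hosts. Only "Failed"/"Accepted" events are parsed;
# pam_unix session lines and other noise return None.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)\s+port\s+\d+"
)

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Mar 12 03:14:07 pbx1 sshd[2171]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 12 03:14:09 pbx1 sshd[2171]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar 12 03:14:11 pbx1 sshd[2173]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar 12 03:14:15 pbx1 sshd[2175]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Mar 12 03:20:00 pbx1 sshd[2190]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 12 08:00:01 pbx1 sshd[3001]: Accepted publickey for asterisk from 192.0.2.10 port 40000 ssh2: RSA SHA256:abc
Mar 12 08:05:22 pbx1 sshd[3010]: Failed password for root from 198.51.100.7 port 22022 ssh2
"""

# Constructed allowlist standing in for "locked down by IP".
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return the fields of an sshd Failed/Accepted line, or None otherwise."""
    m = SSHD_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count failures per source IP and collect every accepted login, in order."""
    failures = Counter()
    accepts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        else:
            accepts.append(ev)
    return failures, accepts


def suspicious_logins(log_text, threshold=3):
    """Accepted logins preceded by at least `threshold` failures from the same IP.

    A single pass keeps ordering: only failures seen *before* the accept count,
    which is the brute-force-then-success shape to look for.
    """
    seen_failures = Counter()
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            seen_failures[ev["ip"]] += 1
        elif seen_failures[ev["ip"]] >= threshold:
            flagged.append((ev["ip"], ev["user"], ev["ts"]))
    return flagged


def accepts_outside_allowlist(log_text, allowed_nets=ALLOWED_NETS):
    """Accepted logins from addresses not covered by the allowlist."""
    _, accepts = summarize(log_text)
    outside = []
    for ev in accepts:
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in allowed_nets):
            outside.append((ev["ip"], ev["user"]))
    return outside


if __name__ == "__main__":
    fails, _ = summarize(SAMPLE_LOG)
    print("failures per IP:", dict(fails))
    print("accept after repeated failures:", suspicious_logins(SAMPLE_LOG))
    print("accepts outside allowlist:", accepts_outside_allowlist(SAMPLE_LOG))
```

Run it against a saved copy of /var/log/secure (or `journalctl -u sshd` output converted to the same format) rather than the live file on the compromised host, for the reason given above: once root is lost, the logs on that box may have been edited. An accepted login from outside the allowlist is the more telling finding here, since it means the IP restriction was not actually in effect at the time.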

“hosted in the cloud” “they need root access to even install”

I bet the hosted ones are on VPSs; possibly with root on the host, they’ve got control over every image.

1 Like

It’s in a datacenter where we have tons of PBXs. No other issues.
