Linux.Siggen.1546

Technical Information

To ensure autorun and distribution:

Creates or modifies the following files:

/etc/init.d/netdns
/etc/init.d/.depend.boot
/etc/init.d/.depend.start
/etc/init.d/.depend.stop

Creates or modifies the following symlinks:

/etc/rc0.d/K01netdns
/etc/rc1.d/K01netdns
/etc/rc2.d/S01netdns
/etc/rc3.d/S01netdns
/etc/rc4.d/S01netdns
/etc/rc5.d/S01netdns
/etc/rc6.d/K01netdns

Malicious functions:

Launches itself as a daemon

Manages services:

systemctl enable netdns
/usr/sbin/update-rc.d netdns defaults
systemctl daemon-reload

Launches processes:

<SAMPLE_FULL_PATH> [kerberods]
/bin/bash -c chattr -i /usr/lib/systemd/system/netdns.service
chattr -i /usr/lib/systemd/system/netdns.service
/bin/bash -c chkconfig --add netdns
/bin/bash -c systemctl enable netdns
/sbin/insserv netdns

Performs operations with the file system:

Creates or modifies files:

/tmp/.X11unix
/usr/sbin/kerberods
/usr/lib/systemd/system/netdns.service

Network activity:

Establishes connection:

<LOCAL_DNS_SERVER>
17#.#8.123.25:9
[2########::f03c:91ff:fe70:2b9d]:9
19#.##8.200.99:6379
19#.##8.200.0:6379
<LOCAL_GATE>:6379
19#.##8.200.2:6379
19#.##8.200.3:6379
19#.##8.200.4:6379
19#.##8.200.5:6379
19#.##8.200.6:6379
19#.##8.200.7:6379
19#.##8.200.8:6379
19#.##8.200.9:6379
<LOCAL_GATE>0:6379
<LOCAL_GATE>1:6379
<LOCAL_GATE>2:6379
<LOCAL_GATE>3:6379
<LOCAL_GATE>4:6379
<LOCAL_GATE>5:6379
<LOCAL_GATE>6:6379
<LOCAL_GATE>7:6379
<LOCAL_GATE>8:6379
<LOCAL_GATE>9:6379
19#.##8.200.20:6379
19#.##8.200.21:6379
19#.##8.200.22:6379
19#.##8.200.23:6379
19#.##8.200.24:6379
19#.##8.200.25:6379
19#.##8.200.26:6379
19#.##8.200.27:6379
19#.##8.200.28:6379
19#.##8.200.29:6379
19#.##8.200.30:6379
19#.##8.200.31:6379
19#.##8.200.32:6379
19#.##8.200.33:6379
19#.##8.200.34:6379
19#.##8.200.35:6379
19#.##8.200.36:6379
19#.##8.200.37:6379
19#.##8.200.38:6379
19#.##8.200.39:6379
19#.##8.200.40:6379
19#.##8.200.41:6379
19#.##8.200.42:6379
19#.##8.200.43:6379
19#.##8.200.44:6379
19#.##8.200.45:6379
19#.##8.200.46:6379
19#.##8.200.47:6379
19#.##8.200.48:6379
19#.##8.200.49:6379
19#.##8.200.50:6379
19#.##8.200.51:6379
19#.##8.200.52:6379
19#.##8.200.54:6379
19#.##8.200.55:6379
19#.##8.200.56:6379
19#.##8.200.57:6379
19#.##8.200.58:6379
19#.##8.200.59:6379
19#.##8.200.60:6379
19#.##8.200.61:6379
19#.##8.200.62:6379
19#.##8.200.63:6379
19#.##8.200.64:6379
19#.##8.200.65:6379
19#.##8.200.66:6379
19#.##8.200.67:6379
19#.##8.200.68:6379
19#.##8.200.69:6379
19#.##8.200.70:6379
19#.##8.200.71:6379
19#.##8.200.72:6379
19#.##8.200.73:6379
19#.##8.200.74:6379
19#.##8.200.75:6379
19#.##8.200.76:6379
19#.##8.200.77:6379
19#.##8.200.78:6379
19#.##8.200.79:6379
19#.##8.200.80:6379
19#.##8.200.81:6379
19#.##8.200.82:6379
19#.##8.200.83:6379
19#.##8.200.84:6379
19#.##8.200.85:6379
19#.##8.200.86:6379
19#.##8.200.87:6379
19#.##8.200.88:6379
19#.##8.200.89:6379
19#.##8.200.90:6379
19#.##8.200.91:6379
19#.##8.200.92:6379
19#.##8.200.93:6379
19#.##8.200.94:6379
19#.##8.200.95:6379
19#.##8.200.96:6379
19#.##8.200.97:6379
19#.##8.200.98:6379
19#.##8.200.53:6379
<LOCAL_GATE>00:6379
<LOCAL_GATE>03:6379
<LOCAL_GATE>04:6379
<LOCAL_GATE>05:6379
<LOCAL_GATE>06:6379
<LOCAL_GATE>07:6379
<LOCAL_GATE>08:6379
<LOCAL_GATE>09:6379
<LOCAL_GATE>10:6379
<LOCAL_GATE>11:6379
<LOCAL_GATE>12:6379
<LOCAL_GATE>01:6379
<LOCAL_GATE>13:6379
<LOCAL_GATE>14:6379
<LOCAL_GATE>15:6379
<LOCAL_GATE>16:6379
<LOCAL_GATE>17:6379
<LOCAL_GATE>18:6379
<LOCAL_GATE>19:6379
<LOCAL_GATE>20:6379
<LOCAL_GATE>21:6379
<LOCAL_GATE>22:6379
<LOCAL_GATE>23:6379
<LOCAL_GATE>24:6379
<LOCAL_GATE>25:6379
<LOCAL_GATE>26:6379
<LOCAL_GATE>02:6379
<LOCAL_GATE>27:6379
<LOCAL_GATE>28:6379
<LOCAL_GATE>29:6379
<LOCAL_GATE>30:6379
<LOCAL_GATE>31:6379
<LOCAL_GATE>33:6379
<LOCAL_GATE>34:6379
<LOCAL_GATE>35:6379
<LOCAL_GATE>32:6379
<LOCAL_GATE>36:6379
<LOCAL_GATE>37:6379
<LOCAL_GATE>38:6379
<LOCAL_GATE>39:6379
<LOCAL_GATE>40:6379
<LOCAL_GATE>41:6379
<LOCAL_GATE>42:6379
<LOCAL_GATE>43:6379
<LOCAL_GATE>44:6379
<LOCAL_GATE>45:6379
<LOCAL_GATE>46:6379
<LOCAL_GATE>47:6379
<LOCAL_GATE>48:6379
<LOCAL_GATE>49:6379
<LOCAL_GATE>50:6379
<LOCAL_GATE>51:6379
<LOCAL_GATE>52:6379
<LOCAL_GATE>53:6379
<LOCAL_GATE>54:6379
<LOCAL_GATE>55:6379
<LOCAL_GATE>56:6379
<LOCAL_GATE>57:6379
<LOCAL_GATE>58:6379
<LOCAL_GATE>59:6379
<LOCAL_GATE>60:6379
<LOCAL_GATE>61:6379
<LOCAL_GATE>62:6379
<LOCAL_GATE>63:6379
<LOCAL_GATE>64:6379
<LOCAL_GATE>65:6379
<LOCAL_GATE>66:6379
<LOCAL_GATE>67:6379
<LOCAL_GATE>68:6379
<LOCAL_GATE>69:6379
<LOCAL_GATE>70:6379
<LOCAL_GATE>71:6379
<LOCAL_GATE>72:6379
<LOCAL_GATE>73:6379
<LOCAL_GATE>74:6379
<LOCAL_GATE>75:6379
<LOCAL_GATE>76:6379
<LOCAL_GATE>77:6379
<LOCAL_GATE>78:6379
<LOCAL_GATE>79:6379
<LOCAL_GATE>80:6379
<LOCAL_GATE>81:6379
<LOCAL_GATE>82:6379
<LOCAL_GATE>83:6379
<LOCAL_GATE>84:6379
<LOCAL_GATE>85:6379
<LOCAL_GATE>86:6379
<LOCAL_GATE>87:6379
<LOCAL_GATE>88:6379
<LOCAL_GATE>89:6379
<LOCAL_GATE>90:6379
<LOCAL_GATE>91:6379
<LOCAL_GATE>92:6379
<LOCAL_GATE>93:6379
<LOCAL_GATE>94:6379
<LOCAL_GATE>95:6379
<LOCAL_GATE>96:6379
<LOCAL_GATE>97:6379
<LOCAL_GATE>98:6379
<LOCAL_GATE>99:6379
19#.###.200.200:6379
19#.###.200.201:6379
19#.###.200.202:6379
19#.###.200.203:6379
19#.###.200.204:6379
19#.###.200.205:6379
19#.###.200.206:6379
19#.###.200.207:6379
19#.###.200.208:6379
19#.###.200.209:6379
19#.###.200.210:6379
19#.###.200.211:6379
19#.###.200.212:6379
19#.###.200.213:6379
19#.###.200.214:6379
19#.###.200.215:6379
19#.###.200.216:6379
19#.###.200.217:6379
19#.###.200.218:6379
19#.###.200.219:6379
19#.###.200.220:6379
19#.###.200.221:6379
19#.###.200.222:6379
19#.###.200.223:6379
19#.###.200.224:6379
19#.###.200.225:6379
19#.###.200.226:6379
19#.###.200.227:6379
19#.###.200.228:6379
19#.###.200.229:6379
19#.###.200.230:6379
19#.###.200.231:6379
19#.###.200.232:6379
19#.###.200.233:6379
19#.###.200.234:6379
19#.###.200.235:6379
19#.###.200.237:6379
19#.###.200.238:6379
19#.###.200.239:6379
19#.###.200.240:6379
19#.###.200.241:6379
19#.###.200.242:6379
19#.###.200.243:6379
19#.###.200.244:6379
19#.###.200.245:6379
19#.###.200.246:6379
19#.###.200.247:6379
19#.###.200.248:6379
19#.###.200.249:6379
19#.###.200.250:6379
19#.###.200.251:6379
19#.###.200.252:6379
19#.###.200.253:6379
19#.###.200.254:6379
19#.###.200.255:6379
95.##1.0.0:6379
95.##1.0.1:6379
95.##1.0.2:6379
95.##1.0.3:6379
95.###.0.11:6379
95.##1.0.4:6379
95.##1.0.5:6379
95.##1.0.6:6379
95.##1.0.7:6379
95.##1.0.8:6379
95.##1.0.9:6379
95.###.0.10:6379
19#.###.200.236:6379
95.###.0.12:6379
95.###.0.13:6379
95.###.0.14:6379
95.###.0.15:6379
95.###.0.16:6379
95.###.0.17:6379
95.###.0.18:6379
95.###.0.19:6379
95.###.0.20:6379
95.###.0.21:6379
95.###.0.22:6379
95.###.0.23:6379
95.###.0.24:6379
95.###.0.25:6379
95.###.0.26:6379
95.###.0.27:6379
95.###.0.29:6379
95.###.0.30:6379
95.###.0.31:6379
95.###.0.32:6379
95.###.0.33:6379
95.###.0.34:6379
95.###.0.35:6379
95.###.0.36:6379
95.###.0.37:6379
95.###.0.38:6379
95.###.0.39:6379
95.###.0.40:6379
95.###.0.41:6379
95.###.0.42:6379
95.###.0.43:6379
95.###.0.28:6379
95.###.0.44:6379
95.###.0.45:6379
95.###.0.46:6379
95.###.0.47:6379
95.###.0.48:6379
95.###.0.49:6379

HTTP GET requests:

id##t.me/

DNS ASK:

id##t.me

Other:

Collects RAM information

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations