Linux.Siggen.2294
Added to the Dr.Web virus database: 2019-10-31
Virus description added: 2019-10-31
Technical Information
Malicious functions:
Substitutes application name for:
Modifies firewall settings:
- iptables -I INPUT -p tcp --destination-port 22 -j DROP
- iptables -I INPUT -p tcp --destination-port 23 -j DROP
- iptables -I INPUT -p tcp --destination-port 2323 -j DROP
- iptables -I OUTPUT -p tcp --source-port 22 -j DROP
- iptables -I OUTPUT -p tcp --source-port 23 -j DROP
- iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
- iptables -I INPUT -p udp --destination-port 63812 -j ACCEPT
- iptables -I OUTPUT -p udp --source-port 63812 -j ACCEPT
- iptables -I PREROUTING -t nat -p udp --destination-port 63812 -j ACCEPT
- iptables -I POSTROUTING -t nat -p udp --source-port 63812 -j ACCEPT
- iptables -I INPUT -p tcp --destination-port 54455 -j ACCEPT
- iptables -I PREROUTING -t nat -p tcp --destination-port 54455 -j ACCEPT
- iptables -I POSTROUTING -t nat -p tcp --source-port 54455 -j ACCEPT
Launches processes:
- sh -c echo 3 > /proc/sys/vm/drop_caches
- sh -c iptables -I INPUT -p tcp --destination-port 22 -j DROP
- sh -c iptables -I INPUT -p tcp --destination-port 23 -j DROP
- sh -c iptables -I INPUT -p tcp --destination-port 2323 -j DROP
- sh -c iptables -I OUTPUT -p tcp --source-port 22 -j DROP
- sh -c iptables -I OUTPUT -p tcp --source-port 23 -j DROP
- sh -c iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
- sh -c iptables -I INPUT -p udp --destination-port 63812 -j ACCEPT
- sh -c iptables -I OUTPUT -p udp --source-port 63812 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p udp --destination-port 63812 -j ACCEPT
- sh -c iptables -I POSTROUTING -t nat -p udp --source-port 63812 -j ACCEPT
- sh -c iptables -I INPUT -p tcp --destination-port 54455 -j ACCEPT
- sh -c iptables -I OUTPUT -p tcp --source-port 54455 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p tcp --destination-port 54455 -j ACCEPT
- sh -c iptables -I POSTROUTING -t nat -p tcp --source-port 54455 -j ACCEPT
Performs operations with the file system:
Creates or modifies files:
- /proc/self/oom_score_adj
- /proc/705/oom_score_adj
- /proc/sys/vm/drop_caches
- /root/config
- /config
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:14737
- 0.0.0.0:63812
- 0.0.0.0:54455
Establishes connection:
DNS ASK:
- dh#.###nsmissionbt.com
- ro####.bittorrent.com
- ro####.utorrent.com
- bt#####er.debian.org
Sends data to the following servers:
- 87.##.162.88:6881
- 21#.##9.33.59:6881
- 67.###.246.10:6881
- 82.###.103.244:6881
- 13#.##9.18.159:6881
- 50.#.#7.12:51413
- 19#.###.249.218:13131
- 21#.##6.79.205:7135
- 20#.#.114.116:59840
- 17#.##4.189.96:6881
- 10#.###.177.69:50321
- 83.###.191.131:6881
- 81.##.116.110:6881
- 94.###.87.187:38321
- 5.###.108.149:6881
- 62.###.139.196:55111
- 11#.###.61.172:16001
- 96.##.219.131:1434
- 10#.##3.181.1:40945
- 78.###.51.42:61143
- 77.##.2.36:7425
- 82.##.80.165:6882
- 17#.##3.48.84:62298
- 76.###.27.227:21275
- 10#.##.133.113:57609
- 46.##.179.97:4459
- 91.###.156.19:63055
- 91.###.221.187:51413
- 17#.##2.205.4:6908
- 98.###.172.176:51413
- 18#.###.108.62:24874
- 73.###.116.248:35650
- 15#.##.216.209:1235
- 95.###.174.73:63141
- 46.###.13.230:1274
- 14#.###.158.56:51413
- 11#.##.223.223:6889
- 5.##.#26.241:49197
- 10#.##.183.149:4676
- 12#.##.239.143:6881
- 93.###.200.200:51413
- 37.##.41.6:51413
- 77.##.180.163:51413
- 62.###.62.182:555
- 1.###.148.100:7480
- 91.###.121.216:6881
- 18#.##.190.131:27049
- 92.###.219.26:53001
- 14#.##7.79.86:16043
- 71.###.81.140:52411
- 16#.##2.89.234:6881
- 21#.###.19.188:28577
- 90.###.173.240:64692
- 17#.###.128.58:51413
- 5.###.183.129:46942
- 2.###.8.37:61259
- 94.##.46.53:27862
- 95.##.51.237:43768
- 10#.##3.91.93:47800
- 11#.##7.76.162:6889
- 79.###.73.100:44434
- 94.###.121.144:39916