Linux.Siggen.3808

Added to the Dr.Web virus database: 2021-03-23

Virus description added:

Technical Information

Malicious functions:
Manages services:
  • systemctl start opendkim
  • systemctl enable opendkim
  • systemctl restart postfix
  • systemctl start named
  • systemctl enable named
  • systemctl restart mysqld
  • systemctl enable mysqld
  • systemctl restart httpd
  • systemctl enable httpd
  • systemctl stop sendmail
  • systemctl disable sendmail
Launches processes:
  • /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/bash <SAMPLE_FULL_PATH> -c
  • rm -rf /root/install.sh
  • mkdir -p /root/mailamigos-scripts/backup-local/.Originais
  • ip a
  • grep inet
  • cut -f1 -d/
  • awk {print $2}
  • grep -v ^127.[0-9]
  • grep -v ^10.[0-9]
  • grep -v ^172.16.[0-9]
  • grep -v ^192.168.[0-9]
  • cat /root/mailamigos-scripts/ips.info
  • head -1 /root/mailamigos-scripts/ips.info
  • wc -l
  • rm -rf /etc/localtime
  • ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
  • md5sum
  • date
  • cut -c -12
  • base64
  • useradd
  • chpasswd
  • mkdir /home//websites
  • chmod 755 /home// -R
  • chown : /home// -R
  • useradd return -s /sbin/nologin
  • nscd -i passwd
  • nscd -i group
  • useradd admin
  • useradd fbl
  • useradd abuse
  • useradd reply
  • useradd postmaster
  • mv /etc/named.conf /etc/named.conf-bkp
  • date +%Y%m%d%H%M%S
  • cut -f1-3 -d.
  • sort /tmp/ips.info
  • uniq
  • sed -i s/^/ip4:/ /tmp/spfconfig.info
  • sed -i s/$/.0\/24 / /tmp/spfconfig.info
  • sed -i :a;$!N;s/\n//;ta; /tmp/spfconfig.info
  • cat /tmp/spfconfig.info
  • mv /etc/opendkim/keys/default.private /tmp/dkim-default
  • cat /etc/opendkim/keys/default.txt
  • mv .db /var/named/.db
  • chown root:named /var/named/.db
  • mv /etc/opendkim.conf /etc/opendkim.conf.orig
  • cat
  • sleep 0.5
  • mv /etc/my.cnf /etc/my.cnf-bkp
  • mv /mailamigos/repositories/*.sql /root/mailamigos-scripts/backup-local/.Originais/
  • mv /etc/php.ini /etc/php.ini-bkp
  • mv /mailamigos/repositories/ioncube_loader_lin_5.6.so /usr/lib64/php/modules/ioncube_loader_lin_5.6.so
  • chmod 777 /usr/lib64/php/modules/ioncube_loader_lin_5.6.so
  • mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-bkp
  • rm -rf /var/www/html
  • mkdir /var/www/mailer
  • unzip -q /mailamigos/repositories/mumara.zip -d /var/www/mailer
  • mv /mailamigos/repositories/mumara.zip /root/mailamigos-scripts/backup-local/.Originais/mumara.zip
  • sed -i 177d /etc/squirrelmail/config.php
  • sed -i 1
  • mv /etc/httpd/conf.d/phpMyAdmin.conf /etc/httpd/conf.d/phpMyAdmin.conf-bkp
  • chown apache:apache /var/www/ -R
  • mv /etc/postfix/main.cf /etc/postfix/main.cf-bkp
  • mv /etc/postfix/master.cf /etc/postfix/master.cf-bkp
  • mv /etc/sysctl.conf /etc/sysctl.conf-bkp
Performs operations with the file system:
Modifies file access rights:
  • /home
  • /home/websites
  • /home/user
  • /home/user/.bashrc
  • /home/user/.bash_logout
  • /home/user/.profile
  • /etc/passwd+
  • /etc/shadow+
  • /etc/group+
  • /etc/gshadow+
  • /etc/subuid+
  • /etc/subgid+
  • /etc/nshadow
  • /tmp/sedg702yS
  • /tmp/sedt3Jko1
  • /tmp/sedAEVOtd
Creates folders:
  • /root/mailamigos-scripts
  • /root/mailamigos-scripts/backup-local
  • /root/mailamigos-scripts/backup-local/.Originais
  • /home/websites
Creates symlinks:
  • /etc/localtime
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /etc/shadow.lock
Creates or modifies files:
  • /root/mailamigos-scripts/ips.info
  • /etc/resolv.conf
  • /etc/sysconfig/clock
  • /root/mailamigos-scripts/licenseemail.info
  • /root/mailamigos-scripts/domain.info
  • /proc/sys/kernel/hostname
  • /root/mailamigos-scripts/reversedns.info
  • /root/mailamigos-scripts/sqlpass.info
  • /root/mailamigos-scripts/adminemail.info
  • /root/mailamigos-scripts/sendinguser.info
  • /root/mailamigos-scripts/sendinguserpass.info
  • /etc/.pwd.lock
  • /etc/passwd.745
  • /etc/group.745
  • /etc/gshadow.745
  • /etc/subuid.745
  • /etc/subgid.745
  • /etc/shadow.745
  • /var/log/faillog
  • /var/log/lastlog
  • /etc/passwd-
  • /etc/passwd+
  • /etc/shadow-
  • /etc/shadow+
  • /etc/group-
  • /etc/group+
  • /etc/gshadow-
  • /etc/gshadow+
  • /etc/subuid-
  • /etc/subuid+
  • /etc/subgid-
  • /etc/subgid+
  • /etc/nshadow
  • /etc/passwd.753
  • /etc/group.753
  • /etc/gshadow.753
  • /etc/subuid.753
  • /etc/subgid.753
  • /etc/shadow.753
  • /etc/passwd.761
  • /etc/group.761
  • /etc/gshadow.761
  • /etc/subuid.761
  • /etc/subgid.761
  • /etc/shadow.761
  • /etc/passwd.769
  • /etc/group.769
  • /etc/gshadow.769
  • /etc/subuid.769
  • /etc/subgid.769
  • /etc/shadow.769
  • /etc/passwd.777
  • /etc/group.777
  • /etc/gshadow.777
  • /etc/subuid.777
  • /etc/subgid.777
  • /etc/shadow.777
  • /etc/passwd.785
  • /etc/group.785
  • /etc/gshadow.785
  • /etc/subuid.785
  • /etc/subgid.785
  • /etc/shadow.785
  • /root/mailamigos-scripts/monitoringemail.info
  • /root/mailamigos-scripts/ipspeed.info
  • /etc/named.conf
  • /root/mailamigos-scripts/backup-local/.db
  • /root/.db
  • /tmp/ips.info
  • /tmp/spfconfig.info
  • /tmp/sedg702yS
  • /tmp/sedt3Jko1
  • /tmp/sedAEVOtd
  • /var/named/chroot/etc/named.rfc1912.zones
  • /etc/opendkim.conf
  • /tmp/sh-thd-198425089
  • /etc/opendkim/KeyTable
  • /etc/opendkim/SigningTable
  • /etc/opendkim/TrustedHosts
  • /etc/my.cnf
  • /etc/php.ini
  • /etc/httpd/conf/httpd.conf
  • /etc/httpd/conf.d/.conf
  • /var/www/mailer/inc/db.ini.php
  • /var/www/index.html
  • /etc/squirrelmail/config.php
  • /etc/httpd/conf.d/phpMyAdmin.conf
  • /etc/dovecot/dovecot.conf
  • /etc/dovecot/conf.d/10-mail.conf
  • /etc/dovecot/conf.d/20-pop3.conf
  • /etc/dovecot/conf.d/10-master.conf
  • /etc/dovecot/conf.d/10-auth.conf
  • /etc/postfix/main.cf
  • /etc/postfix/master.cf
  • /etc/sysctl.conf
Deletes files:
  • /root/install.sh
  • /etc/localtime
  • /etc/passwd.745
  • /etc/group.745
  • /etc/gshadow.745
  • /etc/subuid.745
  • /etc/subgid.745
  • /etc/shadow.745
  • /etc/shadow.lock
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /etc/passwd.753
  • /etc/group.753
  • /etc/gshadow.753
  • /etc/subuid.753
  • /etc/subgid.753
  • /etc/shadow.753
  • /etc/passwd.761
  • /etc/group.761
  • /etc/gshadow.761
  • /etc/subuid.761
  • /etc/subgid.761
  • /etc/shadow.761
  • /etc/passwd.769
  • /etc/group.769
  • /etc/gshadow.769
  • /etc/subuid.769
  • /etc/subgid.769
  • /etc/shadow.769
  • /etc/passwd.777
  • /etc/group.777
  • /etc/gshadow.777
  • /etc/subuid.777
  • /etc/subgid.777
  • /etc/shadow.777
  • /etc/passwd.785
  • /etc/group.785
  • /etc/gshadow.785
  • /etc/subuid.785
  • /etc/subgid.785
  • /etc/shadow.785
  • /tmp/sh-thd-198425089
  • /var/www/html
Other:
Collects RAM information

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
