
Linux.Siggen.4064

Added to the Dr.Web virus database: 2021-07-26

Virus description added:

Technical Information

Malicious functions:
Modifies firewall settings:
  • iptables -P INPUT DROP
  • iptables -t filter -N LOG_N_ACCEPT
  • iptables -t filter -A LOG_N_ACCEPT -j LOG --log-level warning --log-prefix ACTION=INPUT-ACCEPT
  • iptables -t filter -A LOG_N_ACCEPT -j ACCEPT
  • iptables -A INPUT -i eno1 -j LOG_N_ACCEPT
  • iptables -A INPUT -m conntrack --ctstate RELATE
  • iptables -A INPUT -p tcp -m tcp --dport 22 -j LOG_N_ACCEPT
  • iptables -A INPUT -p tcp -m tcp --dport http -j LOG_N_ACCEPT
  • iptables -A INPUT -p tcp -m tcp --dport https -j LOG_N_ACCEPT
  • iptables -P FORWARD DROP
  • iptables -A INPUT -j LOG
  • iptables -A INPUT -s 192.168.10.0/24 -j LOG
  • iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4
  • iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix ** SUSPECT **
  • iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  • iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  • iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  • iptables -t mangle -A PREROUTING -p tcp --tcp-flags FI
  • iptables -t mangle -A PREROUTING -p tcp --tcp-flags SY
  • iptables -t mangle -A PREROUTING -p tcp --tcp-flags AC
  • iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
  • iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  • iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FI
  • iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SY
  • iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
  • iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
  • iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  • iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
  • iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
  • iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  • iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
  • iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
  • iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
  • iptables -t mangle -A PREROUTING -p icmp -j DROP
  • iptables -t mangle -A PREROUTING -f -j DROP
  • iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
  • iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j LOG_N_ACCEPT
  • iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
  • iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j LOG_N_ACCEPT
  • iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
  • iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
  • iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
  • iptables -N port-scanning
  • iptables -A port-scanning -p tcp --tcp-flags SY
  • iptables -A port-scanning -j DROP
  • iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG_N_ACCEPT
  • iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  • iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j LOG_N_ACCEPT
  • iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j LOG_N_ACCEPT
  • iptables -I OUTPUT -m state -p tcp --state NEW ! -s 127.0.0.1 ! -d 127.0.0.1 -j LOG --log-prefix ACTION=OUTPUT-TCP
  • iptables -I OUTPUT -m state -p udp -s 127.0.0.1 ! -d 127.0.0.1 -j LOG --log-prefix ACTION=OUTPUT-UDP
Launches processes:
  • /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/bash <SAMPLE_FULL_PATH> -c
  • apt install dnsutils
  • /usr/bin/dpkg --print-foreign-architectures
  • /usr/lib/apt/methods/http
  • apt-get install net-tools
  • apt-get install tcpdump
  • apt-get install dsniff -y
Kills the following processes:
  • /usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
  • /var/cache/apt/pkgcache.bin.qm3h0o
Creates or modifies files:
  • /var/lib/dpkg/lock
  • /var/cache/apt/pkgcache.bin.qm3h0o
  • /var/cache/apt/archives/lock
Deletes files:
  • /var/cache/apt/pkgcache.bin
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
DNS ASK:
  • ft#.##.debian.org
Other:
Collects RAM information

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.