FÜR NUTZER

Meine Bibliothek

+ Zur Bibliothek hinzufügen

Suche

Support 24/7 | Regeln zur Anfragenübermittlung

Schreiben Sie uns

Online-Formular

Telefon

+49 (0) 170 488 40 28

Forum

Ihre Anfragen

Alle: -
Offen: -
Letzte Anfrage: -

Rufen Sie uns an

+7 (495) 789-45-86

DE

RU CN DE EN ES FR IT JP KZ UZ PL BY

Dr.Web vxCube

Sign in to Dr.Web vxCube

Analyse von virenabhängigen Vorfällen

Virenbibliothek

Wissensdatenbank

Technologies

Begriffe

Schulung und Training

Mythen

Mythen über Virenschutzsoftware

Linux.Siggen.4075

Added to the Dr.Web virus database: 2021-07-30

Virus description added: 2021-07-30

Technical Information

Malicious functions:

Launches processes:

chmod +x /bin/chattr
chmod +x /usr/bin/chattr
chattr -iae /tmp/iptableupdate.sh
/bin/sh -c chmod +x /tmp/iptableupdate.sh > /dev/null 2>&1
chmod +x /tmp/iptableupdate.sh
chmod 777 /tmp/iptableupdate.sh
/bin/sh -c nohup /tmp/iptableupdate.sh > /dev/null 2>&1 &
chattr -iae /etc/iptablesupdate
nohup /tmp/iptableupdate.sh
/tmp/iptableupdate.sh
/bin/sh /tmp/iptableupdate.sh
chattr -iae /tmp/iptablesupdate
ps -ef
grep -w iptableupdate.sh
grep -v grep
wc -l
/bin/sh -c \cp <SAMPLE_FULL_PATH> /etc/iptablesupdate > /dev/null 2>&1
cp <SAMPLE_FULL_PATH> /etc/iptablesupdate
/bin/sh -c \cp <SAMPLE_FULL_PATH> /tmp/iptablesupdate > /dev/null 2>&1
cp <SAMPLE_FULL_PATH> /tmp/iptablesupdate
grep iptablesupdate
chattr +ia /tmp/iptableupdate.sh
chattr +ia /etc/iptablesupdate
chattr +ia /tmp/iptablesupdate
chattr -iae /bin/dockerlogger
chattr -iae /usr/bin/dockerlogger
chmod +x /bin/dockerlogger
chattr -ia /tmp/iptablesupdate
chmod +x /usr/bin/dockerlogger
/bin/sh -c \cp <SAMPLE_FULL_PATH> /etc/iptablesupdate
chmod +x /tmp/iptablesupdate
sleep 5
/tmp/iptablesupdate
/bin/sh -c \cp <SAMPLE_FULL_PATH> /usr/bin/dockerlogger
cp <SAMPLE_FULL_PATH> /usr/bin/dockerlogger

Performs operations with the file system:

Modifies file access rights:

/usr/bin/chattr
/tmp/iptableupdate.sh
/tmp/iptablesupdate

Creates folders:

/tmp/.abchello
/root/data-dir-231730289

Creates or modifies files:

/tmp/iptableupdate.sh
/etc/iptablesupdate
/tmp/iptablesupdate
/usr/bin/dockerlogger
/root/data-dir-231730289/torrc-119283996
/root/data-dir-231730289/control-port-372753867

Deletes files:

/tmp/iptableupdate.sh
/root/data-dir-231730289

Network activity:

Establishes connection:

<LOCAL_DNS_SERVER>
18#.##9.111.133:9
18#.##9.108.133:9
18#.##9.109.133:9
18#.##9.110.133:9
18#.##9.111.133:443

HTTP POST requests:

10#.###.#03.16:26800/api/postip

DNS ASK:

xv###hded.tk
xv###hded.com
xv####ded.pages.dev
ra#.####ubusercontent.com

Sends data to the following servers:

18#.##9.111.133:443

Receives data from the following servers:

18#.##9.111.133:443

Other:

Collects CPU information

Collects RAM information

Collects information about network activity

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number