Linux.Mirai.857

Technical Information

Malicious functions:

Removes itself

Launches itself as a daemon

Substitutes application name for:

puo24wfi3nwhptfsauf86kv1jm2j

Launches processes:

sh -c rm -r /var/log
rm -r /var/log

Performs operations with the file system:

Deletes files:

/btmp
/term.log
/history.log
/kern.log
/fontconfig.log
/dmesg
/alternatives.log
/dpkg.log
/faillog
/checkfs
/checkroot
/daemon.log
/wtmp
/syslog
/messages
/debug
/lastlog
/hardware-summary
/partman
/lsb-release
/status
/questions.dat
/templates.dat
/auth.log
/mainlog

Network activity:

Awaits incoming connections on ports:

127.0.0.1:48099
0.0.0.0:23

Establishes connection:

8.#.8.8:53
<LOCAL_DNS_SERVER>
10#.##5.77.113:8081
10#.###.77.113:10000
10#.##5.77.113:8080
10#.##5.77.113:88
10#.##5.77.113:8090
10#.##5.77.113:1080
10#.##5.77.113:81
10#.##5.77.113:3000
10#.##5.77.113:8001
10#.##5.77.113:84
10#.##5.77.113:80
10#.##5.77.113:8060
10#.##5.77.113:3749
36.##.177.3:81
36.##.177.3:8080
36.##.177.3:8081
36.##.177.3:88
36.##.177.3:8001
36.##.177.3:82
36.##.177.3:10000
36.##.177.3:8443
36.##.177.3:8880
36.##.177.3:84
36.##.177.3:8060
36.##.177.3:8090
36.##.177.3:3000
10#.##5.77.113:8443
10#.##5.77.113:8880
36.##.177.3:1080
36.##.177.3:83
10#.##5.77.113:83
36.##.177.3:3749
10#.##.233.78:8001
10#.##.233.78:80
85.###.43.75:10000

HTTP GET requests:

27.###.###.#########.#hp?mac=52-54-00-12-34-56&type=all&port=80&ver=1.07&act=finish
85.###.43.75:8880/
85.###.43.75:10000/
85.###.##.###8880/system.ini?loginuse&loginpas
85.###.##.###10000/system.ini?loginuse&loginpas
85.###.##.##############e_handle.php?cmd=writeuploaddir&uploaddir=%27;echo+nuuo+123456;%27
85.###.##.##############de_handle.php?cmd=writeuploaddir&uploaddir=%27;echo+nuuo+123456;%27
36.##.177.3/
85.###.##.####880/board.cgi?cmd=cat%20/etc/passwd
85.###.##.####0000/board.cgi?cmd=cat%20/etc/passwd
85.###.##.#############.######xt_file=netgear.cfg&todo=syscmd&curpath=/&currentsetting.htm=1&cmd=echo+dgn+123456
10#.##.233.78:8001/
85.###.##.##############.#####ext_file=netgear.cfg&todo=syscmd&curpath=/&currentsetting.htm=1&cmd=echo+dgn+123456
85.###.##.###########-bin/user/Config.cgi?.cab&action=get&category=Account.*
85.###.##.###########i-bin/user/Config.cgi?.cab&action=get&category=Account.*
85.###.##.######0/shell?echo+jaws+123456;cat+/proc/cpuinfo
85.###.##.######00/shell?echo+jaws+123456;cat+/proc/cpuinfo
10#.##.233.78:8080/
10#.##.###.##:8080/system.ini?loginuse&loginpas
10#.##.###.#############de_handle.php?cmd=writeuploaddir&uploaddir=%27;echo+nuuo+123456;%27
36.##.###.##system.ini?loginuse&loginpas
10#.##.###.###8080/board.cgi?cmd=cat%20/etc/passwd

HTTP POST requests:

85.###.##.75:8880/command.php
85.###.##.75:10000/command.php
85.###.##.75:8880/hedwig.cgi
85.###.##.75:10000/hedwig.cgi
85.###.#3.75:8880/apply.cgi
85.###.##.75:10000/apply.cgi
10#.##.##3.78:8001/command.php
36.##.#77.3/command.php
10#.##.##3.78:8080/command.php

DNS ASK:

we####qweiur.com
e.##852.com

Sends data to the following servers:

21#.##5.58.226:80
21#.##5.58.226:81
21#.##5.58.226:8080
21#.##5.58.226:8081
21#.##5.58.226:88
21#.##5.58.226:8001
21#.##5.58.226:1080
21#.##5.58.226:82
21#.###.58.226:10000
21#.##5.58.226:8443
21#.##5.58.226:8880
21#.##5.58.226:83
21#.##5.58.226:84
21#.##5.58.226:8060
21#.##5.58.226:8090
21#.##5.58.226:3000
21#.##5.58.226:3749
85.##9.43.75:80
85.##9.43.75:81
85.###.43.75:8080
85.###.43.75:8081
85.##9.43.75:88
85.###.43.75:8001
85.###.43.75:1080
85.##9.43.75:82
85.###.43.75:8443
85.##9.43.75:83
85.##9.43.75:84
85.###.43.75:8060
85.###.43.75:8090
85.###.43.75:3000
85.###.43.75:3749
21#.##5.228.42:80
21#.##5.228.42:81
21#.##5.228.42:8080
21#.##5.228.42:8081
21#.##5.228.42:88
21#.##5.228.42:8001
21#.##5.228.42:1080
21#.##5.228.42:82
21#.###.228.42:10000
21#.##5.228.42:8443
21#.##5.228.42:8880
21#.##5.228.42:83
21#.##5.228.42:84
21#.##5.228.42:8060
21#.##5.228.42:8090
21#.##5.228.42:3000
21#.##5.228.42:3749
21#.##6.0.186:80
21#.##6.0.186:81
21#.##6.0.186:8080
21#.##6.0.186:8081
21#.##6.0.186:88
21#.##6.0.186:8001
21#.##6.0.186:1080
21#.##6.0.186:82
21#.##6.0.186:10000
21#.##6.0.186:8443
21#.##6.0.186:8880
21#.##6.0.186:83
21#.##6.0.186:84
21#.##6.0.186:8060
21#.##6.0.186:8090
21#.##6.0.186:3000
21#.##6.0.186:3749
10#.##.233.78:80
10#.##.233.78:81
10#.##.233.78:8081
10#.##.233.78:88
10#.##.233.78:1080
10#.##.233.78:82
10#.##.233.78:10000
10#.##.233.78:8443
10#.##.233.78:8880
10#.##.233.78:83
10#.##.233.78:84
10#.##.233.78:8060
10#.##.233.78:8090
10#.##.233.78:3000
10#.##.233.78:3749
10#.##5.77.113:80
10#.##5.77.113:81
10#.##5.77.113:8080
10#.##5.77.113:8081
10#.##5.77.113:88
10#.##5.77.113:8001
10#.##5.77.113:1080
10#.##5.77.113:82
10#.###.77.113:10000
10#.##5.77.113:8443
10#.##5.77.113:8880
10#.##5.77.113:83
10#.##5.77.113:84
10#.##5.77.113:8060
10#.##5.77.113:8090
10#.##5.77.113:3000
10#.##5.77.113:3749
11#.##.254.40:80
11#.##.254.40:81
11#.##.254.40:8080
11#.##.254.40:8081
11#.##.254.40:88
11#.##.254.40:8001
11#.##.254.40:1080
11#.##.254.40:82
11#.##.254.40:10000
11#.##.254.40:8443
11#.##.254.40:8880
11#.##.254.40:83
11#.##.254.40:84
11#.##.254.40:8060
11#.##.254.40:8090
11#.##.254.40:3000
11#.##.254.40:3749
20#.##2.171.137:80
20#.##2.171.137:81
20#.###.171.137:8080
20#.###.171.137:8081
20#.##2.171.137:88
20#.###.171.137:8001
20#.###.171.137:1080
20#.##2.171.137:82
20#.###.171.137:10000
20#.###.171.137:8443
20#.###.171.137:8880
20#.##2.171.137:83
20#.##2.171.137:84
20#.###.171.137:8060
20#.###.171.137:8090
20#.###.171.137:3000
20#.###.171.137:3749
36.##.177.3:81
36.##.177.3:8080
36.##.177.3:8081
36.##.177.3:88
36.##.177.3:8001
36.##.177.3:1080
36.##.177.3:82
36.##.177.3:10000
36.##.177.3:8443
36.##.177.3:8880
36.##.177.3:83
36.##.177.3:84
36.##.177.3:8060
36.##.177.3:8090
36.##.177.3:3000
36.##.177.3:3749
10#.##.233.78:8001
36.##.177.3:80
10#.##.233.78:8080

技术

术语

教育培训

误区

Technical Information

Curing recommendations