Linux.BackDoor.Tsunami.1051

Technical Information

Malicious functions:

Launches itself as a daemon

Launches processes:

sh -c pkill -9 902i13 || busybox pkill -9 902i13
pkill -9 902i13
busybox pkill -9 902i13
sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY
pkill -9 BzSxLxBxeY
busybox pkill -9 BzSxLxBxeY
sh -c pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7
pkill -9 HOHO-LUGO7
busybox pkill -9 HOHO-LUGO7
sh -c pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL
pkill -9 HOHO-U79OL
busybox pkill -9 HOHO-U79OL
sh -c pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87
pkill -9 JuYfouyf87
busybox pkill -9 JuYfouyf87
sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd
pkill -9 NiGGeR69xd
busybox pkill -9 NiGGeR69xd
sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X
pkill -9 SO190Ij1X
busybox pkill -9 SO190Ij1X
sh -c pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE
pkill -9 LOLKIKEEEDDE
busybox pkill -9 LOLKIKEEEDDE
sh -c pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e
pkill -9 ekjheory98e
busybox pkill -9 ekjheory98e
sh -c pkill -9 scansh4 || busybox pkill -9 scansh4
pkill -9 scansh4
busybox pkill -9 scansh4
sh -c pkill -9 MDMA || busybox pkill -9 MDMA
pkill -9 MDMA
busybox pkill -9 MDMA
sh -c pkill -9 fdevalvex || busybox pkill -9 fdevalvex
pkill -9 fdevalvex
busybox pkill -9 fdevalvex
sh -c pkill -9 scanspc || busybox pkill -9 scanspc
pkill -9 scanspc
busybox pkill -9 scanspc
sh -c pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ
pkill -9 MELTEDNINJAREALZ
busybox pkill -9 MELTEDNINJAREALZ
sh -c pkill -9 flexsonskids || busybox pkill -9 flexsonskids
pkill -9 flexsonskids
busybox pkill -9 flexsonskids
sh -c pkill -9 scanx86 || busybox pkill -9 scanx86
pkill -9 scanx86
busybox pkill -9 scanx86
sh -c pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL
pkill -9 MISAKI-U79OL
busybox pkill -9 MISAKI-U79OL
sh -c pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe

Network activity:

Attacks using a special dictionary (brute-force technique) via the Telnet protocol.

Connects to the following servers over the IRC protocol:

Server: 91.##7.189.21; Command: NICK [TNG|x86_64]O8DYsTgL\nUSER O8DYsTgL localhost localhost :O8DYsTgL\n
Server: 91.##7.189.21; Command: PONG :4066124176\n
Server: 91.##7.189.21; Command: MODE O8DYsTgL -xi\n
Server: 91.##7.189.21; Command: JOIN #Tanagra :picard\n
Server: 91.##7.189.21; Command: WHO O8DYsTgL\n

Other:

Collects CPU information

技术

术语

教育培训

误区

Technical Information

Curing recommendations