Linux.Siggen.4161
Added to the Dr.Web virus database:
2021-08-12
Virus description added:
2021-08-12
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/cron.d/phps
- /var/spool/cron/crontabs/root
- /etc/profile.d/php.sh
- /etc/crontab
- /etc/cron.d/phpx
Malicious functions:
Performs process tracing:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Modifies firewall settings:
- /etc/init.d/iptables stop
Manages services:
- service iptables stop
- systemctl stop iptables.service
- systemctl restart pwnriglhttps.service
- systemctl enable pwnriglhttps.service
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- chmod 777 <SAMPLE> run.sh stdout.log
- mv x sh
- chattr -i /root/sh
- chattr -i /root/mysql
- chattr -i /etc/.sh
- chattr -i /bin/shh
- chattr -i /sbin/https
- chattr -i /etc/spts
- chattr -i /usr/bin/.funzip
- chattr -i /etc/sphp
- cp -f -- /root/libprocesshider.so /usr/local
- mv /root/libprocesshider.so /usr/local/lib
- chattr -ai /etc/ld.so.preload
- chmod 777 /usr/local/lib/libprocesshider.so
- cp -f -- /root/sh /sbin/https
- chmod +x /sbin/httpss
- chmod +x /etc/cron.d/phps
- crontab -r
- cp -f -- sh .sh
- ./.sh -c
- rm -rf .sh
- chmod +x -- mysql
- ./mysql
- sort -
- crontab -
- uniq -
- cp -f -- /root/sh /bin/shh
- chmod 777 /etc/profile.d/php.sh
- cp -f -- /root/sh /etc/.sh
- cp -f -- /root/sphp /etc/sphp
- chmod 777 /etc/cron.d/phpx
- chmod 777 /etc/sphp
- ./sphp
- cp -f -- /root/sh /usr/bin/.funzip
- mv /root/pwnriglhttps.service /usr/lib/systemd/system
- chmod 777 /usr/lib/systemd/system/pwnriglhttps.service
- cp -f -- /root/sh /etc/spts
- chmod +x /etc/spts
- chmod 777 acpi adduser.conf adjtime aliases alternatives apache2 apt at.deny bash.bashrc bash_completion bash_completion.d bindresvport.blacklist binfmt.d ca-certificates ca-certificates.conf calendar console-setup cowpoke.conf cron.d cron.daily cron.hourly cron.monthly crontab cron.weekly dbus-1 debconf.conf debian_version default deluser.conf devscripts.conf dhcp dictionaries-common discover.conf.d discover-modprobe.conf dpkg dput.cf drirc emacs email-addresses environment exim4 fonts fstab gai.conf ghostscript groff group group- grub.d gshadow gshadow- gss gtk-2.0 host.conf hostname hosts hosts.allow hosts.deny idmapd.conf init init.d initramfs-tools inputrc insserv insserv.conf insserv.conf.d iproute2 iscsi issue issue.net kbd kernel kernel[rkmodule] [bash][PPID:0x2ae] [bash][PID:0x301] do_filp_open. Filename: \"/bin/chmod\
- python setup.py install
- apt install supervisor -y
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
Kills the following processes:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
- /usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
Creates or modifies files:
- /etc/profile
- /proc/sys/fs/file-max
- /etc/sysctl.conf
- /etc/resolv.conf
- /etc/ld.so.preload
- /sbin/httpss
- /var/spool/cron/mysql
- /root/mysql
- /var/spool/cron/crontabs/tmp.NHgJT5
- /var/lib/dpkg/lock
- /var/cache/apt/pkgcache.bin.9fnzVy
- /var/cache/apt/archives/lock
Deletes files:
- /var/spool/cron/.sh
- /root/.sh
- /var/cache/apt/pkgcache.bin
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 85.###.112.112:80
DNS ASK:
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息