Linux.Siggen.4161

Added to the Dr.Web virus database: 2021-08-12

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/cron.d/phps
  • /var/spool/cron/crontabs/root
  • /etc/profile.d/php.sh
  • /etc/crontab
  • /etc/cron.d/phpx
Malicious functions:
Performs process tracing:
  • <SAMPLE>
  • <SAMPLE_FULL_PATH>
Modifies firewall settings:
  • /etc/init.d/iptables stop
Manages services:
  • service iptables stop
  • systemctl stop iptables.service
  • systemctl restart pwnriglhttps.service
  • systemctl enable pwnriglhttps.service
Launches processes:
  • /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' "$@" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/bash <SAMPLE_FULL_PATH> -c
  • chmod 777 <SAMPLE> run.sh stdout.log
  • mv x sh
  • chattr -i /root/sh
  • chattr -i /root/mysql
  • chattr -i /etc/.sh
  • chattr -i /bin/shh
  • chattr -i /sbin/https
  • chattr -i /etc/spts
  • chattr -i /usr/bin/.funzip
  • chattr -i /etc/sphp
  • cp -f -- /root/libprocesshider.so /usr/local
  • mv /root/libprocesshider.so /usr/local/lib
  • chattr -ai /etc/ld.so.preload
  • chmod 777 /usr/local/lib/libprocesshider.so
  • cp -f -- /root/sh /sbin/https
  • chmod +x /sbin/httpss
  • chmod +x /etc/cron.d/phps
  • crontab -r
  • cp -f -- sh .sh
  • ./.sh -c
  • rm -rf .sh
  • chmod +x -- mysql
  • ./mysql
  • sort -
  • crontab -
  • uniq -
  • cp -f -- /root/sh /bin/shh
  • chmod 777 /etc/profile.d/php.sh
  • cp -f -- /root/sh /etc/.sh
  • cp -f -- /root/sphp /etc/sphp
  • chmod 777 /etc/cron.d/phpx
  • chmod 777 /etc/sphp
  • ./sphp
  • cp -f -- /root/sh /usr/bin/.funzip
  • mv /root/pwnriglhttps.service /usr/lib/systemd/system
  • chmod 777 /usr/lib/systemd/system/pwnriglhttps.service
  • cp -f -- /root/sh /etc/spts
  • chmod +x /etc/spts
  • chmod 777 acpi adduser.conf adjtime aliases alternatives apache2 apt at.deny bash.bashrc bash_completion bash_completion.d bindresvport.blacklist binfmt.d ca-certificates ca-certificates.conf calendar console-setup cowpoke.conf cron.d cron.daily cron.hourly cron.monthly crontab cron.weekly dbus-1 debconf.conf debian_version default deluser.conf devscripts.conf dhcp dictionaries-common discover.conf.d discover-modprobe.conf dpkg dput.cf drirc emacs email-addresses environment exim4 fonts fstab gai.conf ghostscript groff group group- grub.d gshadow gshadow- gss gtk-2.0 host.conf hostname hosts hosts.allow hosts.deny idmapd.conf init init.d initramfs-tools inputrc insserv insserv.conf insserv.conf.d iproute2 iscsi issue issue.net kbd kernel
  • python setup.py install
  • apt install supervisor -y
  • /usr/bin/dpkg --print-foreign-architectures
  • /usr/lib/apt/methods/http
Kills the following processes:
  • <SAMPLE>
  • <SAMPLE_FULL_PATH>
  • /usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
  • <SAMPLE_FULL_PATH>
  • /root/run.sh
  • /sbin/httpss
  • /etc/cron.d/phps
  • /root/mysql
  • /var/spool/cron/crontabs/tmp.NHgJT5
  • /etc/profile.d/php.sh
  • /etc/cron.d/phpx
  • /etc/acpi
  • /etc/adduser.conf
  • /etc/adjtime
  • /etc/aliases
  • /etc/alternatives
  • /etc/apache2
  • /etc/apt
  • /etc/at.deny
  • /etc/bash.bashrc
  • /etc/bash_completion
  • /etc/bash_completion.d
  • /etc/bindresvport.blacklist
  • /etc/binfmt.d
  • /etc/ca-certificates
  • /etc/ca-certificates.conf
  • /etc/calendar
  • /etc/console-setup
  • /etc/cowpoke.conf
  • /etc/cron.d
  • /etc/cron.daily
  • /etc/cron.hourly
  • /etc/cron.monthly
  • /etc/crontab
  • /etc/cron.weekly
  • /etc/dbus-1
  • /etc/debconf.conf
  • /etc/debian_version
  • /etc/default
  • /etc/deluser.conf
  • /etc/devscripts.conf
  • /etc/dhcp
  • /etc/dictionaries-common
  • /etc/discover.conf.d
  • /etc/discover-modprobe.conf
  • /etc/dpkg
  • /etc/dput.cf
  • /etc/drirc
  • /etc/emacs
  • /etc/email-addresses
  • /etc/environment
  • /etc/exim4
  • /etc/fonts
  • /etc/fstab
  • /etc/gai.conf
  • /etc/ghostscript
  • /etc/groff
  • /etc/group
  • /etc/group-
  • /etc/grub.d
  • /etc/gshadow
  • /etc/gshadow-
  • /etc/gss
  • /etc/gtk-2.0
  • /etc/host.conf
  • /etc/hostname
  • /etc/hosts
  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/idmapd.conf
  • /etc/init
  • /etc/init.d
  • /etc/initramfs-tools
  • /etc/inputrc
  • /etc/insserv
  • /etc/insserv.conf
  • /etc/insserv.conf.d
  • /etc/iproute2
  • /etc/iscsi
  • /etc/issue
  • /etc/issue.net
  • /etc/kbd
  • /etc/kernel
  • /etc/kernel-img.conf
  • /etc/kernel-img.conf.ucf-dist
  • /etc/kernel-img.conf.ucf-new
  • /etc/kernel-pkg.conf
  • /etc/ldap
  • /etc/ld.so.cache
  • /etc/ld.so.conf
  • /etc/ld.so.conf.d
  • /etc/ld.so.preload
  • /etc/libaudit.conf
  • /etc/libpaper.d
  • /etc/lighttpd
  • /etc/lintianrc
  • /etc/locale.alias
  • /etc/locale.gen
  • /etc/localtime
  • /etc/logcheck
  • /etc/login.defs
  • /etc/logrotate.conf
  • /etc/logrotate.d
  • /etc/machine-id
  • /etc/magic
  • /etc/magic.mime
  • /etc/mailcap
  • /etc/mailcap.order
  • /etc/mailname
  • /etc/mail.rc
  • /etc/manpath.config
  • /etc/mime.types
  • /etc/mke2fs.conf
  • /etc/modprobe.d
  • /etc/modules
  • /etc/modules-load.d
  • /etc/motd
  • /proc/769/mounts
  • /etc/Muttrc
  • /etc/Muttrc.d
  • /etc/nanorc
  • /etc/netconfig
  • /etc/network
  • /etc/networks
  • /etc/newt
  • /etc/nsswitch.conf
  • /etc/opt
  • /usr/lib/os-release
  • /etc/pam.conf
  • /etc/pam.d
  • /etc/papersize
  • /etc/passwd
  • /etc/passwd-
  • /etc/perl
  • /etc/ppp
  • /etc/profile
  • /etc/profile.d
  • /etc/protocols
  • /etc/python
  • /etc/python2.7
  • /etc/python3
  • /etc/python3.4
  • /etc/rc0.d
  • /etc/rc1.d
  • /etc/rc2.d
  • /etc/rc3.d
  • /etc/rc4.d
  • /etc/rc5.d
  • /etc/rc6.d
  • /etc/rc.local
  • /etc/rcS.d
  • /etc/reportbug.conf
  • /etc/request-key.d
  • /etc/resolv.conf
  • /etc/rmt
  • /etc/rpc
  • /etc/rsyslog.conf
  • /etc/rsyslog.d
  • /etc/securetty
  • /etc/security
  • /etc/selinux
  • /etc/services
  • /etc/sgml
  • /etc/shadow
  • /etc/shadow-
  • /etc/shells
  • /etc/skel
  • /etc/ssh
  • /etc/ssl
  • /etc/staff-group-for-usr-local
  • /etc/subgid
  • /etc/subgid-
  • /etc/subuid
  • /etc/subuid-
  • /etc/sysctl.conf
  • /etc/sysctl.d
  • /etc/systemd
  • /etc/terminfo
  • /etc/texmf
  • /etc/timezone
  • /etc/tmpfiles.d
  • /etc/ucf.conf
  • /etc/udev
  • /etc/ufw
  • /etc/updatedb.conf
  • /etc/vim
  • /etc/w3m
  • /etc/wgetrc
  • /etc/X11
  • /etc/xdg
  • /etc/xml
  • /var/cache/apt/pkgcache.bin.9fnzVy
Creates or modifies files:
  • /etc/profile
  • /proc/sys/fs/file-max
  • /etc/sysctl.conf
  • /etc/resolv.conf
  • /etc/ld.so.preload
  • /sbin/httpss
  • /var/spool/cron/mysql
  • /root/mysql
  • /var/spool/cron/crontabs/tmp.NHgJT5
  • /var/lib/dpkg/lock
  • /var/cache/apt/pkgcache.bin.9fnzVy
  • /var/cache/apt/archives/lock
Deletes files:
  • /var/spool/cron/.sh
  • /root/.sh
  • /var/cache/apt/pkgcache.bin
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 85.###.112.112:80
DNS queries:
  • ft#.##.debian.org
Other:
Collects RAM information
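The behaviour listed above amounts to a stock cryptominer installation pattern: several copies of a dropper under innocuous names (/etc/sphp, /etc/spts, /bin/shh, /sbin/https, /usr/bin/.funzip), persistence via cron.d entries, a profile.d script and a pwnriglhttps.service unit, iptables stopped, and libprocesshider.so pushed into /etc/ld.so.preload so that the miner process is filtered out of /proc listings. The script below is an added triage check written for this page; it is not Dr.Web's code and is not part of the sample. It walks a filesystem tree for the paths quoted in the report, flags any entry in /etc/ld.so.preload (which is empty or absent on a healthy host), and greps the root crontabs for the dropped names. The tree root is a parameter so the same function works against "/" on a live host or a mounted disk image; the two helper functions build a constructed test tree (invented content, not captured from the sample) so the check can be exercised offline. The regex used for the crontab grep and the finding labels are my own choices.

```shell
#!/bin/sh
# Added triage check for the persistence and process-hiding artifacts listed
# in the report above. Not Dr.Web's code. Paths come from the report's
# "Creates or modifies the following files" and "Launches processes" lists.

SIGGEN_DROPPED_FILES="/etc/cron.d/phps /etc/cron.d/phpx /etc/profile.d/php.sh \
/etc/sphp /etc/spts /etc/.sh /bin/shh /sbin/https /sbin/httpss /usr/bin/.funzip \
/root/sh /root/mysql /var/spool/cron/mysql /usr/local/lib/libprocesshider.so \
/usr/lib/systemd/system/pwnriglhttps.service"

# siggen_triage ROOT
# Prints one finding per line ("<kind> <path>") and returns 1 if anything was
# found, 0 if the tree looks clean. ROOT defaults to "/".
siggen_triage() {
    root="${1:-/}"
    found=0

    # 1. Dropped files and the systemd unit, by exact path.
    for f in $SIGGEN_DROPPED_FILES; do
        if [ -e "$root$f" ]; then
            echo "dropped_file $f"
            found=1
        fi
    done

    # 2. /etc/ld.so.preload: every library listed here is injected into every
    #    dynamically linked process, so any non-empty content is a finding.
    if [ -s "$root/etc/ld.so.preload" ]; then
        while IFS= read -r lib; do
            [ -n "$lib" ] && echo "ld_preload $lib"
        done < "$root/etc/ld.so.preload"
        found=1
    fi

    # 3. Root crontabs referencing the dropped names (regex is an assumption,
    #    chosen from the file names in the report).
    for c in /var/spool/cron/crontabs/root /var/spool/cron/root /etc/crontab; do
        [ -f "$root$c" ] || continue
        if grep -Eq 'sphp|spts|/etc/\.sh|\.funzip|/bin/shh|/sbin/https' "$root$c"; then
            echo "cron_entry $c"
            found=1
        fi
    done

    return $found
}

# Constructed test trees (invented content, not captured from the sample) so
# the check can be run offline. Each prints the temp directory it created.
make_infected_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/etc/cron.d" "$d/usr/local/lib" "$d/var/spool/cron/crontabs"
    printf '* * * * * root /etc/sphp\n' > "$d/etc/cron.d/phps"
    printf '/usr/local/lib/libprocesshider.so\n' > "$d/etc/ld.so.preload"
    : > "$d/usr/local/lib/libprocesshider.so"
    printf '*/5 * * * * /etc/spts >/dev/null 2>&1\n' > "$d/var/spool/cron/crontabs/root"
    echo "$d"
}

make_clean_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/etc"
    : > "$d/etc/ld.so.preload"   # empty preload file is the normal state
    echo "$d"
}

# Run as a script with a root argument, e.g. ./siggen_triage.sh /mnt/image
if [ "$#" -gt 0 ]; then
    siggen_triage "$1"
fi
```

Two caveats when running this on a live host rather than an image: reading the root crontab needs root, and any library already in /etc/ld.so.preload is loaded into the shell and tools doing the checking, so if the findings look suspiciously clean, repeat them from a mounted copy of the disk or a statically linked busybox. The `chattr -i` calls in the report also indicate that the dropped copies are expected to carry the immutable attribute; check with `lsattr` and clear it before attempting removal, since `rm` fails on immutable files even as root.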

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
