Linux.Siggen.4170
Added to the Dr.Web virus database: 2021-08-14
Virus description added: 2021-08-13
Technical Information
Malicious functions:
Gets access to SSH keys
- /root/.ssh/authorized_keys
Modifies firewall settings:
- iptables -F
- iptables -A INPUT -p tcp --dport 1234 -j ACCEPT
- iptables -A OUTPUT -p tcp --dport 1234 -j ACCEPT
Launches processes:
- cat /proc/cpuinfo
- cat /proc/sys/kernel/hostname
- /bin/sh /tmp/c.sh
- sync
- crontab -r
- rm -rf /var/spool/cron/
- rm -rf /var/spool/cron/crontabs/
- rm -rf /etc/cron.d/*
- chattr -iua /tmp/
- mv /usr/bin/cd1 /usr/bin/curl
- mv /usr/bin/wd1 /usr/bin/wget
- rm -rf /var/log/syslog
- sysctl -w vm.nr_hugepages=128
- chattr -ia /root/.ssh
- chattr -ia /root/.ssh/authorized_keys
- chmod 700 /root/.ssh/
- chmod 777 /root/.ssh/authorized_keys
- chmod 600 /root/.ssh/authorized_keys
Performs operations with the file system:
Creates or modifies files:
- /var/a
- /tmp/c.sh
- /root/dev/null
- /etc/sysconfig/selinux
- /proc/sys/vm/drop_caches
- /proc/sys/kernel/nmi_watchdog
- /etc/sysctl.conf
- /proc/sys/vm/nr_hugepages
Deletes files:
- /var/spool/cron/.SEQ
- /var/spool/cron/crontabs/
- /etc/cron.d/*
- /var/log/syslog
Curing recommendations
Linux