La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto
Supporto 24/7 | Regole per contattare

Richieste

Profile

Linux.Siggen.522

Aggiunto al database dei virus Dr.Web: 2018-04-09

La descrizione è stata aggiunta:

Technical Information

Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
  • /root/.ssh/authorized_keys
Launches processes:
  • /usr/bin/getconf CLK_TCK
  • <SAMPLE_FULL_PATH>
  • /usr/bin/lsb_release
  • dpkg-query -f ${Version} ${Provides
  • /sbin/sysctl -n kernel.random.boot_id
  • sh -c uptime
  • sh -c whoami
  • sh -c rm -rf /tmp/ddgs.30*.*
  • sh -c ps auxf
  • uptime
  • whoami
  • rm -rf /tmp/ddgs.30*.*
  • ps auxf
Performs operations with the file system:
Creates folders:
  • /root/.ddg
  • /root/.ssh
Creates or modifies files:
  • /root/.ddg/3010.lock
Deletes files:
  • /tmp/ddgs.30*.*"
Locks files:
  • /root/.ddg/3010.lock
Network activity:
Establishes connection:
  • 10#.##.239.132:8000
  • 10#.##.239.135:8000
  • 10#.###.211.117:8000
  • 11#.##.189.61:8000
  • 11#.##.184.31:8000
  • 11#.##.193.216:8000
  • 11#.##.27.86:8000
  • 11#.##1.1.127:8000
  • 11#.##.210.161:8000
  • 11#.###.104.177:8000
  • 11#.##6.86.91:8000
  • 10#.##.115.153:8000
  • 11#.###.120.193:8000
  • 11#.##5.24.92:8000
  • 11#.##5.129.43:8000
  • 11#.##5.41.12:8000
  • 11#.##5.65.229:8000
  • 11#.##4.20.22:8000
  • 11#.##.135.61:8000
  • 11#.##.30.103:8000
  • 11#.###.152.210:8000
  • 12#.##.222.138:8000
  • 12#.##5.43.145:8000
  • 12#.##.10.132:8000
  • 12#.##.119.134:8000
  • 12#.##.166.232:8000
  • 12#.##.200.177:8000
  • 12#.##5.43.72:8000
  • 12#.##6.197.63:8000
  • 12#.##.240.102:8000
  • 12#.##.12.137:8000
  • 13.###.240.221:8000
  • 14.###.232.55:8000
  • 16#.###.149.151:8000
  • 18#.##2.73.58:8000
  • 19#.##3.62.78:8000
  • 21#.##.12.12:8000
  • 47.##.26.128:8000
  • 47.##.35.111:8000
  • 47.##.39.221:8000
  • 47.##.57.128:8000
  • 19#.###.200.210:2222
  • 19#.###.200.210:22222
Attacks using a special dictionary (brute-force technique) via the SSH protocol
HTTP POST requests:
  • 16#.###.157.157:8000/slave
  • 12#.###.124.52:8000/slave
  • 20#.##.#47.116:8000/slave
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number