Per il corretto funzionamento del sito, è necessario attivare il supporto di JavaScript nel browser.
Linux.MulDrop.40
Aggiunto al database dei virus Dr.Web:
2019-01-12
La descrizione è stata aggiunta:
2019-01-12
Technical Information
Malicious functions:
Launches processes:
/bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
<SAMPLE_FULL_PATH>
/bin/bash <SAMPLE_FULL_PATH> -c
rm -rf shot attack
clear
useradd -N -m -r -p 1234567890 shot
nscd -i passwd
nscd -i group
mkdir /home/shot
apt-get update -y
/usr/bin/dpkg --print-foreign-architectures
/usr/lib/apt/methods/http
/usr/lib/apt/methods/gpgv
/usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.CGYRZW /tmp/apt.data.9blxbP
Kills the following processes:
/usr/lib/apt/methods/http
/usr/lib/apt/methods/gpgv
Performs operations with the file system:
Modifies file access rights:
/home/shot
/home/shot/.bashrc
/home/shot/.bash_logout
/home/shot/.profile
/etc/passwd+
/etc/shadow+
/etc/subuid+
/etc/subgid+
Creates folders:
Creates symlinks:
/etc/passwd.lock
/etc/group.lock
/etc/gshadow.lock
/etc/subuid.lock
/etc/subgid.lock
/etc/shadow.lock
Creates or modifies files:
/etc/.pwd.lock
/etc/passwd.709
/etc/group.709
/etc/gshadow.709
/etc/subuid.709
/etc/subgid.709
/etc/shadow.709
/var/log/faillog
/var/log/lastlog
/home/shot/.bashrc
/home/shot/.bash_logout
/home/shot/.profile
/etc/passwd-
/etc/passwd+
/etc/shadow-
/etc/shadow+
/etc/subuid-
/etc/subuid+
/etc/subgid-
/etc/subgid+
/var/lib/apt/lists/lock
/var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
/var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
/var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
/tmp/apt.sig.CGYRZW
/tmp/apt.data.9blxbP
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
/tmp/fileutl.message.KvRb4w
/tmp/fileutl.message.KvRb4w (deleted)
Deletes files:
/usr/lib/shot
/usr/lib/attack
/etc/passwd.709
/etc/group.709
/etc/gshadow.709
/etc/subuid.709
/etc/subgid.709
/etc/shadow.709
/etc/shadow.lock
/etc/passwd.lock
/etc/group.lock
/etc/gshadow.lock
/etc/subuid.lock
/etc/subgid.lock
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
/tmp/apt.sig.CGYRZW
/tmp/apt.data.9blxbP
/tmp/fileutl.message.KvRb4w
Network activity:
Establishes connection:
<LOCAL_DNS_SERVER>
21#.##6.149.233:80
[2#########:1:216:35ff:fe7f:6ceb]:80
[2#######8:dc41:100::233]:80
[2#####e42:3a::204]:80
HTTP GET requests:
se######.#####n.org/dists/jessie/updates/InRelease
ft#.##.######.org/debian/dists/jessie/InRelease
ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
se##########.##bian.org/dists/jessie/updates/InRelease
ft#.##.######.org/debian/dists/jessie/Release.gpg
ft#.##.######.org/debian/dists/jessie/Release
DNS ASK:
ft#.##.debian.org
se####ty.debian.org
se#####y-cdn.debian.org
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
Scaricate Dr.Web per Android
Gratis per 3 mesi
Tutti i componenti di protezione
Rinnovo versione di prova tramite AppGallery/Google Pay
Continuando a utilizzare questo sito, l'utente acconsente al nostro utilizzo di file Cookie e di altre tecnologie per la raccolta di informazioni statistiche sui visitatori. Per maggiori informazioni
OK