Linux.Packed.362
Added to the Dr.Web virus database: 2019-04-24
Virus description added: 2019-04-23
Technical Information
Malicious functions:
Launches itself as a daemon
Modifies firewall settings:
- iptables -I INPUT -p tcp --dport 22 -j DROP
- iptables -I INPUT -p tcp --dport 23 -j DROP
- iptables -I OUTPUT -p tcp --sport 22 -j DROP
- iptables -I OUTPUT -p tcp --sport 23 -j DROP
- iptables -I INPUT -p udp --dport 11211 -j ACCEPT
- iptables -I OUTPUT -p udp --sport 11211 -j ACCEPT
- iptables -I PREROUTING -t nat -p udp --dport 11211 -j ACCEPT
- iptables -I POSTROUTING -t nat -p udp --sport 11211 -j ACCEPT
Launches processes:
- sh -c echo 3 > /proc/sys/vm/drop_caches
- sh -c iptables -I INPUT -p tcp --dport 22 -j DROP
- sh -c iptables -I INPUT -p tcp --dport 23 -j DROP
- sh -c iptables -I OUTPUT -p tcp --sport 22 -j DROP
- sh -c iptables -I OUTPUT -p tcp --sport 23 -j DROP
- sh -c iptables -I INPUT -p udp --dport 11211 -j ACCEPT
- sh -c iptables -I OUTPUT -p udp --sport 11211 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p udp --dport 11211 -j ACCEPT
- sh -c iptables -I POSTROUTING -t nat -p udp --sport 11211 -j ACCEPT
Performs operations with the file system:
Creates or modifies files:
- /tmp/xrun.pid
- /proc/sys/vm/drop_caches
Network activity:
Awaits incoming connections on ports:
Establishes connection:
- [:##]:11211
- 127.0.0.1:11211
- 8.#.8.8:53
- <LOCAL_DNS_SERVER>
DNS ASK:
- dh#.###nsmissionbt.com
- ro####.bittorrent.com
- ro####.utorrent.com
- bt#####er.debian.org
Sends data to the following servers:
- 21#.##9.33.59:6881
- 87.##.162.88:6881
- 67.###.246.10:6881
- 82.###.103.244:6881
- 13#.##9.18.159:6881
- 10#.##8.6.202:14349
- 77.##.158.6:39532
- 91.##.95.24:51834
- 87.###.11.94:7738
- 82.###.52.222:27931
- 21#.###.207.192:37151
- 94.##.167.109:63029
- 15#.##3.38.127:8114
- 80.##.234.158:24874
- 17#.###.29.111:45752
- 17#.##.198.186:52391
- 85.###.215.212:2804
- 17#.##5.17.117:6881
- 17#.##9.38.17:22222
- 17#.###.186.197:47370
- 78.##.18.225:44822
- 77.###.206.181:6881
- 21#.##.48.250:27386
- 2.##.#91.140:42084
- 84.###.49.25:28541
- 20#.#.66.75:47186
- 5.#.#10.6:42727
- 85.###.109.230:37950
- 20#.###.197.167:24978
- 18#.##.169.98:22729
- 24.###.70.231:6881
- 84.##.72.241:4908
- 14#.###.14.203:61127
- 18#.#.204.104:47715
- 77.##.84.105:13055
- 10#.##3.12.224:6881
- 91.###.59.1:9345
- 10#.##6.67.77:6881
- 19#.##5.170.41:6881
- 5.###.246.120:6882
- 95.##.107.6:58954
- 95.###.178.211:6881
- 18#.###.168.127:6881
- 15#.##0.74.126:6881
- 95.###.145.11:6881
- 12#.###.43.172:31490
- 73.#.#53.188:13646
- 81.##.187.51:51684
- 17#.###.252.154:23130
- 86.###.244.150:6881
- 18#.##3.44.55:19495
- 37.###.151.47:57944
- 61.###.40.101:13422
- 46.###.148.231:49653
- 75.###.56.119:6881
- 81.##.190.21:4952
- 37.##.157.84:64096
- 83.###.146.185:17921
- 17#.##.240.88:1025
- 21#.###.150.109:6881
- 82.##.32.174:6881
- 92.##.188.222:18616
- 10#.###.125.17:54451
- 5.###.199.4:49305
- 54.##.251.216:8104
- 86.###.25.7:6881
- 94.##.145.183:62980
- 62.###.56.146:50759
- 18#.###.120.199:57812
- 91.##.69.217:29943
- 10#.###.148.162:57186
- 37.#.6.65:10606
- 21#.###.35.211:51413
- 18#.##3.54.78:13123
- 37.###.10.63:26508
- 19#.##1.233.8:48319
- 77.##.169.83:54973
- 17#.###.214.239:64855
- 90.###.146.81:12345
- 17#.##5.96.43:8896
- 46.###.201.130:49001
- 5.###.98.222:49001
- 13#.###.246.189:60923
- 10#.##5.3.255:13976
Curing recommendations
Linux