Technical Information
Malicious functions:
Substitutes application name for:
- sshd
Modifies firewall settings:
- iptables -I INPUT -p tcp --dport 46108 -j ACCEPT
- iptables -I OUTPUT -p tcp --sport 46108 -j ACCEPT
- iptables -I PREROUTING -t nat -p tcp --dport 46108 -j ACCEPT
- iptables -I POSTROUTING -t nat -p tcp --sport 46108 -j ACCEPT
- iptables -I INPUT -p udp --dport 59559 -j ACCEPT
- iptables -I OUTPUT -p udp --sport 59559 -j ACCEPT
- iptables -I PREROUTING -t nat -p udp --dport 59559 -j ACCEPT
- iptables -I POSTROUTING -t nat -p udp --sport 59559 -j ACCEPT
- iptables -I INPUT -p tcp --dport 34338 -j ACCEPT
- iptables -I OUTPUT -p tcp --sport 34338 -j ACCEPT
- iptables -I PREROUTING -t nat -p tcp --dport 34338 -j ACCEPT
- iptables -I POSTROUTING -t nat -p tcp --sport 34338 -j ACCEPT
- iptables -I INPUT -p tcp --dport 22 -j DROP
- iptables -I INPUT -p tcp --dport 23 -j DROP
- iptables -I INPUT -p tcp --dport 2323 -j DROP
- iptables -I OUTPUT -p tcp --sport 22 -j DROP
- iptables -I OUTPUT -p tcp --sport 23 -j DROP
- iptables -I OUTPUT -p tcp --sport 2323 -j DROP
- iptables -I INPUT -p udp --dport 10551 -j ACCEPT
- iptables -I OUTPUT -p udp --sport 10551 -j ACCEPT
- iptables -I PREROUTING -t nat -p udp --dport 10551 -j ACCEPT
- iptables -I POSTROUTING -t nat -p udp --sport 10551 -j ACCEPT
Launches processes:
- sh -c echo 3 > /proc/sys/vm/drop_caches
- sh -c iptables -I INPUT -p tcp --dport 46108 -j ACCEPT
- sh -c iptables -I OUTPUT -p tcp --sport 46108 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p tcp --dport 46108 -j ACCEPT
- sh -c iptables -I POSTROUTING -t nat -p tcp --sport 46108 -j ACCEPT
- sh -c iptables -I INPUT -p udp --dport 59559 -j ACCEPT
- sh -c iptables -I OUTPUT -p udp --sport 59559 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p udp --dport 59559 -j ACCEPT
- sh -c iptables -I POSTROUTING -t nat -p udp --sport 59559 -j ACCEPT
- sh -c iptables -I INPUT -p tcp --dport 34338 -j ACCEPT
- sh -c iptables -I OUTPUT -p tcp --sport 34338 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p tcp --dport 34338 -j ACCEPT
- sh -c iptables -I POSTROUTING -t nat -p tcp --sport 34338 -j ACCEPT
- sh -c iptables -I INPUT -p tcp --dport 22 -j DROP
- sh -c iptables -I INPUT -p tcp --dport 23 -j DROP
- sh -c iptables -I INPUT -p tcp --dport 2323 -j DROP
- sh -c iptables -I OUTPUT -p tcp --sport 22 -j DROP
- sh -c iptables -I OUTPUT -p tcp --sport 23 -j DROP
- sh -c iptables -I OUTPUT -p tcp --sport 2323 -j DROP
- sh -c iptables -I INPUT -p udp --dport 10551 -j ACCEPT
- sh -c iptables -I OUTPUT -p udp --sport 10551 -j ACCEPT
- sh -c iptables -I PREROUTING -t nat -p udp --dport 10551 -j ACCEPT
- sh -c iptables -I POSTROUTING -t nat -p udp --sport 10551 -j ACCEPT
- sh -c echo 1
Performs operations with the file system:
Creates or modifies files:
- /proc/self/oom_score_adj
- /proc/541/oom_score_adj
- /proc/sys/vm/drop_caches
- /root/config
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:14737
- 0.0.0.0:46108
- 0.0.0.0:59559
- 0.0.0.0:10551
- 0.0.0.0:34338
Establishes connection:
- [:##]:59559
- 127.0.0.1:59559
- [:##]:10551
- 127.0.0.1:10551
- <LOCAL_DNS_SERVER>
- 8.#.8.8:123
- 19#.##8.1.1:8088
- 19#.#68.3.1:123
- 19#.##8.1.1:1234
- 10#.#4.26.77:80
- 21#.##1.77.73:80
- 66.##.17.78:80
- 90.##.74.38:37215
- 12#.###.180.250:49152
- 31.##.116.224:52869
- 19#.###.209.92:49152
- 91.##.143.99:52869
- 15#.##0.154.137:80
- 35.##.122.76:37215
- 88.###.52.187:81
- 41.###.221.209:80
- 92.###.121.45:81
- 43.###.121.161:8080
- 17#.###.245.236:37215
- 13#.##5.21.144:5555
- 42.###.5.115:7574
- 15#.###.246.173:8080
- 17#.###.34.225:37215
- 14#.###.239.239:52869
- 89.###.134.181:37215
- 3.###.218.84:81
- 21#.###.136.212:7574
- 17#.##.181.63:37215
- 21#.##8.30.53:8080
- 13#.###.173.224:5555
- 13#.###.208.224:52869
- 67.###.164.76:7574
- 49.###.113.92:7574
- 11#.##.100.171:7574
- 86.##.80.81:8080
- 22.###.24.23:8443
- 10#.##6.53.92:80
- 59.##.119.163:52869
- 19#.##.154.117:8443
- <LOCAL_GATE>08:49152
- 2.##.54.41:7574
- 78.###.226.60:7574
- 29.###.34.146:80
- 22#.###.163.25:52869
- 45.###.239.105:80
- 21#.##.243.60:8080
- 20#.##.135.204:5555
- 51.###.97.25:8080
- 14#.##.227.197:80
- 76.##.58.93:80
- 19#.##8.212.36:5555
- 10#.###.76.135:49152
- 31.###.65.151:80
- 84.##.242.254:8080
- 18#.##.253.202:80
- 11#.##.160.51:80
- 16.##.183.69:37215
- 15#.###.179.103:8080
- 74.###.121.231:52869
- 12#.##9.47.42:49152
- 2.###.59.183:52869
- 84.##.56.52:81
- 17#.#.252.159:8080
- 51.###.41.86:8443
- 85.###.251.136:49152
- 15#.###.212.174:52869
- 14#.##6.18.66:37215
- 29.##.245.90:80
- 11#.###.67.122:49152
- 13#.###.130.82:37215
- 66.###.89.13:5555
- 60.###.179.23:49152
- 19#.##6.92.126:80
- 13#.##.12.162:8443
- 71.#.29.49:8080
- 15#.##2.139.45:7574
- 21#.##0.211.169:80
- 16#.##.8.87:8080
- 15.##.30.105:8443
- 40.###.206.110:80
- 86.###.51.85:49152
- 18.###.239.20:80
- 10#.##0.103.28:8443
- 40.###.196.164:8080
- 20#.##3.245.62:8443
- 14#.##9.14.22:80
- 17#.##3.75.212:8080
- 13.##.205.100:49152
- 20#.##.87.79:37215
- 16.###.97.74:7574
- <LOCAL_GATE>59:8080
- 10#.##4.111.74:8080
- 66.##.203.171:8080
- 47.###.133.133:8443
- 14#.###.154.163:49152
- 13#.##.251.120:80
- 4.###.55.10:81
- 14#.##9.175.83:80
- 59.##9.143.8:80
- 31.##3.96.91:81
- 16#.##.52.112:52869
- 65.##.24.194:8080
- 73.###.204.84:8443
- 11#.##5.86.32:7574
- 11#.##8.121.76:80
- 17#.###.197.13:37215
- 89.###.163.17:8443
- 11#.##.59.236:5555
- 12#.##8.245.22:7574
- 19#.##8.212.208:80
- 18#.##.193.149:7574
- 16#.###.242.183:37215
- 13#.#5.4.185:80
- 15#.##.243.121:37215
- 13#.##.111.23:37215
- 19#.##.246.162:49152
- 11#.##1.152.104:81
- 13#.##.249.77:8080
- 46.###.243.64:5555
- 26.##2.79.19:81
- 79.##.201.201:5555
- 53.##.221.53:8080
- 11.###.37.73:5555
- 35.###.241.153:80
- 28.###.112.21:37215
- 36.###.88.126:80
- 99.##.220.228:37215
- 19#.##8.240.243:80
- 17#.##2.53.0:52869
- 17#.##.232.179:49152
- 86.##.184.64:8080
- 71.##.12.60:80
- 15#.##.54.175:80
- 20#.##3.231.145:80
- 26.##.58.119:8080
- 19#.###.48.150:49152
- 1.##.93.118:80
- 21#.###.44.165:52869
- 17#.##8.189.73:8080
- 12#.##0.160.177:81
- 12#.##8.23.60:80
- 19#.##0.212.156:80
- 26.###.168.102:80
- 12#.###.244.208:5555
- 81.###.175.53:50023
- 14#.##.189.53:23
- 39.##.189.53:23
- 19#.##9.26.164:23
- 19#.##8.175.53:23
- 18#.##9.53.160:23
- 90.##.248.24:23
- 41.##.155.183:23
- 17#.##6.200.188:23
- 16#.##1.186.100:23
- 16#.##5.71.225:23
DNS ASK:
- dh#.###nsmissionbt.com
- ro####.bittorrent.com
- ro####.utorrent.com
- bt#####er.debian.org
Sends data to the following servers:
- 21#.##9.33.59:6881
- 87.##.162.88:6881
- 67.###.246.10:6881
- 82.###.103.244:6881
- 13#.##9.18.159:6881
- 17#.##.158.174:62348
- 94.###.47.229:61689
- 18#.##.195.183:28150
- 21#.##6.79.205:7135
- 89.##.227.199:6881
- 87.###.42.62:6881
- 19#.##.183.78:51413
- 92.##.236.61:6881
- 21#.##6.79.27:51471
- 37.###.80.168:50568
- 94.##.173.15:37597
- 78.##.4.237:61731
- 70.##.33.120:27365
- 37.###.23.98:11335
- 15#.#.116.137:54310
- 12#.##1.74.23:8886
- 16#.##2.94.121:6881
- 21#.###.19.188:41711
- 21#.###.19.188:33798
- 19#.##4.179.2:53803
- 19#.###.181.225:51137
- 19#.###.172.169:23080
- 19#.##4.179.2:53661
- 93.###.141.166:29585
- 19#.###.172.169:43610
- 19#.###.181.225:46039
- 21#.###.19.188:36808
- 14#.###.159.201:24874
- 17#.##9.4.73:20255
- 96.###.212.234:14496
- 18#.##.195.199:28042
- 18#.##.216.198:60217
- 17#.##.216.167:55555
- 13#.###.39.108:51413
- 93.###.238.33:51413
- 80.##.140.129:6881
- 19#.###.20.212:60613
- 11#.###.28.242:15697
- 21#.###.203.248:6881
- 78.##.24.50:43611
- 94.##.35.176:6881
- 86.##.70.42:64025
- 5.##.#20.143:6882
- 11#.##8.229.3:19917
- 5.###.84.19:6881
- 90.###.149.187:6881
- 1.##.#01.46:25618
- 71.#.#37.51:12747
- 11#.##.107.228:55555
- 11#.##.11.52:8083
- 72.##.225.197:8999
- 21#.##.89.51:18134
- 19#.##4.157.97:8629
- 11#.##.238.12:8081
- 2.##.#41.109:6881
- 17#.##7.72.48:6881
- 19#.###.181.225:44453
- 5.###.183.129:46937
- 19#.###.172.169:47982
- 21#.###.19.188:51386
- 19#.##4.179.2:50856
- 95.###.217.163:54778
- 11#.##3.3.50:8000
