zoukankan      html  css  js  c++  java

  • Linux.Siggen.180

    from: https://vms.drweb.com/virus/?i=15455134&lng=en

    Linux.Siggen.180
    Added to Dr.Web virus database: 2017-07-05
    Virus description was added: 2017-07-05

    Technical Information

    To ensure autorun and distribution:

    Creates or modifies the following files:

    • /etc/init.d/acpidtd
    • /etc/rc.d/rc*.d/S01acpidtd

    Creates or modifies the following symlinks:

    • /etc/rc0.d/S01acpidtd
    • /etc/rc1.d/S01acpidtd
    • /etc/rc2.d/S01acpidtd
    • /etc/rc3.d/S01acpidtd
    • /etc/rc4.d/S01acpidtd
    • /etc/rc5.d/S01acpidtd
    • /etc/rc6.d/S01acpidtd

    Malicious functions:

    Launches itself as a daemon
    Replaces the following system files:

    • /bin/ss
    • /bin/netstat

    Launches processes:

    • sh -c /tmp/tmpnam_PGNdDO upgrade;sleep 1;rm -f /tmp/tmpnam_PGNdDO
    • /tmp/tmpnam_PGNdDO upgrade
    • /bin/sh ##which ss 1>/dev/null 2>&1
    • which ss
    • /bin/sh ##which ss
    • /bin/sh ##which netstat 1>/dev/null 2>&1
    • which netstat
    • /bin/sh ##chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /bin/ss /bin/scss /bin/netstat /bin/scnetstat 1>/dev/null 2>&1
    • chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /bin/ss /bin/scss /bin/netstat /bin/scnetstat
    • /bin/sh ##cp -f /tmp/tmpnam_PGNdDO /bin/ddus-uidge
    • cp -f /tmp/tmpnam_PGNdDO /bin/ddus-uidgen
    • cp -f /bin/ddus-uidgen /etc/init.d/acpidtd
    • /bin/sh ##chmod +x /bin/scss 1>/dev/null 2>&1;
    • chmod +x /bin/scss
    • ##cp -f /tmp/tmpnam_PGNdDO /bin/ss 1>/dev/null 2>&1;touch -r /bin/sh /bin/ss /bin/scss 1>/dev/null 2>&1;
    • ln -fs /etc/init.d/acpidtd /etc/rc0.d/S01acpidtd
    • cp -f /tmp/tmpnam_PGNdDO /bin/ss
    • ln -fs /etc/init.d/acpidtd /etc/rc1.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc2.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc3.d/S01acpidtd
    • touch -r /bin/sh /bin/ss /bin/scss
    • ln -fs /etc/init.d/acpidtd /etc/rc4.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc5.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc6.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc.d/rc1.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc.d/rc2.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc.d/rc3.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc.d/rc4.d/S01acpidtd
    • ln -fs /etc/init.d/acpidtd /etc/rc.d/rc5.d/S01acpidtd
    • /bin/sh ##chattr +i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /bin/ss /bin/scss /bin/netstat /bin/scnetstat 1>/dev/null 2>&1
    • ln -fs /etc/init.d/acpidtd /etc/rc.d/rc6.d/S01acpidtd
    • chattr +i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /bin/ss /bin/scss /bin/netstat /bin/scnetstat
    • touch -r /bin/sh /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd
    • /bin/sh ##chmod +x /bin/scnetstat 1>/dev/null 2>&1;
    • chmod +x /bin/scnetstat
    • ##cp -f /tmp/tmpnam_PGNdDO /bin/netstat 1>/dev/null 2>&1;touch -r /bin/sh /bin/netstat /bin/scnetstat 1>/dev/null 2>&1;
    • cp -f /tmp/tmpnam_PGNdDO /bin/netstat
    • touch -r /bin/sh /bin/netstat /bin/scnetstat
    • sleep 1
    • rm -f /tmp/tmpnam_PGNdDO

    Performs operations with the file system:

    Modifies file access rights:

    • /tmp/tmpnam_PGNdDO
    • /bin/scss
    • /bin/scnetstat

    Creates or modifies files:

    • /tmp/tmpnam_PGNdDO
    • /bin/ddus-uidgen
    • /bin/scss
    • /bin/scnetstat

    Deletes files:

    • /tmp/tmpnam_PGNdDO

    Network activity:

    Establishes connection:

    • 16#.##.30.212:3646
    • 11#.##.33.59:2382
    • 58.##.32.135:8534
    • 22#.##.116.233:8414
    • 22#.###.214.158:9803

    DNS ASK:

    • 12#.211
    • 22#.204
    • wi###o1n3.pw

    from: https://yq.aliyun.com/ask/57692

    wipefs是linux自带的程序,用来擦除文件系统数据,也就是下面那个人回答的。正常的wipefs,路径在/usr/bin/wipefs,如果你没有做设置,不会自启动,也不会大量占用cpu。你可以看一下是否是 /bin/wipefs 进程,如果是,应该是你的机器被黑了,这是别人在你机器上放了挖矿程序。

    此程序会:
    1.进行挖矿计算,大量占用cpu。
    2.复制自己到/bin/wipefs,创建服务/etc/init.d/wipefs,在 /etc/rc.d 和 /etc/rc.d/rc.d 中创建链接以实现开机启动。
    3.释放子程序到 /bin/ddus-uidgen,创建服务/etc/init.d/acpidtd,并在 /etc/rc.d 和 /etc/rc.d/rc.d 中创建链接以实现开机启动。
    4.修改/etc/resolv.conf, 可能是为其连接矿机服务的域名做服务。
    5.修改/etc/crontab, 为自己创建定时任务,每天12点与0点开始执行。(所以你会发现第二天又启动了)

    你需要做的:
    1.删除 /etc/crontab 中的定时任务。
    2.删除以下文件:

    /bin/wipefs
    /etc/init.d/wipefs
    /bin/ddus-uidgen
    /etc/init.d/acpidtd
    /etc/rc0.d/S01wipefs
    /etc/rc1.d/S01wipefs
    /etc/rc2.d/S01wipefs
    /etc/rc3.d/S01wipefs
    /etc/rc4.d/S01wipefs
    /etc/rc5.d/S01wipefs
    /etc/rc6.d/S01wipefs
    /etc/rc.d/rc0.d/S01wipefs
    /etc/rc.d/rc1.d/S01wipefs
    /etc/rc.d/rc2.d/S01wipefs
    /etc/rc.d/rc3.d/S01wipefs
    /etc/rc.d/rc4.d/S01wipefs
    /etc/rc.d/rc5.d/S01wipefs
    /etc/rc.d/rc6.d/S01wipefs
    /etc/rc0.d/acpidtd
    /etc/rc1.d/acpidtd
    /etc/rc2.d/acpidtd
    /etc/rc3.d/acpidtd
    /etc/rc4.d/acpidtd
    /etc/rc5.d/acpidtd
    /etc/rc6.d/acpidtd
    /etc/rc.d/rc0.d/acpidtd
    /etc/rc.d/rc1.d/acpidtd
    /etc/rc.d/rc2.d/acpidtd
    /etc/rc.d/rc3.d/acpidtd
    /etc/rc.d/rc4.d/acpidtd
    /etc/rc.d/rc5.d/acpidtd
    /etc/rc.d/rc6.d/acpidtd

    检查机器漏洞,ssh权限,防火墙等,避免机器再次被攻击。
  • 相关阅读:
    linux的openfire运行日志配置经历
    基于Html5的兼容所有主流浏览器的在线视频播放器videoJs
    Eclipse下使用Fat Jar插件对源代码进行打包
    ubuntu下的openfire安装、配置、运行
    linux系统时间同步更新
    PRD产品需求文档概要
    oracle实现自动记录存储过程、自定义函数执行错误
    Oracler读取各种格式的相关日期格式
    linux中shell变量$#,$@,$0,$1,$2的含义解释
    Linux的五个查找命令
  • 原文地址:https://www.cnblogs.com/mikeguan/p/8377822.html
Copyright © 2011-2022 走看看