Linux.Mirai.857
Added to the Dr.Web virus database:
2017-10-23
Virus description added:
2017-10-23
Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes the application name with:
puo24wfi3nwhptfsauf86kv1jm2j
Launches processes:
sh -c rm -r /var/log
rm -r /var/log
Performs operations with the file system:
Deletes files:
/btmp
/term.log
/history.log
/kern.log
/fontconfig.log
/dmesg
/alternatives.log
/dpkg.log
/faillog
/checkfs
/checkroot
/daemon.log
/wtmp
/syslog
/messages
/debug
/lastlog
/hardware-summary
/partman
/lsb-release
/status
/questions.dat
/templates.dat
/auth.log
/mainlog
Network activity:
Awaits incoming connections on ports:
127.0.0.1:48099
0.0.0.0:23
Establishes connection:
HTTP GET requests:
HTTP POST requests:
DNS queries:
we####qweiur.com
e.##852.com
Sends data to the following servers:
Curing recommendations
Linux