Linux.Packed.583

Added to the Dr.Web virus database: 2019-09-04

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Launches processes:
  • cat /proc/version
  • cat /proc/cpuinfo
  • uname -a
  • getconf LONG_BIT
  • <SAMPLE_FULL_PATH> [stealth]
  • /usr/bin/crontab /tmp/nip9iNeiph5chee
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.Bavtbt
Creates or modifies files:
  • /root/.pid
  • /tmp/nip9iNeiph5chee
  • /var/spool/cron/crontabs/tmp.Bavtbt
  • /tmp/[stealth].pid
Deletes files:
  • /tmp/nip9iNeiph5chee
Locks files:
  • /root/.pid
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
Attacks using a special dictionary (brute-force technique) via the SSH protocol
HTTP GET requests:
  • so######.#######0/bots/chkVersion?currVers=2.25&arch=linux
  • so######.#########bots/knock?worker=Universal&os=Linux&version=2.25
  • so######.#op:7000/project/active
  • so######.#op:7000/gw?worker=ssh_b
  • so######.top:7000/gw?worker=
DNS ASK:
  • so###rap.top
Sends data to the following servers:
Receives data from the following servers:
Other:
Collects OS information
Collects CPU information

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.