Linux.Siggen.3422

Added to the Dr.Web virus database: 2020-11-22

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Disguises its process name as:
  • sshd
Modifies firewall settings:
  • iptables -I INPUT -p tcp --destination-port 51231 -j ACCEPT
  • iptables -I OUTPUT -p tcp --source-port 51231 -j ACCEPT
  • iptables -I PREROUTING -t nat -p tcp --destination-port 51231 -j ACCEPT
Launches processes:
  • sh -c killall -9 telnetd utelnetd scfgmgr
  • sh -c iptables -I INPUT -p tcp --destination-port 51231 -j ACCEPT
  • sh -c iptables -I OUTPUT -p tcp --source-port 51231 -j ACCEPT
  • sh -c iptables -I PREROUTING -t nat -p tcp --destination-port 51231 -j ACCEPT
Attempts to kill the following processes:
  • killall -9 telnetd utelnetd scfgmgr
Performs operations with the file system:
Creates or modifies files:
  • /root/.ips
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:14737
  • 0.0.0.0:33445
  • 0.0.0.0:51231
Establishes connection:
HTTP POST requests:
  • 127.0.0.1:80/GponForm/diag_Form?images/
Sends data to the following servers:
Receives data from the following servers:
  • 35.###.116.201:80

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.