Linux.Siggen.3810

Added to the Dr.Web virus database: 2021-03-23

Virus description added:

Technical Information

Malicious functions:
Manages services:
  • systemctl start opendkim
  • systemctl enable opendkim
  • systemctl restart postfix
  • systemctl start named
  • systemctl enable named
  • systemctl restart mysqld
  • service mysqld restart
  • systemctl restart mysqld.service
  • systemctl enable mysqld
  • systemctl restart httpd
  • systemctl enable httpd
  • systemctl stop sendmail
  • systemctl disable sendmail
  • systemctl restart dovecot
  • systemctl enable dovecot
  • systemctl enable postfix
  • systemctl restart saslauthd
  • systemctl enable saslauthd
  • systemctl start pmta
  • systemctl start pmtahttp
  • systemctl enable pmta
  • systemctl enable pmtahttp
  • systemctl disable squid
Launches processes:
  • /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/bash <SAMPLE_FULL_PATH> -c
  • rm -rf /root/install.sh
  • mkdir -p /root/mailamigos-scripts/backup-local/.Originais
  • ip a
  • grep inet
  • cut -f1 -d/
  • grep -v ^10.[0-9]
  • awk {print $2}
  • grep -v ^127.[0-9]
  • grep -v ^192.168.[0-9]
  • grep -v ^172.16.[0-9]
  • cat /root/mailamigos-scripts/ips.info
  • head -1 /root/mailamigos-scripts/ips.info
  • wc -l
  • rm -rf /etc/localtime
  • ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
  • cut -c -12
  • date
  • md5sum
  • base64
  • useradd
  • chpasswd
  • mkdir /home//websites
  • chmod 755 /home// -R
  • chown : /home// -R
  • useradd return -s /sbin/nologin
  • nscd -i passwd
  • nscd -i group
  • useradd admin
  • useradd fbl
  • useradd abuse
  • useradd reply
  • useradd postmaster
  • mv /etc/named.conf /etc/named.conf-bkp
  • date +%Y%m%d%H%M%S
  • cut -f1-3 -d.
  • sort /tmp/ips.info
  • uniq
  • sed -i s/^/ip4:/ /tmp/spfconfig.info
  • sed -i s/$/.0\/24 / /tmp/spfconfig.info
  • sed -i :a;$!N;s/\n//;ta; /tmp/spfconfig.info
  • cat /tmp/spfconfig.info
  • mv /etc/opendkim/keys/default.private /tmp/dkim-default
  • cat /etc/opendkim/keys/default.txt
  • mv .db /var/named/.db
  • chown root:named /var/named/.db
  • mv /etc/opendkim.conf /etc/opendkim.conf.orig
  • cat
  • sleep 0.5
  • mv /etc/my.cnf /etc/my.cnf-bkp
  • mv /mailamigos/repositories/*.sql /root/mailamigos-scripts/backup-local/.Originais/
  • mv /etc/php.ini /etc/php.ini-bkp
  • mv /mailamigos/repositories/ioncube_loader_lin_7.2.so /usr/lib64/php/modules/ioncube_loader_lin_7.2.so
  • chmod 777 /usr/lib64/php/modules/ioncube_loader_lin_7.2.so
  • mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-bkp
  • rm -rf /var/www/html
  • mkdir /var/www/mw
  • unzip -q /mailamigos/repositories/mailwizz.zip -d /var/www/mw
  • mv /mailamigos/repositories/mailwizz.zip /root/mailamigos-scripts/backup-local/.Originais/mailwizz.zip
  • rm -rf /var/www/mw/apps/common/config/main-custom.php
  • rm -rf /var/www/mw/install
  • chmod 777 /var/www/mw/apps/common/config
  • chmod 777 /var/www/mw/apps/common/runtime
  • chmod 777 /var/www/mw/backend/assets/cache
  • chmod 777 /var/www/mw/customer/assets/cache
  • chmod 777 /var/www/mw/frontend/assets/cache
  • chmod 777 /var/www/mw/frontend/assets/files
  • chmod 777 /var/www/mw/frontend/assets/gallery
  • chmod 777 /var/www/mw/apps/extensions
  • sed -i 177d /etc/squirrelmail/config.php
  • sed -i 1
  • mv /etc/httpd/conf.d/phpMyAdmin.conf /etc/httpd/conf.d/phpMyAdmin.conf-bkp
  • chown apache:apache /var/www/ -R
  • mv /etc/postfix/main.cf /etc/postfix/main.cf-bkp
  • mv /etc/postfix/master.cf /etc/postfix/master.cf-bkp
  • mv /etc/sysctl.conf /etc/sysctl.conf-bkp
  • /usr/sbin/postalias /etc/aliases
  • mkdir /etc/ssl/private
  • openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/private/pmta..cert -keyout /etc/ssl/private/pmta..key -subj /C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=
  • cat /etc/ssl/private/pmta..cert /etc/ssl/private/pmta..key
  • yes
  • cp -fr /mailamigos/patch/* /
  • expr 1 * 5
  • expr 1 *
  • cat /tmp/ipspmtacfg.info
  • mv /tmp/dkim-default /etc/pmta/-dkim.key
  • chown pmta:pmta /etc/pmta/ -R
  • mv /etc/squid/squid.conf /etc/squid/squid.conf-bkp
  • cat /etc/squid/squid.conf-bkp
  • sed -i s/http_access deny all/http_access allow all/ /etc/squid/squid.conf
  • sed -i s/http_port 3128/http_port 54321/ /etc/squid/squid.conf
Performs operations with the file system:
Modifies file access rights:
  • /home
  • /home/websites
  • /home/user
  • /home/user/.bashrc
  • /home/user/.bash_logout
  • /home/user/.profile
  • /etc/passwd+
  • /etc/shadow+
  • /etc/group+
  • /etc/gshadow+
  • /etc/subuid+
  • /etc/subgid+
  • /etc/nshadow
  • /tmp/sedmfMDpR
  • /tmp/sedPtO7RU
  • /tmp/sedrUHeyZ
  • /root/.rnd
Creates folders:
  • /root/mailamigos-scripts
  • /root/mailamigos-scripts/backup-local
  • /root/mailamigos-scripts/backup-local/.Originais
  • /home/websites
Creates symlinks:
  • /etc/localtime
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /etc/shadow.lock
Creates or modifies files:
  • /root/mailamigos-scripts/ips.info
  • /etc/resolv.conf
  • /etc/sysconfig/clock
  • /root/mailamigos-scripts/licenseemail.info
  • /root/mailamigos-scripts/domain.info
  • /proc/sys/kernel/hostname
  • /root/mailamigos-scripts/reversedns.info
  • /root/mailamigos-scripts/sqlpass.info
  • /root/mailamigos-scripts/firstname.info
  • /root/mailamigos-scripts/lastname.info
  • /root/mailamigos-scripts/adminemail.info
  • /root/mailamigos-scripts/sendinguser.info
  • /root/mailamigos-scripts/sendinguserpass.info
  • /etc/.pwd.lock
  • /etc/passwd.742
  • /etc/group.742
  • /etc/gshadow.742
  • /etc/subuid.742
  • /etc/subgid.742
  • /etc/shadow.742
  • /var/log/faillog
  • /var/log/lastlog
  • /etc/passwd-
  • /etc/passwd+
  • /etc/shadow-
  • /etc/shadow+
  • /etc/group-
  • /etc/group+
  • /etc/gshadow-
  • /etc/gshadow+
  • /etc/subuid-
  • /etc/subuid+
  • /etc/subgid-
  • /etc/subgid+
  • /etc/nshadow
  • /etc/passwd.750
  • /etc/group.750
  • /etc/gshadow.750
  • /etc/subuid.750
  • /etc/subgid.750
  • /etc/shadow.750
  • /etc/passwd.758
  • /etc/group.758
  • /etc/gshadow.758
  • /etc/subuid.758
  • /etc/subgid.758
  • /etc/shadow.758
  • /etc/passwd.766
  • /etc/group.766
  • /etc/gshadow.766
  • /etc/subuid.766
  • /etc/subgid.766
  • /etc/shadow.766
  • /etc/passwd.774
  • /etc/group.774
  • /etc/gshadow.774
  • /etc/subuid.774
  • /etc/subgid.774
  • /etc/shadow.774
  • /etc/passwd.782
  • /etc/group.782
  • /etc/gshadow.782
  • /etc/subuid.782
  • /etc/subgid.782
  • /etc/shadow.782
  • /root/mailamigos-scripts/monitoringemail.info
  • /root/mailamigos-scripts/ipspeed.info
  • /etc/named.conf
  • /root/mailamigos-scripts/backup-local/.db
  • /root/.db
  • /tmp/ips.info
  • /tmp/spfconfig.info
  • /tmp/sedmfMDpR
  • /tmp/sedPtO7RU
  • /tmp/sedrUHeyZ
  • /var/named/chroot/etc/named.rfc1912.zones
  • /etc/opendkim.conf
  • /tmp/sh-thd-198424731
  • /etc/opendkim/KeyTable
  • /etc/opendkim/SigningTable
  • /etc/opendkim/TrustedHosts
  • /etc/my.cnf
  • /etc/php.ini
  • /etc/httpd/conf/httpd.conf
  • /etc/httpd/conf.d/.conf
  • /var/www/mw/apps/common/config/main-custom.php
  • /var/www/index.html
  • /etc/squirrelmail/config.php
  • /etc/httpd/conf.d/phpMyAdmin.conf
  • /etc/dovecot/dovecot.conf
  • /etc/dovecot/conf.d/10-mail.conf
  • /etc/dovecot/conf.d/20-pop3.conf
  • /etc/dovecot/conf.d/10-master.conf
  • /etc/dovecot/conf.d/10-auth.conf
  • /etc/postfix/main.cf
  • /etc/postfix/master.cf
  • /etc/sysctl.conf
  • /root/.rnd
  • /etc/ssl/private/pmta..key
  • /etc/ssl/private/pmta..pem
  • /etc/security/limits.conf
  • /tmp/ipspmtacfg.info
  • /etc/pmta/config
  • /tmp/arqpmtaconfig2.info
  • /tmp/arqpmtaconfig3.info
  • /etc/squid/squid.conf
  • /etc/logrotate.d/squid
Deletes files:
  • /root/install.sh
  • /etc/localtime
  • /etc/passwd.742
  • /etc/group.742
  • /etc/gshadow.742
  • /etc/subuid.742
  • /etc/subgid.742
  • /etc/shadow.742
  • /etc/shadow.lock
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /etc/passwd.750
  • /etc/group.750
  • /etc/gshadow.750
  • /etc/subuid.750
  • /etc/subgid.750
  • /etc/shadow.750
  • /etc/passwd.758
  • /etc/group.758
  • /etc/gshadow.758
  • /etc/subuid.758
  • /etc/subgid.758
  • /etc/shadow.758
  • /etc/passwd.766
  • /etc/group.766
  • /etc/gshadow.766
  • /etc/subuid.766
  • /etc/subgid.766
  • /etc/shadow.766
  • /etc/passwd.774
  • /etc/group.774
  • /etc/gshadow.774
  • /etc/subuid.774
  • /etc/subgid.774
  • /etc/shadow.774
  • /etc/passwd.782
  • /etc/group.782
  • /etc/gshadow.782
  • /etc/subuid.782
  • /etc/subgid.782
  • /etc/shadow.782
  • /tmp/sh-thd-198424731
  • /var/www/html
  • /var/www/mw/apps/common/config/main-custom.php
  • /var/www/mw/install
Other:
  • Collects RAM information

Curing recommendations
Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.