Linux.Siggen.4064

Technical Information

Malicious functions:

Modifies firewall settings:

iptables -P INPUT DROP
iptables -t filter -N LOG_N_ACCEPT
iptables -t filter -A LOG_N_ACCEPT -j LOG --log-level warning --log-prefix ACTION=INPUT-ACCEPT
iptables -t filter -A LOG_N_ACCEPT -j ACCEPT
iptables -A INPUT -i eno1 -j LOG_N_ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATE
iptables -A INPUT -p tcp -m tcp --dport 22 -j LOG_N_ACCEPT
iptables -A INPUT -p tcp -m tcp --dport http -j LOG_N_ACCEPT
iptables -A INPUT -p tcp -m tcp --dport https -j LOG_N_ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -j LOG
iptables -A INPUT -s 192.168.10.0/24 -j LOG
iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4
iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix ** SUSPECT **
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FI
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SY
iptables -t mangle -A PREROUTING -p tcp --tcp-flags AC
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FI
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SY
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
iptables -t mangle -A PREROUTING -p icmp -j DROP
iptables -t mangle -A PREROUTING -f -j DROP
iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j LOG_N_ACCEPT
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j LOG_N_ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -N port-scanning
iptables -A port-scanning -p tcp --tcp-flags SY
iptables -A port-scanning -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG_N_ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j LOG_N_ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j LOG_N_ACCEPT
iptables -I OUTPUT -m state -p tcp --state NEW ! -s 127.0.0.1 ! -d 127.0.0.1 -j LOG --log-prefix ACTION=OUTPUT-TCP
iptables -I OUTPUT -m state -p udp -s 127.0.0.1 ! -d 127.0.0.1 -j LOG --log-prefix ACTION=OUTPUT-UDP

Launches processes:

/bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
<SAMPLE_FULL_PATH>
/bin/bash <SAMPLE_FULL_PATH> -c
apt install dnsutils
/usr/bin/dpkg --print-foreign-architectures
/usr/lib/apt/methods/http
apt-get install net-tools
apt-get install tcpdump
apt-get install dsniff -y

Kills the following processes:

/usr/lib/apt/methods/http

Performs operations with the file system:

Modifies file access rights:

/var/cache/apt/pkgcache.bin.qm3h0o

Creates or modifies files:

/var/lib/dpkg/lock
/var/cache/apt/pkgcache.bin.qm3h0o
/var/cache/apt/archives/lock

Deletes files:

/var/cache/apt/pkgcache.bin

Network activity:

Establishes connection:

<LOCAL_DNS_SERVER>

DNS ASK:

ft#.##.debian.org

Other:

Collects RAM information

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations