Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.4075

Added to the Dr.Web virus database: 2021-07-30

Virus description added:

Technical Information

Malicious functions:
Launches processes:
  • chmod +x /bin/chattr
  • chmod +x /usr/bin/chattr
  • chattr -iae /tmp/iptableupdate.sh
  • /bin/sh -c chmod +x /tmp/iptableupdate.sh > /dev/null 2>&1
  • chmod +x /tmp/iptableupdate.sh
  • chmod 777 /tmp/iptableupdate.sh
  • /bin/sh -c nohup /tmp/iptableupdate.sh > /dev/null 2>&1 &
  • chattr -iae /etc/iptablesupdate
  • nohup /tmp/iptableupdate.sh
  • /tmp/iptableupdate.sh
  • /bin/sh /tmp/iptableupdate.sh
  • chattr -iae /tmp/iptablesupdate
  • ps -ef
  • grep -w iptableupdate.sh
  • grep -v grep
  • wc -l
  • /bin/sh -c \cp <SAMPLE_FULL_PATH> /etc/iptablesupdate > /dev/null 2>&1
  • cp <SAMPLE_FULL_PATH> /etc/iptablesupdate
  • /bin/sh -c \cp <SAMPLE_FULL_PATH> /tmp/iptablesupdate > /dev/null 2>&1
  • cp <SAMPLE_FULL_PATH> /tmp/iptablesupdate
  • grep iptablesupdate
  • chattr +ia /tmp/iptableupdate.sh
  • chattr +ia /etc/iptablesupdate
  • chattr +ia /tmp/iptablesupdate
  • chattr -iae /bin/dockerlogger
  • chattr -iae /usr/bin/dockerlogger
  • chmod +x /bin/dockerlogger
  • chattr -ia /tmp/iptablesupdate
  • chmod +x /usr/bin/dockerlogger
  • /bin/sh -c \cp <SAMPLE_FULL_PATH> /etc/iptablesupdate
  • chmod +x /tmp/iptablesupdate
  • sleep 5
  • /tmp/iptablesupdate
  • /bin/sh -c \cp <SAMPLE_FULL_PATH> /usr/bin/dockerlogger
  • cp <SAMPLE_FULL_PATH> /usr/bin/dockerlogger
Performs operations with the file system:
Modifies file access rights:
  • /usr/bin/chattr
  • /tmp/iptableupdate.sh
  • /tmp/iptablesupdate
Creates folders:
  • /tmp/.abchello
  • /root/data-dir-231730289
Creates or modifies files:
  • /tmp/iptableupdate.sh
  • /etc/iptablesupdate
  • /tmp/iptablesupdate
  • /usr/bin/dockerlogger
  • /root/data-dir-231730289/torrc-119283996
  • /root/data-dir-231730289/control-port-372753867
Deletes files:
  • /tmp/iptableupdate.sh
  • /root/data-dir-231730289
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 18#.##9.111.133:9
  • 18#.##9.108.133:9
  • 18#.##9.109.133:9
  • 18#.##9.110.133:9
  • 18#.##9.111.133:443
HTTP POST requests:
  • 10#.###.#03.16:26800/api/postip
DNS ASK:
  • xv###hded.tk
  • xv###hded.com
  • xv####ded.pages.dev
  • ra#.####ubusercontent.com
Sends data to the following servers:
  • 18#.##9.111.133:443
Receives data from the following servers:
  • 18#.##9.111.133:443
Other:
Collects CPU information
Collects RAM information
Collects information about network activity

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number