JavaScript support is required for our site to be fully operational in your browser.
Linux.Siggen.7880
Added to the Dr.Web virus database:
2024-08-04
Virus description added:
2024-08-04
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
/var/spool/cron/crontabs/root
Malicious functions:
Gets access to SSH keys
/root/.ssh/id_rsa
/root/.ssh/id_rsa/.ssh/id_ed25519
/root/.ssh/id_rsa/.ssh/id_ed25519/.ssh/id_dsa
/home/user/.ssh/id_rsa
/home/user/.ssh/id_rsa/.ssh/id_ed25519
/home/user/.ssh/id_rsa/.ssh/id_ed25519/.ssh/id_dsa
Substitutes application name for:
Launches processes:
ufw allow 24816
iptables -I OUTPUT -p tcp --dport 24816 -j ACCEPT
iptables -I INPUT -p tcp --dport 24816 -j ACCEPT
(crontab -l; printf \x27@reboot <SAMPLE_FULL_PATH> \x220|0\x22 noa\x0a\x27) | crontab -
/usr/sbin/xtables-nft-multi iptables -I OUTPUT -p tcp --dport 24816 -j ACCEPT
firewall-cmd --permanent --add-port 24816/tcp
crontab -
crontab -l
/usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --dport 24816 -j ACCEPT
Kills the following processes:
Performs operations with the file system:
Modifies file access rights:
/var/spool/cron/crontabs/tmp.loZ7VT
Creates or modifies files:
/var/spool/cron/crontabs/tmp.loZ7VT
Changes time of creation/access/modification of files:
Network activity:
Awaits incoming connections on ports:
0.0.0.0:24816
0.0.0.0:41297
Establishes connection:
Attacks using a special dictionary (brute-force technique) via the SSH protocol
DNS ASK:
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK