Linux.Mirai.857

Added to the Dr.Web virus database: 2017-10-23

Virus description added:

Technical Information

Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
  • puo24wfi3nwhptfsauf86kv1jm2j
Launches processes:
  • sh -c rm -r /var/log
  • rm -r /var/log
Performs operations with the file system:
Deletes files:
  • /btmp
  • /term.log
  • /history.log
  • /kern.log
  • /fontconfig.log
  • /dmesg
  • /alternatives.log
  • /dpkg.log
  • /faillog
  • /checkfs
  • /checkroot
  • /daemon.log
  • /wtmp
  • /syslog
  • /messages
  • /debug
  • /lastlog
  • /hardware-summary
  • /partman
  • /lsb-release
  • /status
  • /questions.dat
  • /templates.dat
  • /auth.log
  • /mainlog
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:48099
  • 0.0.0.0:23
Establishes connection:
  • 8.#.8.8:53
  • <LOCAL_DNS_SERVER>
  • 10#.##5.77.113:8081
  • 10#.###.77.113:10000
  • 10#.##5.77.113:8080
  • 10#.##5.77.113:88
  • 10#.##5.77.113:8090
  • 10#.##5.77.113:1080
  • 10#.##5.77.113:81
  • 10#.##5.77.113:3000
  • 10#.##5.77.113:8001
  • 10#.##5.77.113:84
  • 10#.##5.77.113:80
  • 10#.##5.77.113:8060
  • 10#.##5.77.113:3749
  • 36.##.177.3:81
  • 36.##.177.3:8080
  • 36.##.177.3:8081
  • 36.##.177.3:88
  • 36.##.177.3:8001
  • 36.##.177.3:82
  • 36.##.177.3:10000
  • 36.##.177.3:8443
  • 36.##.177.3:8880
  • 36.##.177.3:84
  • 36.##.177.3:8060
  • 36.##.177.3:8090
  • 36.##.177.3:3000
  • 10#.##5.77.113:8443
  • 10#.##5.77.113:8880
  • 36.##.177.3:1080
  • 36.##.177.3:83
  • 10#.##5.77.113:83
  • 36.##.177.3:3749
  • 10#.##.233.78:8001
  • 10#.##.233.78:80
  • 85.###.43.75:10000
HTTP GET requests:
  • 27.###.###.#########.#hp?mac=52-54-00-12-34-56&type=all&port=80&ver=1.07&act=finish
  • 85.###.43.75:8880/
  • 85.###.43.75:10000/
  • 85.###.##.###8880/system.ini?loginuse&loginpas
  • 85.###.##.###10000/system.ini?loginuse&loginpas
  • 85.###.##.##############e_handle.php?cmd=writeuploaddir&uploaddir=%27;echo+nuuo+123456;%27
  • 85.###.##.##############de_handle.php?cmd=writeuploaddir&uploaddir=%27;echo+nuuo+123456;%27
  • 36.##.177.3/
  • 85.###.##.####880/board.cgi?cmd=cat%20/etc/passwd
  • 85.###.##.####0000/board.cgi?cmd=cat%20/etc/passwd
  • 85.###.##.#############.######xt_file=netgear.cfg&todo=syscmd&curpath=/&currentsetting.htm=1&cmd=echo+dgn+123456
  • 10#.##.233.78:8001/
  • 85.###.##.##############.#####ext_file=netgear.cfg&todo=syscmd&curpath=/&currentsetting.htm=1&cmd=echo+dgn+123456
  • 85.###.##.###########-bin/user/Config.cgi?.cab&action=get&category=Account.*
  • 85.###.##.###########i-bin/user/Config.cgi?.cab&action=get&category=Account.*
  • 85.###.##.######0/shell?echo+jaws+123456;cat+/proc/cpuinfo
  • 85.###.##.######00/shell?echo+jaws+123456;cat+/proc/cpuinfo
  • 10#.##.233.78:8080/
  • 10#.##.###.##:8080/system.ini?loginuse&loginpas
  • 10#.##.###.#############de_handle.php?cmd=writeuploaddir&uploaddir=%27;echo+nuuo+123456;%27
  • 36.##.###.##system.ini?loginuse&loginpas
  • 10#.##.###.###8080/board.cgi?cmd=cat%20/etc/passwd
HTTP POST requests:
  • 85.###.##.75:8880/command.php
  • 85.###.##.75:10000/command.php
  • 85.###.##.75:8880/hedwig.cgi
  • 85.###.##.75:10000/hedwig.cgi
  • 85.###.#3.75:8880/apply.cgi
  • 85.###.##.75:10000/apply.cgi
  • 10#.##.##3.78:8001/command.php
  • 36.##.#77.3/command.php
  • 10#.##.##3.78:8080/command.php
DNS ASK:
  • we####qweiur.com
  • e.##852.com
Sends data to the following servers:
  • 21#.##5.58.226:80
  • 21#.##5.58.226:81
  • 21#.##5.58.226:8080
  • 21#.##5.58.226:8081
  • 21#.##5.58.226:88
  • 21#.##5.58.226:8001
  • 21#.##5.58.226:1080
  • 21#.##5.58.226:82
  • 21#.###.58.226:10000
  • 21#.##5.58.226:8443
  • 21#.##5.58.226:8880
  • 21#.##5.58.226:83
  • 21#.##5.58.226:84
  • 21#.##5.58.226:8060
  • 21#.##5.58.226:8090
  • 21#.##5.58.226:3000
  • 21#.##5.58.226:3749
  • 85.##9.43.75:80
  • 85.##9.43.75:81
  • 85.###.43.75:8080
  • 85.###.43.75:8081
  • 85.##9.43.75:88
  • 85.###.43.75:8001
  • 85.###.43.75:1080
  • 85.##9.43.75:82
  • 85.###.43.75:8443
  • 85.##9.43.75:83
  • 85.##9.43.75:84
  • 85.###.43.75:8060
  • 85.###.43.75:8090
  • 85.###.43.75:3000
  • 85.###.43.75:3749
  • 21#.##5.228.42:80
  • 21#.##5.228.42:81
  • 21#.##5.228.42:8080
  • 21#.##5.228.42:8081
  • 21#.##5.228.42:88
  • 21#.##5.228.42:8001
  • 21#.##5.228.42:1080
  • 21#.##5.228.42:82
  • 21#.###.228.42:10000
  • 21#.##5.228.42:8443
  • 21#.##5.228.42:8880
  • 21#.##5.228.42:83
  • 21#.##5.228.42:84
  • 21#.##5.228.42:8060
  • 21#.##5.228.42:8090
  • 21#.##5.228.42:3000
  • 21#.##5.228.42:3749
  • 21#.##6.0.186:80
  • 21#.##6.0.186:81
  • 21#.##6.0.186:8080
  • 21#.##6.0.186:8081
  • 21#.##6.0.186:88
  • 21#.##6.0.186:8001
  • 21#.##6.0.186:1080
  • 21#.##6.0.186:82
  • 21#.##6.0.186:10000
  • 21#.##6.0.186:8443
  • 21#.##6.0.186:8880
  • 21#.##6.0.186:83
  • 21#.##6.0.186:84
  • 21#.##6.0.186:8060
  • 21#.##6.0.186:8090
  • 21#.##6.0.186:3000
  • 21#.##6.0.186:3749
  • 10#.##.233.78:80
  • 10#.##.233.78:81
  • 10#.##.233.78:8081
  • 10#.##.233.78:88
  • 10#.##.233.78:1080
  • 10#.##.233.78:82
  • 10#.##.233.78:10000
  • 10#.##.233.78:8443
  • 10#.##.233.78:8880
  • 10#.##.233.78:83
  • 10#.##.233.78:84
  • 10#.##.233.78:8060
  • 10#.##.233.78:8090
  • 10#.##.233.78:3000
  • 10#.##.233.78:3749
  • 10#.##5.77.113:80
  • 10#.##5.77.113:81
  • 10#.##5.77.113:8080
  • 10#.##5.77.113:8081
  • 10#.##5.77.113:88
  • 10#.##5.77.113:8001
  • 10#.##5.77.113:1080
  • 10#.##5.77.113:82
  • 10#.###.77.113:10000
  • 10#.##5.77.113:8443
  • 10#.##5.77.113:8880
  • 10#.##5.77.113:83
  • 10#.##5.77.113:84
  • 10#.##5.77.113:8060
  • 10#.##5.77.113:8090
  • 10#.##5.77.113:3000
  • 10#.##5.77.113:3749
  • 11#.##.254.40:80
  • 11#.##.254.40:81
  • 11#.##.254.40:8080
  • 11#.##.254.40:8081
  • 11#.##.254.40:88
  • 11#.##.254.40:8001
  • 11#.##.254.40:1080
  • 11#.##.254.40:82
  • 11#.##.254.40:10000
  • 11#.##.254.40:8443
  • 11#.##.254.40:8880
  • 11#.##.254.40:83
  • 11#.##.254.40:84
  • 11#.##.254.40:8060
  • 11#.##.254.40:8090
  • 11#.##.254.40:3000
  • 11#.##.254.40:3749
  • 20#.##2.171.137:80
  • 20#.##2.171.137:81
  • 20#.###.171.137:8080
  • 20#.###.171.137:8081
  • 20#.##2.171.137:88
  • 20#.###.171.137:8001
  • 20#.###.171.137:1080
  • 20#.##2.171.137:82
  • 20#.###.171.137:10000
  • 20#.###.171.137:8443
  • 20#.###.171.137:8880
  • 20#.##2.171.137:83
  • 20#.##2.171.137:84
  • 20#.###.171.137:8060
  • 20#.###.171.137:8090
  • 20#.###.171.137:3000
  • 20#.###.171.137:3749
  • 36.##.177.3:81
  • 36.##.177.3:8080
  • 36.##.177.3:8081
  • 36.##.177.3:88
  • 36.##.177.3:8001
  • 36.##.177.3:1080
  • 36.##.177.3:82
  • 36.##.177.3:10000
  • 36.##.177.3:8443
  • 36.##.177.3:8880
  • 36.##.177.3:83
  • 36.##.177.3:84
  • 36.##.177.3:8060
  • 36.##.177.3:8090
  • 36.##.177.3:3000
  • 36.##.177.3:3749
  • 10#.##.233.78:8001
  • 36.##.177.3:80
  • 10#.##.233.78:8080

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.