Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
- /etc/rc.local
Malicious functions:
Gains root privileges
Launches itself as a daemon
Manages services:
- systemctl start opendkim
- systemctl enable opendkim
- systemctl restart postfix
- systemctl start named
- systemctl enable named
- systemctl restart mysqld
- service mysqld restart
- systemctl restart mysqld.service
- systemctl enable mysqld
- systemctl restart httpd
- systemctl enable httpd
- systemctl stop sendmail
- systemctl disable sendmail
- systemctl restart dovecot
- systemctl enable dovecot
- systemctl enable postfix
- systemctl restart saslauthd
- systemctl enable saslauthd
- systemctl start pmta
- systemctl start pmtahttp
- systemctl enable pmta
- systemctl enable pmtahttp
- systemctl disable squid
- systemctl restart crond
- systemctl stop iptables
- systemctl stop ip6tables
- systemctl disable iptables
- systemctl disable ip6tables
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- rm -rf /root/install.sh
- mkdir -p /root/mailamigos-scripts/backup-local/.Originais
- ip a
- grep inet
- cut -f1 -d/
- awk {print $2}
- grep -v ^127.[0-9]
- grep -v ^192.168.[0-9]
- grep -v ^10.[0-9]
- grep -v ^172.16.[0-9]
- cat /root/mailamigos-scripts/ips.info
- head -1 /root/mailamigos-scripts/ips.info
- wc -l
- rm -rf /etc/localtime
- ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
- date
- md5sum
- cut -c -12
- base64
- useradd
- chpasswd
- mkdir /home//websites
- chmod 755 /home// -R
- chown : /home// -R
- useradd return -s /sbin/nologin
- nscd -i passwd
- nscd -i group
- useradd fbl
- useradd abuse
- useradd reply
- useradd postmaster
- mv /etc/named.conf /etc/named.conf-bkp
- date +%Y%m%d%H%M%S
- cut -f1-3 -d.
- sort /tmp/ips.info
- uniq
- sed -i s/^/ip4:/ /tmp/spfconfig.info
- sed -i s/$/.0\/24 / /tmp/spfconfig.info
- sed -i :a;$!N;s/\n//;ta; /tmp/spfconfig.info
- cat /tmp/spfconfig.info
- mv /etc/opendkim/keys/default.private /tmp/dkim-default
- cat /etc/opendkim/keys/default.txt
- mv .db /var/named/.db
- chown root:named /var/named/.db
- mv /etc/opendkim.conf /etc/opendkim.conf.orig
- cat
- sleep 0.5
- mv /etc/my.cnf /etc/my.cnf-bkp
- mv /mailamigos/repositories/*.sql /root/mailamigos-scripts/backup-local/.Originais/
- mv /etc/php.ini /etc/php.ini-bkp
- mv /mailamigos/repositories/ioncube_loader_lin_5.6.so /usr/lib64/php/modules/ioncube_loader_lin_5.6.so
- chmod 777 /usr/lib64/php/modules/ioncube_loader_lin_5.6.so
- mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-bkp
- rm -rf /var/www/html
- mkdir /var/www/avex
- unzip -q /mailamigos/repositories/interspire-2015.zip -d /var/www/avex
- mv /mailamigos/repositories/interspire-2015.zip /root/mailamigos-scripts/backup-local/.Originais/interspire-2015.zip
- cp -r /var/www/avex/newfast-import/includes/conexao/conecta.php /var/www/avex/importacao/conecta.php
- chmod 777 /var/www/avex/admin/com/storage/ -R
- chmod 777 /var/www/avex/admin/addons/ -R
- chmod 777 /var/www/avex/admin/temp/ -R
- chmod 777 /var/www/avex/newfast-import/ -R
- chmod 777 /var/www/avex/importacao/ -R
- chmod 777 /var/www/avex/admin/includes/config.php
- sed -i 177d /etc/squirrelmail/config.php
- sed -i 1
- mv /etc/httpd/conf.d/phpMyAdmin.conf /etc/httpd/conf.d/phpMyAdmin.conf-bkp
- chown apache:apache /var/www/ -R
- mv /etc/postfix/main.cf /etc/postfix/main.cf-bkp
- mv /etc/postfix/master.cf /etc/postfix/master.cf-bkp
- mv /etc/sysctl.conf /etc/sysctl.conf-bkp
- /usr/sbin/postalias /etc/aliases
- mkdir /etc/ssl/private
- openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/private/pmta..cert -keyout /etc/ssl/private/pmta..key -subj /C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=
- cat /etc/ssl/private/pmta..cert /etc/ssl/private/pmta..key
- yes
- cp -fr /mailamigos/patch/* /
- expr 1 * 5
- expr 1 *
- cat /tmp/ipspmtacfg.info
- mv /tmp/dkim-default /etc/pmta/-dkim.key
- chown pmta:pmta /etc/pmta/ -R
- mv /etc/squid/squid.conf /etc/squid/squid.conf-bkp
- cat /etc/squid/squid.conf-bkp
- sed -i s/http_access deny all/http_access allow all/ /etc/squid/squid.conf
- sed -i s/http_port 3128/http_port 54321/ /etc/squid/squid.conf
- mv /etc/ssh/sshd_config /etc/ssh/sshd_config-bkp
- cp /mailamigos/mailamigos-scripts/monitoring.sh /root/mailamigos-scripts/monitoring.sh
- cp /mailamigos/mailamigos-scripts/rbl-2015.info /root/mailamigos-scripts/rbl-2015.info
- cp /mailamigos/mailamigos-scripts/changeip.sh /root/mailamigos-scripts/changeip.sh
- chmod 755 /root/mailamigos-scripts/ -R
- cat /tmp/croncria
- crontab -
- mv /etc/rc.local /etc/rc.local-bkp
- mv /etc/rc.d/rc.local /etc/rc.d/rc.local-bkp
- rm -rf /root/mailamigosv5.zip
- rm -rf /mailamigos
- ln -s /etc/rc.local /etc/rc.d/rc.local
- chmod +x /etc/rc.local
- chmod +x /etc/rc.d/rc.local
- cat /var/named/.db
- cat /root/mailamigos-scripts/Readme.info
- mail -s MailAmigos.com Installation license@mailamigos.com
- /usr/sbin/sendmail send-mail -i -- license@mailamigos.com
- /usr/sbin/exim4 -Mc 1lOR9C-0000Fm-Eq
- /usr/sbin/exim4 #-E1lOR9C-0000Fm-Eq
- /usr/sbin/exim4 -Mc 1lOR9D-0000Fq-2U
Performs operations with the file system:
Modifies file access rights:
- /home
- /home/websites
- /home/user
- /home/user/.bashrc
- /home/user/.bash_logout
- /home/user/.profile
- /etc/passwd+
- /etc/shadow+
- /etc/group+
- /etc/gshadow+
- /etc/subuid+
- /etc/subgid+
- /etc/nshadow
- /tmp/seddgbvc7
- /tmp/sedWuahDe
- /tmp/sedEGmEsm
- /root/.rnd
- /root/mailamigos-scripts
- /root/mailamigos-scripts/backup-local
- /root/mailamigos-scripts/backup-local/.Originais
- /root/mailamigos-scripts/sendinguser.info
- /root/mailamigos-scripts/monitoringemail.info
- /root/mailamigos-scripts/domain.info
- /root/mailamigos-scripts/ipspeed.info
- /root/mailamigos-scripts/ips.info
- /root/mailamigos-scripts/sqlpass.info
- /root/mailamigos-scripts/licenseemail.info
- /root/mailamigos-scripts/sendinguserpass.info
- /root/mailamigos-scripts/reversedns.info
- /var/spool/cron/crontabs/tmp.YLc8gK
- /etc/rc.local
- /var/spool/exim4/input/1lOR9C-0000Fm-Eq-D
- /var/spool/exim4/input/hdr.978
- /var/spool/exim4/msglog/1lOR9C-0000Fm-Eq
- /var/spool/exim4/input/1lOR9D-0000Fq-2U-D
- /var/spool/exim4/input/hdr.982
- /var/spool/exim4/input/hdr.980
- /var/spool/exim4/msglog/1lOR9D-0000Fq-2U
- /var/spool/exim4/input/1lOR9D-0000Fq-2U-J
- /var/mail/user
Creates folders:
- /root/mailamigos-scripts
- /root/mailamigos-scripts/backup-local
- /root/mailamigos-scripts/backup-local/.Originais
- /home/websites
Creates symlinks:
- /etc/localtime
- /etc/passwd.lock
- /etc/group.lock
- /etc/gshadow.lock
- /etc/subuid.lock
- /etc/subgid.lock
- /etc/shadow.lock
- /var/mail/user.lock
Creates or modifies files:
- /root/mailamigos-scripts/ips.info
- /etc/resolv.conf
- /etc/sysconfig/clock
- /root/mailamigos-scripts/licenseemail.info
- /root/mailamigos-scripts/domain.info
- /proc/sys/kernel/hostname
- /root/mailamigos-scripts/reversedns.info
- /root/mailamigos-scripts/sqlpass.info
- /root/mailamigos-scripts/sendinguser.info
- /root/mailamigos-scripts/sendinguserpass.info
- /etc/.pwd.lock
- /etc/passwd.744
- /etc/group.744
- /etc/gshadow.744
- /etc/subuid.744
- /etc/subgid.744
- /etc/shadow.744
- /var/log/faillog
- /var/log/lastlog
- /etc/passwd-
- /etc/passwd+
- /etc/shadow-
- /etc/shadow+
- /etc/group-
- /etc/group+
- /etc/gshadow-
- /etc/gshadow+
- /etc/subuid-
- /etc/subuid+
- /etc/subgid-
- /etc/subgid+
- /etc/nshadow
- /etc/passwd.752
- /etc/group.752
- /etc/gshadow.752
- /etc/subuid.752
- /etc/subgid.752
- /etc/shadow.752
- /etc/passwd.760
- /etc/group.760
- /etc/gshadow.760
- /etc/subuid.760
- /etc/subgid.760
- /etc/shadow.760
- /etc/passwd.768
- /etc/group.768
- /etc/gshadow.768
- /etc/subuid.768
- /etc/subgid.768
- /etc/shadow.768
- /etc/passwd.776
- /etc/group.776
- /etc/gshadow.776
- /etc/subuid.776
- /etc/subgid.776
- /etc/shadow.776
- /root/mailamigos-scripts/monitoringemail.info
- /root/mailamigos-scripts/ipspeed.info
- /etc/named.conf
- /root/mailamigos-scripts/backup-local/.db
- /root/.db
- /tmp/ips.info
- /tmp/spfconfig.info
- /tmp/seddgbvc7
- /tmp/sedWuahDe
- /tmp/sedEGmEsm
- /var/named/chroot/etc/named.rfc1912.zones
- /etc/opendkim.conf
- /tmp/sh-thd-198425094
- /etc/opendkim/KeyTable
- /etc/opendkim/SigningTable
- /etc/opendkim/TrustedHosts
- /etc/my.cnf
- /etc/php.ini
- /etc/httpd/conf/httpd.conf
- /etc/httpd/conf.d/.conf
- /var/www/avex/admin/includes/config.php
- /var/www/avex/newfast-import/includes/conexao/conecta.php
- /mailamigos/mailamigos-scripts/maintenance.sh
- /var/www/index.html
- /etc/squirrelmail/config.php
- /etc/httpd/conf.d/phpMyAdmin.conf
- /etc/dovecot/dovecot.conf
- /etc/dovecot/conf.d/10-mail.conf
- /etc/dovecot/conf.d/20-pop3.conf
- /etc/dovecot/conf.d/10-master.conf
- /etc/dovecot/conf.d/10-auth.conf
- /etc/postfix/main.cf
- /etc/postfix/master.cf
- /etc/sysctl.conf
- /root/.rnd
- /etc/ssl/private/pmta..key
- /etc/ssl/private/pmta..pem
- /etc/security/limits.conf
- /tmp/ipspmtacfg.info
- /etc/pmta/config
- /tmp/arqpmtaconfig2.info
- /tmp/arqpmtaconfig3.info
- /etc/squid/squid.conf
- /etc/logrotate.d/squid
- /etc/ssh/sshd_config
- /tmp/croncria
- /var/spool/cron/crontabs/tmp.YLc8gK
- /etc/rc.local
- /root/.bashrc
- /root/mailamigos-scripts/Readme.info
- /tmp/mail.RsXXXXiK6SSc
- /tmp/mail.RsXXXXiK6SSc (deleted)
- /tmp/mail.RsXXXXdVd662
- /tmp/mail.RsXXXXdVd662 (deleted)
- /var/spool/exim4/input//1lOR9C-0000Fm-Eq-D
- /var/spool/exim4/input/1lOR9C-0000Fm-Eq-D
- /var/spool/exim4/input//hdr.978
- /var/spool/exim4/input/hdr.978
- /var/spool/exim4/msglog//1lOR9C-0000Fm-Eq
- /var/spool/exim4/msglog/1lOR9C-0000Fm-Eq
- /var/log/exim4/mainlog
- /var/spool/exim4/db/retry.lockfile
- /var/spool/exim4/input//1lOR9D-0000Fq-2U-D
- /var/spool/exim4/input/1lOR9D-0000Fq-2U-D
- /var/spool/exim4/input//hdr.982
- /var/spool/exim4/input/hdr.982
- /var/spool/exim4/msglog//1lOR9D-0000Fq-2U
- /var/spool/exim4/msglog/1lOR9D-0000Fq-2U
- /var/spool/exim4/input//hdr.980
- /var/spool/exim4/input/hdr.980
- /var/spool/exim4/input//1lOR9D-0000Fq-2U-J
- /var/mail/user.lock..6058fdb7.000003da
- /var/mail/user
- /var/spool/exim4/input/1lOR9D-0000Fq-2U-J
Deletes files:
- /root/install.sh
- /etc/localtime
- /etc/passwd.744
- /etc/group.744
- /etc/gshadow.744
- /etc/subuid.744
- /etc/subgid.744
- /etc/shadow.744
- /etc/shadow.lock
- /etc/passwd.lock
- /etc/group.lock
- /etc/gshadow.lock
- /etc/subuid.lock
- /etc/subgid.lock
- /etc/passwd.752
- /etc/group.752
- /etc/gshadow.752
- /etc/subuid.752
- /etc/subgid.752
- /etc/shadow.752
- /etc/passwd.760
- /etc/group.760
- /etc/gshadow.760
- /etc/subuid.760
- /etc/subgid.760
- /etc/shadow.760
- /etc/passwd.768
- /etc/group.768
- /etc/gshadow.768
- /etc/subuid.768
- /etc/subgid.768
- /etc/shadow.768
- /etc/passwd.776
- /etc/group.776
- /etc/gshadow.776
- /etc/subuid.776
- /etc/subgid.776
- /etc/shadow.776
- /tmp/sh-thd-198425094
- /var/www/html
- /root/mailamigosv5.zip
- /mailamigos
- /tmp/mail.RsXXXXiK6SSc
- /tmp/mail.RsXXXXdVd662
- /var/spool/exim4/msglog//1lOR9C-0000Fm-Eq
- /var/spool/exim4/input//1lOR9C-0000Fm-Eq-D
- /var/spool/exim4/input//1lOR9C-0000Fm-Eq-H
- /var/spool/exim4/input//1lOR9C-0000Fm-Eq-J
- /var/mail/user.lock..6058fdb7.000003da
- /var/mail/user.lock
- /var/spool/exim4/msglog//1lOR9D-0000Fq-2U
- /var/spool/exim4/input//1lOR9D-0000Fq-2U-D
- /var/spool/exim4/input//1lOR9D-0000Fq-2U-H
- /var/spool/exim4/input//1lOR9D-0000Fq-2U-J
Other:
Collects CPU information
Collects RAM information
