Article Title: Identify some Linux-based Trojan viruses
Although not many Trojans circulate on Linux, some do exist. I have collected the following information from several security sites.
1. Virus Name:
Linux.Slapper.Worm
Category: Worm
Virus data: Infected system: Linux
Unaffected systems: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, and Macintosh
Virus propagation:
Ports 80, 443, 2002
Target of infection: Apache web servers on Linux systems of various versions
Technical features:
The worm continuously tries to connect to port 80 and sends invalid "GET" requests to the server in order to identify Apache systems. Once Apache is found, it connects to port 443 and sends malicious code to the SSL service listening on the remote system.
The worm's shellcode runs only on Intel systems, and the target must have the shell /bin/sh for it to execute correctly. The worm first UU-encodes its own source code ".bugtraq.c" (the leading dot means only "ls -a" shows the file), sends it to the remote system, and decodes it there. It then compiles the file with gcc and runs the resulting binary ".bugtraq". Both files are stored in the /tmp directory.
When the worm runs, it takes IP addresses as its parameters. These are the addresses of machines used for the attacker's operations; the worm uses them to build a network of infected machines for launching DoS attacks. Each infected system listens on UDP port 2002 to receive the attacker's commands.
The worm uses a fixed IP address suffixed with the following numbers to attack Apache:
3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239
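The two host-side indicators in the Slapper description above (the hidden ".bugtraq" and ".bugtraq.c" files in /tmp, and a listener on UDP port 2002) can be checked without running any of the worm's code. The script below is an added example written for this page, not code from the original article or from any antivirus vendor; it parses a constructed `ls -a /tmp` listing and a constructed `/proc/net/udp` excerpt (the kernel's real format: little-endian hex IPv4 followed by big-endian hex port, so `00000000:07D2` is 0.0.0.0:2002) and reports whether either indicator is present.

```python
import re

# Indicators taken from the write-up above: the worm drops ".bugtraq.c" and the
# compiled ".bugtraq" into /tmp, and each infected host listens on UDP 2002.
SLAPPER_TMP_FILES = {".bugtraq", ".bugtraq.c"}
SLAPPER_UDP_PORT = 2002


def hidden_tmp_hits(tmp_entries):
    """Return the entries of a /tmp listing that match the worm's dropped files.

    tmp_entries is the list of names as shown by `ls -a /tmp` (the write-up
    notes the leading dot hides them from a plain `ls`).
    """
    return sorted(name for name in tmp_entries if name in SLAPPER_TMP_FILES)


def udp_listeners(proc_net_udp_text):
    """Parse /proc/net/udp text and return the set of bound local UDP ports.

    Each data line looks like "   1: 00000000:07D2 00000000:0000 07 ...";
    the first line of the file is a column header and is skipped.
    """
    ports = set()
    for line in proc_net_udp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2 or not re.fullmatch(r"[0-9A-Fa-f]{8}:[0-9A-Fa-f]{4}", fields[1]):
            continue
        _ip_hex, port_hex = fields[1].split(":")
        ports.add(int(port_hex, 16))
    return ports


def slapper_indicators(tmp_entries, proc_net_udp_text):
    """Combine both checks into one verdict dictionary."""
    files = hidden_tmp_hits(tmp_entries)
    ports = udp_listeners(proc_net_udp_text)
    bound = SLAPPER_UDP_PORT in ports
    return {
        "dropped_files": files,
        "udp_2002_bound": bound,
        "suspicious": bool(files) or bound,
    }


# Constructed sample data for this example (not captured from a real host).
SAMPLE_TMP = [".", "..", ".X11-unix", ".bugtraq", ".bugtraq.c", "hsperfdata_root"]
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10021 2 0000000000000000 0
   1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10455 2 0000000000000000 0
   2: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 10301 2 0000000000000000 0
"""

if __name__ == "__main__":
    # On a live system you would pass os.listdir("/tmp") and the contents of
    # /proc/net/udp instead of the constructed samples.
    print(slapper_indicators(SAMPLE_TMP, SAMPLE_PROC_NET_UDP))
```

Both indicators are cheap to check from a cron job or a configuration-management run; a UDP 2002 listener alone is not proof of infection, which is why the verdict keeps the two signals separate rather than collapsing them.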
2. Virus Name:
Trojan.Linux.Typot
Category: Trojan
Virus data: Destruction method:
This is a trojan for the Linux operating system. After it is run, it sends a TCP packet every few seconds, with random destination and source IP addresses. The packet has fixed characteristics, including its TCP window size (here it is 55808). At the same time, the trojan sniffs the network; if it sees a TCP packet whose window size is 55808, it creates a file in the current directory (file name: r). Every 24 hours the trojan checks whether the file "r" exists; if it does, it tries to connect to a fixed IP address (probably the trojan's client). If the connection succeeds, the trojan deletes the file /tmp/....../A and exits.
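The fixed TCP window size of 55808 is the one network characteristic of Typot the description gives, and it is something a sensor can look for in passing traffic. The following is an added example for this page, not code from the original article: it parses raw IPv4/TCP headers with `struct` and flags any packet advertising that window. The sample frames are constructed inline by a small builder (no checksums, since nothing here sends them), so the whole thing runs offline; on a live sensor you would feed it frames from a pcap instead.

```python
import struct
from ipaddress import IPv4Address

# Fixed characteristic from the description above: every probe packet the
# trojan emits carries TCP window size 55808 (0xDA00).
TYPOT_WINDOW = 55808


def parse_ipv4_tcp(frame):
    """Parse a raw IPv4 packet carrying TCP.

    Returns (src, dst, sport, dport, window), or None if the bytes are not a
    complete IPv4/TCP header pair (other protocols, truncation, non-IPv4).
    """
    if len(frame) < 20:
        return None
    ver_ihl = frame[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # IPv4 header length in bytes
    if frame[9] != 6 or len(frame) < ihl + 20:   # 6 = TCP
        return None
    src = str(IPv4Address(frame[12:16]))
    dst = str(IPv4Address(frame[16:20]))
    # TCP header: sport, dport, seq, ack, data-offset/flags, window, csum, urg
    sport, dport, _seq, _ack, _off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", frame[ihl:ihl + 20]
    )
    return src, dst, sport, dport, window


def typot_hits(frames):
    """Return (src, dst, sport, dport) for every TCP packet with window 55808."""
    hits = []
    for frame in frames:
        parsed = parse_ipv4_tcp(frame)
        if parsed and parsed[4] == TYPOT_WINDOW:
            hits.append(parsed[:4])
    return hits


def build_tcp_syn(src, dst, sport, dport, window):
    """Construct a minimal IPv4/TCP SYN (checksums left zero) for sample data."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )
    # data offset 5 words, SYN flag set
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed sample traffic (documentation-range addresses, not a capture).
SAMPLE_FRAMES = [
    build_tcp_syn("10.0.0.5", "203.0.113.9", 40000, 80, 65535),          # ordinary
    build_tcp_syn("10.0.0.5", "198.51.100.77", 4132, 22, TYPOT_WINDOW),  # Typot-style
    build_tcp_syn("192.0.2.1", "10.0.0.5", 443, 51234, 5840),            # ordinary
    build_tcp_syn("10.0.0.5", "192.0.2.250", 2000, 9100, TYPOT_WINDOW),  # Typot-style
]

if __name__ == "__main__":
    for hit in typot_hits(SAMPLE_FRAMES):
        print("window-55808 packet:", hit)
```

Because the trojan randomises both source and destination addresses, the useful output is the set of internal hosts that keep emitting such packets over time, not any single destination; a real deployment would aggregate hits by source address and alert on repeated senders.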
3. Virus Name:
Trojan.Linux.Typot.B
Category: Trojan
Virus data: Destruction method:
This is a trojan for the Linux operating system. After it is run, it sends a TCP packet every few seconds, with random destination and source IP addresses. The packet has fixed characteristics, including its TCP window size (here it is 55808). At the same time, the trojan sniffs the network; if it sees a TCP packet whose window size is 55808, it creates a file in the current directory (file name: r). Every 24 hours the trojan checks whether the file "r" exists; if it does, it tries to connect to a fixed IP address (probably the trojan's client). If the connection succeeds, the trojan deletes the file /tmp/....../A and exits.
4. Virus Name:
W32/Linux.Bi
Category: WL Virus
Virus data: W32/Linux.Bi is a cross-platform virus 1287 bytes in length. It infects Linux, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP, and infects executable files in the current directory according to the operating system type. When the virus is run, the following occurs:
A. Infects executable files between 4 KB and 4 MB in size in the current directory (on Windows, DLL files are not infected)
5. Virus Name:
Linux.Plupii.C
Category: Linux Virus
Virus data: Linux.Plupii.C is a Linux virus with a length of 40 to bytes. It infects Linux, Novell NetWare, and UNIX systems, and spreads through system vulnerabilities:
A. Opens a backdoor on UDP port 27015, allowing attackers to control the computer remotely
B. Generates an IP address and appends the following URLs to it:
/cvs/
/articles/mambo/
/cvs/mambo/
/blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/xmlrpc.php
C. Sends an HTTP request to the addresses above and tries to spread through the following vulnerabilities:
PHP XML-RPC remote injection vulnerability (see vulnerability list ID 14088, http://www.securityfocus.com/bid/14088)
AWStats log plug-in parameter input validation vulnerability (see vulnerability list ID 10950, http://www.securityfocus.com/bid/10950)
Darryl Remote Command Execution Vulnerability (see vulnerability list ID 13930, http://www.securityfocus.com/bid/13930)
D. When a vulnerable computer is found, the virus uses the vulnerability to download a script file from 198.170.105.69 to that computer and execute it
E. Downloads the following to the /tmp/.temp directory to infect the computer:
cb (the virus Linux.Plupii.B)
https (Perl script backdoor)
ping.txt (Perl script shell backdoor)
httpd
F. Tries to connect to TCP port 8080 of a specified address and opens a shell backdoor
G. Opens an IRC backdoor and connects to the following IRC servers:
eu.undernet.org
us.undernet.org
195.204.1.130
194.109.000090
The virus searches for channels whose names contain the string lametrapchan and waits for the attacker's commands
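Steps B and C above describe the worm's scanning pattern from the victim's side: one source address requesting several of the listed xmlrpc.php and mambo paths in quick succession. That pattern is visible in an ordinary web server access log, so the script below, an added example written for this page rather than code from the original article, parses Apache "combined" format lines (the format is assumed; the sample lines are constructed, with documentation-range addresses) and reports every client that requested at least two distinct paths from the page's list. A single hit on /xmlrpc.php is normal blog traffic; a client walking through several of them is the worm's probe.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Paths the write-up lists as the ones Linux.Plupii.C appends to generated addresses.
PLUPII_PATHS = {
    "/cvs/", "/articles/mambo/", "/cvs/mambo/",
    "/blog/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php",
    "/drupal/xmlrpc.php", "/phpgroupware/xmlrpc.php", "/wordpress/xmlrpc.php",
    "/xmlrpc.php",
}

# Apache "combined" log format (assumed for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalised_path(target):
    """Drop the query string and lower-case the path so variants compare equal."""
    return urlsplit(target).path.lower()


def is_plupii_probe(target):
    return normalised_path(target) in PLUPII_PATHS


def plupii_scanners(lines, min_paths=2):
    """Map client IP -> sorted probe paths, for clients hitting >= min_paths of them."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_plupii_probe(rec["target"]):
            seen[rec["ip"]].add(normalised_path(rec["target"]))
    return {ip: sorted(paths) for ip, paths in seen.items() if len(paths) >= min_paths}


# Constructed sample log (not a real capture). 198.51.100.23 walks the probe list;
# 203.0.113.8 is a normal blog client; 192.0.2.44 touches one path only.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Oct/2005:03:14:07 +0000] "GET /xmlrpc.php HTTP/1.1" 404 290 "-" "-"',
    '198.51.100.23 - - [12/Oct/2005:03:14:08 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [12/Oct/2005:03:14:09 +0000] "GET /drupal/xmlrpc.php HTTP/1.1" 404 290 "-" "-"',
    '203.0.113.8 - - [12/Oct/2005:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [12/Oct/2005:03:15:02 +0000] "GET /blog/xmlrpc.php?rsd HTTP/1.1" 200 400 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Oct/2005:03:16:11 +0000] "GET /cvs/ HTTP/1.0" 404 290 "-" "-"',
]

if __name__ == "__main__":
    for ip, paths in plupii_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} Plupii paths: {', '.join(paths)}")
```

The threshold is the important knob: lower it to 1 to list every client that touched any listed path (useful when reviewing a server that does not host a blog at all), and raise it on busy sites where legitimate XML-RPC clients are common.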