Linux-based virus data

Source: Internet
Author: User
Tags valid email address drupal perl script microsoft iis
Linux-based virus data-general Linux technology-Linux technology and application information. For more information, see the following section. Although there are not many viruses spread in linux, there are also some. I have collected some information from some security sites for your reference:
Bytes -------------------------------------------------------------------------------------------------------------
Virus Name:
Linux. Slapper. Worm
Category: Worm
Virus data: infected system: Linux

Unaffected systems: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, and Macintosh

Virus Propagation:

Port 80,443,200 2

Target of Infection: Apache Web servers on Linux systems of various versions

Technical Features:

The worm tries to continuously connect to port 80 and sends invalid "GET" requests to the server to identify the Apache system. Once Apache is found, it connects to port 443 and sends malicious code to the listening SSL Service on the remote system.

This worm exploits the Linux Shell code to run only on Intel systems. The code must have shell command/bin/sh to be correctly executed. Worms use the UU encoding method to first encode the virus source code ". bugtraq. c "(so that only the" ls-a "command can display this code file), and then send it to the remote system to decode the file. Then, it will use gcc to compile the file and run the compiled binary file ". bugtraq". These files will be stored in the/tmp directory.

When the worm is running, IP addresses are used as its parameters. These IP addresses are the addresses of the machines used for hacker attacks. Worms use them to establish a network that uses infected machines to launch DoS attacks. Each infected system listens to UDP port 2002 to receive hacker commands.

The worm uses a fixed IP address suffixed with the following numbers to attack Apache:

3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 68, 80, 81,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239
Bytes -------------------------------------------------------------------------------------------------------------

Virus Name:
Trojan. Linux. Typot.
Category: Trojan
Virus data: destruction method:

The virus is a trojan in the Linux operating system. After the trojan is run, a TCP packet is sent every few seconds. The destination IP address and source IP address are random. This packet has fixed characteristics, including TCP window size <在这里为55808> At the same time, the virus will sniff the network. If the TCP packet's window size is found to be 55808, a file will be generated in the current directory. <文件名为:r> Every 24 hours, the virus detects whether the file "r" exists. If yes, it tries to connect to a fixed IP address. <可能为木马的客户端> If the connection is successful, the virus will delete the file:/tmp/.../a and exit.
Bytes -------------------------------------------------------------------------------------------------------------
Virus Name:
Trojan. Linux. Typot. B type: Trojan
Virus data: destruction method:

The virus is a trojan in the Linux operating system. After the trojan is run, a TCP packet is sent every few seconds. The destination IP address and source IP address are random. This packet has fixed characteristics, including TCP window size <在这里为55808> At the same time, the virus will sniff the network. If the TCP packet's window size is found to be 55808, a file will be generated in the current directory. <文件名为:r> Every 24 hours, the virus detects whether the file "r" exists. If yes, it tries to connect to a fixed IP address. <可能为木马的客户端> If the connection is successful, the virus will delete the file:/tmp/.../a and exit.
Bytes ------------------------------------------------------------------------------------------------------------

Virus Name:
W32/Linux. Bi type: WL Virus
Virus data: W32/Linux. bi is a cross-platform virus with a length of 1287 bytes. It is infected with Linux, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP, it infected executable files in the current directory according to the operating system type. When the virus is received or opened, the following symptoms occur:

A is infected with executable files with A length of 4 K and 4 m in the current directory (not infected with dll files in windows)
Bytes ------------------------------------------------------------------------------------------------------------
Virus Name:
Linux. Plupii. C type: Linux Virus
Virus data: Linux. Plupii. C is a Linux virus with a length of 40 to bytes. It is infected with Linux, Novell Netware, and UNIX systems. It is spread through system vulnerabilities:

A opens A backdoor on UDP port 27015, allowing hackers to remotely control the computer
B. generate an IP address and add the following URL
/Cvs/
/Articles/mambo/
/Cvs/mambo/
/Blog/xmlrpc. php
/Blog/xmlsrv/xmlrpc. php
/Blogs/xmlsrv/xmlrpc. php
/Drupal/xmlrpc. php
/Phpgroupware/xmlrpc. php
/Wordpress/xmlrpc. php
/Xmlrpc. php
C. Send an http request to the address above and try to spread the request through the following vulnerability:
PHP XML-RPC remote injection attack (see vulnerability list ID 14088)
Http://www.securityfocus.com/bid/14088)
Determine the vulnerability by entering the parameters of the AWStats log plug-in (see vulnerability list ID 10950 .)
Http://www.securityfocus.com/bid/10950)
Darryl Remote Command Execution Vulnerability (See Vulnerability list ID 13930
Http://www.securityfocus.com/bid/13930)
D. When a computer with a vulnerability is found, the virus uses the vulnerability to download the script file from 198.170.105.69 to the computer with the vulnerability and execute
E. download the following virus to the/tmp/. temp directory to infect your computer.
Cb (virus Linux. Plupii. B)
Https (Perl script backdoor virus)
Ping.txt (Perl script shell backdoor virus .)
Httpd
F. Try to connect TCP port 8080 of the specified address and open a shell backdoor.
G Open the IRC backdoor and connect to the following IRC server
Eu.undernet.org
Us.undernet.org
195.204.1.130
194.109.000090
Virus searches for channels containing lametrapchan strings and waits for hacker commands
Bytes ------------------------------------------------------------------------------------------------------------
Virus Name:
Linux. Mare type: Linux Virus
Virus information: the virus is variable in length and infected with Linux. It is spread through the phpbb_root_path vulnerability in PHP and opens a backdoor for hackers to download and execute remote files. When infected with the virus, the following dangers occur:

A open A backdoor to connect to the following servers
81.223.104.152
24.224.174.18
B. Accept and execute the following commands from remote hackers:
Update virus
Execute Command
Stop viruses
C. download and execute the remote file listen from the above server
D. download and execute the remote update file update. listen.
E. record information to the file listen. log
F scan phpbb_root_path vulnerability in PHP
G. Run the following command on the computer that is scanned: http: // 209.136.48.69/[deleted]/cvac
Bytes ------------------------------------------------------------------------------------------------------------
Virus Name:
Linux. Plupii type: Linux Virus
Virus information: the virus is 34,724 bytes in length and is infected with Linux systems. The virus is exploited to spread through WEB servers and opens a backdoor for hackers to operate. When the virus is received or opened, there are the following dangers:

A sends A notification to remote hackers through UPD port 7222.
B. Open the backdoor for hacker operation
C. Generate a URL containing the following content
/Cgi-bin/
/Scgi-bin/
/Awstats/
/Cgi-bin/awstats/
/Scgi-bin/awstats/
/Cgi/awstats/
/Scgi/awstats/
/Scripts/
/Cgi-bin/stats/
/Scgi-bin/stats/
/Stats/
/Xmlrpc. php
/Xmlrpc. php
/Xmlsrv/xmlrpc. php
/Blog/xmlrpc. php
/Drupal/xmlrpc. php
/Community/xmlrpc. php
/Blogs/xmlrpc. php
/Blogs/xmlsrv/xmlrpc. php
/Blog/xmlsrv/xmlrpc. php
/Blogtest/xmlsrv/xmlrpc. php
/B2/xmlsrv/xmlrpc. php
/B2evo/xmlsrv/xmlrpc. php
/Wordpress/xmlrpc. php
/Phpgroupware/xmlrpc. php
/Cgi-bin/container der. cgi
/Scgi-bin/container der. cgi
/Der. cgi
/Cgi-bin/include/Der. cgi
/Scgi-bin/include/Der. cgi
/Cgi-bin/inc/container der. cgi
/Scgi-bin/inc/container der. cgi
/Cgi-local/container der. cgi
/Scgi-local/container der. cgi
/Cgi/Der. cgi
/Scgi/container der. cgi
/Hints. pl
/Cgi/hints. pl
/Scgi/hints. pl
/Cgi-bin/hints. pl
/Scgi-bin/hints. pl
/Hints. pl
/Cgi-bin/hints. pl
/Scgi-bin/hints. pl
/Webhints/hints. pl
/Cgi-bin/webhints/hints. pl
/Scgi-bin/webhints/hints. pl
/Hints. cgi
/Cgi/hints. cgi
/Scgi/hints. cgi
/Cgi-bin/hints. cgi
/Scgi-bin/hints. cgi
/Hints. cgi
/Cgi-bin/hints. cgi
/Scgi-bin/hints. cgi
/Webhints/hints. cgi
/Cgi-bin/webhints/hints. cgi
/Scgi-bin/webhints/hints. cgi

D. Use the URL generated above to send an http request and try to use the following WEB vulnerability to spread
PHP Remote Overflow Vulnerability XML-RPC (ID 14088)
AWStats Rawlog plug-in log file input Vulnerability (ID 10950)
Darryl burgdlf Webhints Remote Execution Vulnerability (ID 13930)
F. Try to download the execution virus from http: // 62.101.193.244/[deleted]/lupii.
G. Save the downloaded virus to/tmp/lupii.
Bytes ------------------------------------------------------------------------------------------------------------
Virus Name:
Linux. Jac.8759 type: Linux Virus
Virus data: infection length: 8759 bytes

Virus Description: Linux. Jac.8759 is a virus specially infected with files in Linux. It can infect all executable files suffixed with ELF in the same directory.

Technical Features: When Linux. Jac.8759 is executed, it detects all files in the same directory. If an executable file with write permission is found, it is infected. However, the virus does not infect files ending with a letter ps or files on the X86 (Intel) platform.

The virus modifies the header of the infected file. One of the modifications is used as the infection mark, so that the virus does not feel the same file multiple times.
Bytes ------------------------------------------------------------------------------------------------------------
Virus Name:
Linux. Mighty. worm category: Unix/Linux worms
Virus data: technical features:

This is a Linux worm, similar to the Slapper that appeared some time ago.

Machine for propagation. Once an infected machine is found, the worm uses the buffer overflow vulnerability of the OpenSSL server (port 443) to execute remote shell commands. For more information about this vulnerability, visit http://www.kb.cert.org/vuls/id/102795.

The worm consists of four files:

1. script. sh: the initial shell script used to download, compile, and execute other components;

2. devnul: 32-bit x86 ELF executable file, about 19050 bytes. It is the main part of the worm used to scan the Internet;

3. sslx. c: the source code file with the OpenSSL vulnerability is compiled by script. sh for devnul;

4. k: 32-bit x86 ELF executable file, about 37237 bytes. It is the Linux port of the kaiten backdoor program and Ddos tool.

When the initial shell program (script. sh. c) compile it into a binary file sslx, then execute the Kaiten backdoor program (K) and run the devnul file. Devnul scans machines with vulnerabilities on the Internet. Once an unpatched machine is found, it runs the buffer overflow vulnerability code in the sslx program.

Once the worm enters a new system and runs successfully on the system, it downloads and executes the shell script (script. sh), so that the self-propagation process of the worm is completed.
Bytes ------------------------------------------------------------------------------------------------------------
Virus Name:
Linux. Simile type: Win32 Virus
Virus data: infection length: Variable

Hazard level: low

Affected Systems: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Linux

Unaffected systems: Windows, Microsoft IIS, Macintosh, Unix

Technical Features:

This is a very complex virus. It uses the fuzzy entry endpoint, deformation and polymorphism encryption technology, and is also the first multi-state deformation virus that can be infected on Windows and Linux platforms. It does not contain destructive loads, but after a file is infected, a dialog box will pop up on a specific date, which is annoying. The virus is the fourth variant of the Simile family. It introduces a new infection mechanism on the Intel Linux platform that can infect 32-bit ELF files (standard Unix binary format ). This virus can infect PE and ELF files in Linux and Win32 systems.

After the virus runs for the first time, it checks the current system date. If the main file to which the virus is attached is a PE file, and the following message is displayed on May 1, March or May 10, September 17:
If the main file is in the ELF format, the virus will output a text message similar to the following to the control panel on April 8, March 17 or April 8, May 14:

The virus has been confirmed to be infected with files in Red Hat Linux6.2, 7.0, and 7.2 versions, and is highly likely to be infected in other versions. The number of infected files increases by KB On average, but the increasing number of bytes varies with the virus deformation engine's shrinking or expansion and insertion methods.
Bytes ------------------------------------------------------------------------------------------------------------
Virus Name:
Linux. Slapper. B type: Unix/Linux Worm
Virus data: hazard level: Medium

Propagation Speed: Medium

Technical Features:

This is a network worm infected with Linux systems. It is similar to the original Linux. Slapper. A, but it has some new features. It searches for the system running the Apache server. Once an infected machine is found, it uses the buffer overflow vulnerability of the Openssl server to execute remote shell commands. For more information about this vulnerability, browse: http://www.kb.cert.org/vuls/id/102795

When this variant is transmitted, it will carry its own source code and then compile it on each affected machine to make it an executable file. The file name of the virus source code is ". cinik. c, will be copied to the "/tmp" directory, and the compiled file is called ". cinik ", which is stored in the same directory and serves as the UUEncoded version of the source code. This variant also contains a shell script/tmp/. cinik. go, which is used to search for files in the infected system and then overwrite the searched files with the binary code of the worm. The script also sends information about the local machine and network to an email address suffixed with yahoo.com.

If the virus source file/tmp/cinik. c is deleted by the user, it downloads a copy of the source file from a site, and the file name is also called cinik. c.

In addition, the infected system runs a backdoor server program on UDP port 1978. Similar to all Backdoor programs, the server responds to special commands sent by remote unauthorized users to execute different operations according to the commands, for example, one command searches for email addresses on infected machines.

It scans all files in all directories (except the three special Pearl directories/proc,/dev and/bin) to find a valid email address. The strings ". hlp" and the same addresses as the "webmaster@mydomain.com" are ignored, and all other email addresses are sent as a clear single IP address to the IP address specified at the beginning by the remote user.

In addition, remote unauthorized users may send other commands, such:

1. DOS attacks (TCP or UDP );

2. enable or disable the TCP proxy (port 1080 );

3. execute any program;

4. Obtain the names of other infected servers;

When scanning machines with vulnerabilities, this variant checks IP addresses in the following format:

A. B. 0-255.0-255

B is an arbitrary number between 0 and 255;

A is A random number selected from the following list:

3 4 6 8 9 11 12 13 14

15 16 17 18 19 20 21 22 24

25 26 28 29 30 32 33 34 35

38 40 43 44 45 46 48 49

50 51 52 53 54 55 56 57 61

62 63 64 65 66 67 68 80 81

128 129 130 131 132 133 134 135

137 138 139 140 141 142 143 144

146 147 148 149 150 151 152 153

155 156 157 170 171 172 173 174

176 177 178 179 180 181 182 183

185 186 187 188 189 190 191 192

194 195 196 198 200 201 202 203

205 206 207 208 209 210 211 212

214 215 216 217 218 219 220 224

226 227 228 229 230 231 232 233

235 236 237 238 239
Bytes ------------------------------------------------------------------------------------------------------------
Virus Name:
Linux. Slapper. C type: Unix/Linux Worm
Virus data: technical features:

This is a network worm infected with Linux systems. It is similar to the original Linux. Slapper. A, but it has some new features. It searches for the system running the Apache server. Once an infected machine is found, it uses the buffer overflow vulnerability of the Openssl server to execute remote shell commands. For more information about this vulnerability, browse: http://www.kb.cert.org/vuls/id/102795

When this variant is transmitted, it will carry its own source code, and then compile two executable programs on each affected machine ". unlock. c "and" update. c ", they are all created under the"/tmp "directory. The first compiled executable program is called "httpd" and is located in the same directory. The second executable file "update" listens to port 1052. When the input is correct, Frethem/index.htm "target =" _ blank "style = 'text-decoration: underline; color: # 0000FF '> after the password, it will allow a large number of interactive shell commands to pass through. In addition, this variant also sends the Host Name and IP address of the infected machine to the specified email address.

Like Slapper. A And Slapper. same as B, Slapper. A c-infected system will run a backdoor server program on UDP port 4156. The server will respond to special commands sent by remote unauthorized users, so as to execute various operations according to the commands, for example, a command searches for email addresses on infected machines.

It scans all files in all directories (except the three special directories/proc,/dev and/bin) to find a valid email address. The strings ". hlp" and the same addresses as the "webmaster@mydomain.com" are ignored, and all other email addresses are sent as a clear single IP address to the IP address specified at the beginning by the remote user.

In addition, remote unauthorized users may send other commands, such:

1. DOS attacks (TCP or UDP );

2. enable or disable the TCP proxy (port 1080 );

3. execute any program;

4. Obtain the names of other infected servers;

When scanning machines with vulnerabilities, this variant checks IP addresses in the following format:

A. B. 0-255.0-255

B is an arbitrary number between 0 and 255;

A is A random number selected from the following list:

3 4 6 8 9 11 12 13 14

15 16 17 18 19 20 21 22 24

25 26 28 29 30 32 33 34 35

38 40 43 44 45 46 48 49

50 51 52 53 54 55 56 57 61

62 63 64 65 66 67 68 80 81

128 129 130 131 132 133 134 135

137 138 139 140 141 142 143 144

146 147 148 149 150 151 152 153

155 156 157 170 171 172 173 174

176 177 178 179 180 181 182 183

185 186 187 188 189 190 191 192

194 195 196 198 200 201 202 203

205 206 207 208 209 210 211 212

214 215 216 217 218 219 220 224

226 227 228 229 230 231 232 233

235 236 237 238 239

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.