Security threats pervasive: viruses based on Linux systems (RPM)

Source: Internet
Author: User

Although few viruses spread on Linux, some do exist. I have collected the following information from a few security websites.
 
1. Virus Name:
 
Linux.Slapper.Worm
 
Category: Worms
 
Virus data: Infected systems: Linux
 
Unaffected systems: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Macintosh
 
Virus spread:
 
Ports: 80, 443, 2002
 
Infection target: Apache web servers running on Linux systems
 
Technical Features:
 
The worm continuously attempts to connect to port 80 and sends an invalid "GET" request to the server in order to identify Apache systems. Once an Apache system is found, it connects to port 443 and sends malicious code to the SSL service listening on the remote system.
 
The exploit the worm uses carries Linux shellcode that only runs on Intel systems.

The shellcode needs the shell /bin/sh to be available in order to execute correctly.

The worm uses uuencoding: it first encodes its own source code into the file ".bugtraq.c" (a dot-file, so only "ls -a" will show it), then sends it to the remote system and decodes the file there.

It then compiles the file with GCC and executes the resulting binary ".bugtraq". These files are stored in the /tmp folder.
 
The worm is executed with an IP address as its parameter. These IP addresses belong to the machines the attackers use to build a denial-of-service network out of infected hosts. Each infected system listens on UDP port 2002 for attacker instructions.
 
The worm targets Apache systems at IP addresses whose first number is one of the following, for example:
 
3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239
 
2. Virus name:
 
Trojan.linux.typot.a
 
Category: Trojan virus
 
Virus data: Destruction method:
 
This virus is a Trojan horse for the Linux operating system. Once running, it sends a TCP packet every few seconds whose destination and source IP addresses are both random. These packets have fixed characteristics, including a TCP window size of 55808. At the same time the virus sniffs the network: if it sees a TCP packet whose window size equals 55808, it creates a file named "r" in the current folder. Every 24 hours the virus checks whether the file "r" exists and, if it does, attempts to connect to a fixed IP address (possibly a Trojan client). If the connection succeeds, the virus deletes the file /tmp/....../a and exits.
 
3. Virus Name:
 
TROJAN.LINUX.TYPOT.B Category: Trojan virus
 
Virus data: Destruction method:
 
This virus is a Trojan horse for the Linux operating system. Once running, it sends a TCP packet every few seconds whose destination and source IP addresses are both random. These packets have fixed characteristics, including a TCP window size of 55808. The virus sniffs the network: if it sees a TCP packet whose window size equals 55808, it creates a file named "r" in the current folder. Every 24 hours the virus checks whether the file "r" exists and, if it does, attempts to connect to a fixed IP address (possibly a Trojan client). If the connection succeeds, the virus deletes the file /tmp/....../a and exits.
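Both Typot entries describe the same network indicator: a TCP window size fixed at 55808 on packets whose source and destination addresses are otherwise random. The following Python detector is an added example, not code from the original write-ups; the packet records are constructed, and the alert threshold of three distinct senders inside one one-minute bucket is an assumed tuning value.

```python
from collections import defaultdict
from typing import Iterable, List, Tuple

Packet = Tuple[float, str, str, int]   # (timestamp, src_ip, dst_ip, tcp_window)

TYPOT_WINDOW = 55808      # fixed TCP window size named in the Typot write-ups
MIN_SOURCES = 3           # assumed tuning: distinct senders needed before alerting
WINDOW_SECONDS = 60.0     # assumed tuning: correlation bucket for beacons

# Constructed sample packets. A Typot host emits its 55808 packets with random
# source and destination addresses, so a sensor sees many unrelated senders
# sharing one window size within a short time.
SAMPLE_PACKETS: List[Packet] = [
    (1000.0, "10.0.0.5",     "192.0.2.10",    65535),  # ordinary traffic
    (1001.0, "203.0.113.9",  "198.51.100.7",  55808),  # beacon, random src/dst
    (1003.5, "192.0.2.77",   "203.0.113.200", 55808),
    (1004.0, "10.0.0.6",     "192.0.2.10",    55808),  # a host may use 55808 legitimately too
    (1007.2, "198.51.100.3", "192.0.2.44",    55808),
    (1090.0, "10.0.0.5",     "192.0.2.10",    8192),
]


def typot_window_packets(packets: Iterable[Packet]) -> List[Packet]:
    """Keep only packets whose TCP window equals the Typot signature value."""
    return [p for p in packets if p[3] == TYPOT_WINDOW]


def detect_typot_beacons(packets: Iterable[Packet]) -> List[dict]:
    """Bucket signature packets by WINDOW_SECONDS and alert on buckets holding
    at least MIN_SOURCES distinct source addresses.

    One 55808 packet from one host is weak evidence (the value is a legal
    window size); many unrelated sources within a minute match the Trojan's
    random-address beaconing rather than normal traffic.
    """
    buckets = defaultdict(set)
    for ts, src, _dst, _win in typot_window_packets(packets):
        buckets[int(ts // WINDOW_SECONDS)].add(src)
    return [
        {"window_start": bucket * WINDOW_SECONDS, "sources": sorted(srcs)}
        for bucket, srcs in sorted(buckets.items())
        if len(srcs) >= MIN_SOURCES
    ]
```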
 
4. Virus name:
 
W32/linux.bi Category: WL virus
 
Virus data: W32/linux.bi is a cross-platform virus with a length of 1287 bytes. It infects the Linux, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP operating systems. It infects the executable files in the current folder according to the operating system type.

When this virus is received and executed, the following behaviour occurs:
 
A. Infects executable files between 4 KB and 4 MB in size in the current folder (DLL files are not infected under Windows).
 
5. Virus Name:
 
LINUX.PLUPII.C Category: Linux virus
 
Virus data: LINUX.PLUPII.C is a Linux virus with a length of 40. 7576 bytes. It infects Linux, Novell NetWare and UNIX systems and spreads through system vulnerabilities. Symptoms of infection are:
 
A. Opens a backdoor on UDP port 27015, allowing attackers to control the computer remotely.
 
B. Generates an IP address and appends the following paths to it to build URLs:
 
/cvs/
 
/articles/mambo/
 
/cvs/mambo/
 
/blog/xmlrpc.php
 
/blog/xmlsrv/xmlrpc.php
 
/blogs/xmlsrv/xmlrpc.php
 
/drupal/xmlrpc.php
 
/phpgroupware/xmlrpc.php
 
/wordpress/xmlrpc.php
 
/xmlrpc/xmlrpc.php
 
C. Sends HTTP requests to the addresses above, attempting to propagate through the following vulnerabilities:
 
PHP XML-RPC remote injection vulnerability (see Bugtraq ID 14088, http://www.securityfocus.com/bid/14088)
 
AWStats log plug-in parameter input validation vulnerability (see Bugtraq ID 10950, http://www.securityfocus.com/bid/10950)
 
Darryl Burgdorf Webhints remote command execution vulnerability (see Bugtraq ID 13930, http://www.securityfocus.com/bid/13930)
 
D. When a vulnerable computer is found, the virus exploits the vulnerability to download a script file from 198.170.105.69 onto the vulnerable computer and run it.
 
E. Downloads the following viruses into the /tmp/.temp folder, infecting the computer:
 
CB (Virus LINUX.PLUPII.B)
 
HTTPS (Perl script backdoor virus)
 
Ping.txt (Perl script shell backdoor virus)
 
httpd
 
F. Attempts to connect to a reserved address on TCP port 8080 and opens a shell backdoor.
 
G. Opens an IRC backdoor and connects to the following IRC servers:
 
eu.undernet.org
 
us.undernet.org
 
195.204.1.130
 
194.109.20.90
 
The virus joins a channel whose name contains the string "Lametrapchan" and waits for attacker commands.
 
6. Virus Name:
 
Linux.mare Category: Linux virus
 
Virus data: The virus is of variable length, infects Linux systems, spreads through the phpBB phpbb_root_path vulnerability, and opens a backdoor that lets attackers download and run remote files. An infected system shows the following behaviour:
 
A. Opens a backdoor and connects to the following servers:
 
81.223.104.152
 
24.224.174.18
 
B. Accepts and runs commands issued by the remote attacker, such as:
 
Update virus
 
Run command
 
Stop the virus
 
C. Downloads the remote file "listen" from the servers above and runs it.
 
D. Downloads and runs the remote update file "Update.listen".
 
E. Records information to the file "Listen.log".
 
F. Scans for the phpBB phpbb_root_path vulnerability.
 

G. Runs the following on the scanned computer: http://209.136.48.69/[deleted]/cvac

7. Virus Name:
 
LINUX.PLUPII Category: Linux virus
 
Virus data: The virus is 34,724 bytes long, infects Linux systems, spreads by exploiting web server vulnerabilities, and opens a backdoor for attackers. When the virus is received and executed, the following behaviour occurs:
 
A. Sends a notification message to a remote attacker via UDP port 7222.
 
B. Opens a backdoor for the attacker.
 
C. Generates URLs that include the following paths:
 
/cgi-bin/
 
/scgi-bin/
 
/awstats/
 
/cgi-bin/awstats/
 
/scgi-bin/awstats/
 
/cgi/awstats/
 
/scgi/awstats/
 
/scripts/
 
/cgi-bin/stats/
 
/scgi-bin/stats/
 
/stats/
 
/xmlrpc.php
 
/xmlrpc/xmlrpc.php
 
/xmlsrv/xmlrpc.php
 
/blog/xmlrpc.php
 
/drupal/xmlrpc.php
 
/community/xmlrpc.php
 
/blogs/xmlrpc.php
 
/blogs/xmlsrv/xmlrpc.php
 
/blog/xmlsrv/xmlrpc.php
 
/blogtest/xmlsrv/xmlrpc.php
 
/b2/xmlsrv/xmlrpc.php
 
/b2evo/xmlsrv/xmlrpc.php
 
/wordpress/xmlrpc.php
 
/phpgroupware/xmlrpc.php
 
/cgi-bin/includer.cgi
 
/scgi-bin/includer.cgi
 
/includer.cgi
 
/cgi-bin/include/includer.cgi
 
/scgi-bin/include/includer.cgi
 
/cgi-bin/inc/includer.cgi
 
/scgi-bin/inc/includer.cgi
 
/cgi-local/includer.cgi
 
/scgi-local/includer.cgi
 
/cgi/includer.cgi
 
/scgi/includer.cgi
 
/hints.pl
 
/cgi/hints.pl
 
/scgi/hints.pl
 
/cgi-bin/hints.pl
 
/scgi-bin/hints.pl
 
/hints/hints.pl
 
/cgi-bin/hints/hints.pl
 
/scgi-bin/hints/hints.pl
 
/webhints/hints.pl
 
/cgi-bin/webhints/hints.pl
 
/scgi-bin/webhints/hints.pl
 
/hints.cgi
 
/cgi/hints.cgi
 
/scgi/hints.cgi
 
/cgi-bin/hints.cgi
 
/scgi-bin/hints.cgi
 
/hints/hints.cgi
 
/cgi-bin/hints/hints.cgi
 
/scgi-bin/hints/hints.cgi
 
/webhints/hints.cgi
 
/cgi-bin/webhints/hints.cgi
 
/scgi-bin/webhints/hints.cgi
 
D. Sends HTTP requests to the URLs generated above, attempting to propagate through the following web vulnerabilities:
 
PHP XML-RPC remote overflow vulnerability (Bugtraq ID 14088)
 
AWStats Rawlog plug-in log file input vulnerability (Bugtraq ID 10950)
 
Darryl Burgdorf Webhints remote execution vulnerability (Bugtraq ID 13930)
 
F. Attempts to download the virus from http://62.101.193.244/[deleted]/lupii and run it.
 
G. Saves the downloaded virus as /tmp/lupii.
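The URL lists in entries 5 and 7 above are exactly what a web server's access log records when the worm probes it, so they map directly onto a log check. The following Python scanner is an added example, not code from the original write-ups; the log lines are constructed, and the probe-path patterns and the "two distinct families" threshold are assumptions derived from those lists.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Probe families taken from the URL lists in the Plupii and Plupii.C write-ups.
PLUPII_PATTERNS = [
    ("xmlrpc",   re.compile(r"(^|/)xmlrpc\.php$")),
    ("awstats",  re.compile(r"(^|/)awstats(/|$)")),
    ("webhints", re.compile(r"(^|/)hints\.(pl|cgi)$")),
    ("includer", re.compile(r"(^|/)includer\.cgi$")),
]

# Apache combined log: host ident user [time] "METHOD url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed access-log excerpt: one scanning host and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2005:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla"
203.0.113.5 - - [10/Nov/2005:12:00:02 +0000] "POST /drupal/xmlrpc.php HTTP/1.0" 404 512 "-" "-"
203.0.113.5 - - [10/Nov/2005:12:00:02 +0000] "GET /cgi-bin/awstats/awstats.pl?config=x HTTP/1.0" 404 512 "-" "-"
203.0.113.5 - - [10/Nov/2005:12:00:03 +0000] "GET /scgi-bin/webhints/hints.pl HTTP/1.0" 404 512 "-" "-"
203.0.113.5 - - [10/Nov/2005:12:00:03 +0000] "GET /cgi-bin/include/includer.cgi HTTP/1.0" 404 512 "-" "-"
198.51.100.7 - - [10/Nov/2005:12:01:00 +0000] "GET /blog/2005/hints.html HTTP/1.1" 200 2048 "-" "Mozilla"
"""


def classify_path(path: str) -> Optional[str]:
    """Return the Plupii probe family a request path belongs to, or None."""
    for family, pattern in PLUPII_PATTERNS:
        if pattern.search(path):
            return family
    return None


def scan_access_log(text: str) -> List[Dict]:
    """Parse each log line and report requests that hit a Plupii probe path."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                           # malformed line: skip, do not crash
        path = urlsplit(match["url"]).path     # strip the query string before matching
        family = classify_path(path.lower())
        if family:
            findings.append({"host": match["host"], "method": match["method"],
                             "path": path, "family": family,
                             "status": int(match["status"])})
    return findings


def probing_hosts(findings: List[Dict], min_families: int = 2) -> List[str]:
    """Hosts that touch several distinct probe families look like the worm's
    scanner rather than a single misdirected client."""
    families_by_host: Dict[str, set] = {}
    for f in findings:
        families_by_host.setdefault(f["host"], set()).add(f["family"])
    return sorted(h for h, fams in families_by_host.items() if len(fams) >= min_families)
```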
 
8. Virus Name:
 
linux.jac.8759 Category: Linux virus
 
Virus data: Infection Length: 8759 bytes
 
Virus Introduction: linux.jac.8759 is a virus that specifically infects files on Linux systems and can infect all ELF executable files in the same folder as itself.
 
Technical features: When linux.jac.8759 runs, it examines all files in its own folder. Any executable file that has write permission set is infected.

However, the virus does not infect files whose names end with the letters "ps", nor does it infect files built for the x86 platform.
 
The virus modifies several places in the header of the infected file. One of these changes serves as an infection marker, so that the virus does not infect the same file more than once.
 
9. Virus Name:
 
Linux.Mighty.worm Category: Unix/linux worm
 
Virus data: Technical features:
 
This is a Linux worm similar to the earlier Slapper worm; both spread through machines running the Apache server software on Linux.

Once a machine that can be infected is found, the worm uses a buffer overflow vulnerability in the OpenSSL server (port 443) to run remote shell commands. For details of this vulnerability, see http://www.kb.cert.org/vuls/id/102795.
 
The worm is made up of four files:
 
A. script.sh: the initial shell script that downloads, compiles and runs the other components.
 
B. devnul: a 32-bit x86 ELF executable of approximately 19050 bytes. It is the main part of the worm, used to scan the Internet.
 
C. sslx.c: the source file of the OpenSSL exploit, compiled by script.sh for use by devnul.
 
D. k: a 32-bit x86 ELF executable of approximately 37237 bytes. It is the Linux port of the Kaiten backdoor and DDoS tool.


 
When the shell script (script.sh) runs, it downloads the other three components of the worm, compiles the exploit source (sslx.c) into the binary sslx, then executes the Kaiten backdoor (k) and the devnul file.

devnul scans the Internet for vulnerable machines; once an unpatched machine is found, it runs the buffer overflow exploit in the sslx program against it.
 
Once the worm enters a new system and executes successfully there, it downloads and executes the shell script (script.sh), completing the worm's self-replication cycle.
 
10. Virus Name:
 
Linux.simile Category: Win32 virus
 
Virus data: Infection Length: variable
 
Hazard Level: Low
 
Affected systems: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Linux
 
Unaffected systems: Windows 3.x, Microsoft IIS, Macintosh, Unix
 
Technical Features:
 
This is a very complex virus that uses entry-point obscuring, metamorphic and polymorphic encryption techniques, and it is the first polymorphic, metamorphic virus able to infect both the Windows and Linux platforms. It carries no destructive payload, but after infecting files it pops up a dialog box on specific dates, which is a nuisance. The virus is the fourth variant of the Simile family and introduces a new infection mechanism for the Intel Linux platform that infects 32-bit ELF files (the standard UNIX binary format). It can infect PE files on Win32 systems and ELF files on Linux systems.


 
When the virus first executes it checks the current system date. If the host file the virus is attached to is a PE file and the date is 17 March or 17 September, a message box appears:
 
If the host file is in ELF format, then on 17 March or 14 May the virus writes a text message similar to the following to the console:
 
The virus has been confirmed to infect Red Hat Linux 6.2, 7.0 and 7.2, and it is very likely to infect other versions as well.

An infected file grows by about 110 KB on average, but the exact growth varies with how the virus's metamorphic engine shrinks or expands the code and how it is inserted.
 
11. Virus Name:
 
Linux.slapper.b Category: Unix/linux worm
 
Virus data: Hazard level: Medium
 
Propagation Speed: Medium
 
Technical Features:
 
This is a network worm that infects Linux systems; it is similar to the original LINUX.SLAPPER.A but has some new features. It searches for systems running the Apache server and, once it finds a machine it can infect, uses the OpenSSL server buffer overflow vulnerability to execute remote shell commands. For details of this vulnerability, see http://www.kb.cert.org/vuls/id/102795
 
When the variant propagates, it carries its own source code and compiles it into an executable on each victim machine. The source file is named ".cinik.c" and is copied into the /tmp folder; the compiled file, ".cinik", is stored in the same folder, as is a uuencoded copy of the source code. This variant also contains a shell script, /tmp/.cinik.go, which searches for files on the infected system and then overwrites the files it finds with the worm's binary code.
 
The script also sends information about the local machine and its network to an e-mail address at yahoo.com.
 
If the user deletes the virus source file /tmp/.cinik.c, the worm downloads a copy of the source file, also named cinik.c, from a web site.
 
In addition, the infected system runs a backdoor server on UDP port 1978. Like any backdoor, the server responds to special instructions sent by a remote unauthorized user and performs various operations according to those instructions. One of the instructions is to search the infected machine for e-mail addresses.
 
It scans all files in all folders (except the three special folders /proc, /dev and /bin) looking for valid e-mail addresses. Addresses that contain the string ".hlp" and addresses identical to "[email protected]" are ignored; all other e-mail addresses are sent as a list to the IP address the remote user specified at the start.
 
Remote unauthorized users may also send other instructions, such as:
 
A. DoS attack (TCP or UDP);
 
B. Turn the TCP proxy (port 1080) on or off;
 
C. Run an arbitrary program;
 
D. Obtain the names of other infected servers.
 
This variant scans for potentially vulnerable machines. It checks IP addresses of the following form, for example:
 
A.B.0-255.0-255
 
where B is a random number between 0 and 255;
 
A is a randomly selected number from the following list:
 
3 4 6 8 9 11 12 13 14
 
15 16 17 18 19 20 21 22 24
 
25 26 28 29 30 32 33 34 35
 
38 40 43 44 45 46 47 48 49
 
50 51 52 53 54 55 56 57 61
 
62 63 64 65 66 67 68 80 81
 
128 129 130 131 132 133 134 135 136
 
137 138 139 140 141 142 143 144 145
 
146 147 148 149 150 151 152 153 154
 
155 156 157 170 171 172 173 174 175
 
176 177 178 179 180 181 182 183 184
 
185 186 187 188 189 190 191 192 193
 
194 195 196 198 200 201 202 203 204
 
205 206 207 208 209 210 211 212 213
 
214 215 216 217 218 219 220 224 225
 
226 227 228 229 230 231 232 233 234
 
235 236 237 238 239
 
12. Virus Name:
 
LINUX.SLAPPER.C Category: Unix/linux worm
 
Virus data: Technical features:
 
This is a network worm that infects Linux systems, similar to the original LINUX.SLAPPER.A, but with some new features.

It searches for systems running the Apache server and, once it finds a machine it can infect, uses the OpenSSL server buffer overflow vulnerability to execute remote shell commands.

For details of this vulnerability, see http://www.kb.cert.org/vuls/id/102795
 
When the variant spreads, it carries its own source code and compiles two executables on each victim machine from the files ".unlock.c" and ".update.c", both created under the /tmp folder. The first successfully compiled program is called "httpd" and is located in the same folder. The second executable, "update", listens on port 1052 and, once the correct password has been entered, accepts a large number of interactive shell commands. In addition, the variant sends the host name and IP address of the infected machine to a specified e-mail address.
 
Like Slapper.A and Slapper.B, a system infected with SLAPPER.C runs a backdoor server on UDP port 4156, which responds to specific instructions sent by a remote unauthorized user and performs various operations according to those instructions. A common instruction, for example, is to search the infected machine for e-mail addresses.
 
It scans all files in all folders (except the three special folders /proc, /dev and /bin) looking for valid e-mail addresses. Addresses that contain the string ".hlp" and addresses identical to "[email protected]" are ignored; all other e-mail addresses are sent as a list to the IP address the remote user specified at the start.
 
Remote unauthorized users may also send other instructions, such as:
 
A. DoS attack (TCP or UDP);
 
B. Turn the TCP proxy (port 1080) on or off;
 
C. Run an arbitrary program;
 
D. Obtain the names of other infected servers.
 
This variant scans for potentially vulnerable machines. It checks IP addresses of the following form, for example:
 
A.B.0-255.0-255
 
where B is a random number between 0 and 255;
 
A is a randomly selected number from the following list:
 
3 4 6 8 9 11 12 13 14
 
15 16 17 18 19 20 21 22 24
 
25 26 28 29 30 32 33 34 35
 
38 40 43 44 45 46 47 48 49
 
50 51 52 53 54 55 56 57 61
 
62 63 64 65 66 67 68 80 81
 
128 129 130 131 132 133 134 135 136
 
137 138 139 140 141 142 143 144 145
 
146 147 148 149 150 151 152 153 154
 
155 156 157 170 171 172 173 174 175
 
176 177 178 179 180 181 182 183 184
 
185 186 187 188 189 190 191 192 193
 
194 195 196 198 200 201 202 203 204
 
205 206 207 208 209 210 211 212 213
 
214 215 216 217 218 219 220 224 225
 
226 227 228 229 230 231 232 233 234
 
235 236 237 238 239
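The Slapper entries (1, 11 and 12) and the Plupii entries (5 and 7) each name files dropped under /tmp and, for the Slapper variants, a UDP backdoor port, which together make a simple host-side check. The following Python script is an added example, not code from the original write-ups; the /proc/net/udp excerpt and the temporary-directory fixture are constructed, and on a real host the two functions would be pointed at "/" and at the live /proc/net/udp instead.

```python
import os
import tempfile
from typing import Dict, List, Set

# Dropped-file indicators under /tmp, per variant, as named in the write-ups above.
TMP_INDICATORS: Dict[str, List[str]] = {
    "Slapper.A": [".bugtraq", ".bugtraq.c"],
    "Slapper.B": [".cinik", ".cinik.c", ".cinik.go"],
    "Slapper.C": [".unlock.c", ".update.c", "httpd", "update"],
    "Plupii":    ["lupii", ".temp"],
}
# UDP backdoor listener ports, per variant, as named in the write-ups above.
UDP_BACKDOOR_PORTS: Dict[int, str] = {2002: "Slapper.A", 1978: "Slapper.B", 4156: "Slapper.C"}


def find_dropped_files(root: str = "/") -> Dict[str, List[str]]:
    """Map variant -> indicator paths that exist under <root>/tmp."""
    tmp = os.path.join(root, "tmp")
    hits = {}
    for variant, names in TMP_INDICATORS.items():
        present = [os.path.join(tmp, n) for n in names if os.path.lexists(os.path.join(tmp, n))]
        if present:
            hits[variant] = present
    return hits


def listening_udp_ports(proc_net_udp: str) -> Set[int]:
    """Parse the text of /proc/net/udp; local_address is 'HEXIP:HEXPORT'."""
    ports = set()
    for line in proc_net_udp.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def find_backdoor_listeners(proc_net_udp: str) -> Dict[str, int]:
    """Map variant -> bound UDP port for every known backdoor port that is open."""
    return {UDP_BACKDOOR_PORTS[p]: p for p in listening_udp_ports(proc_net_udp) if p in UDP_BACKDOOR_PORTS}


# Constructed /proc/net/udp excerpt: a DNS socket on 53 (0x0035) and a listener on 1978 (0x07BA).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234 2 0000000000000000 0
   1: 00000000:07BA 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1235 2 0000000000000000 0
"""


def demo_fixture() -> Dict[str, Dict]:
    """Build a throwaway root containing Slapper.B files and run both checks against it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tmp"))
    for name in (".cinik", ".cinik.go"):
        open(os.path.join(root, "tmp", name), "w").close()
    return {"files": find_dropped_files(root),
            "listeners": find_backdoor_listeners(SAMPLE_PROC_NET_UDP)}
```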
