CpanelInc / tech-CSI

cPanel Security Scan

New malware found on a compromised system #18

Closed JQuags closed 1 year ago

JQuags commented 1 year ago

This system had the following:

Root compromise had the following running:
a69b46510ecde2d9cc54b70ba775b9b53adb6bea5bf8a43e125283547b277b36 /usr/sbin/events

Hides cmdline as [pdflush-0]

/usr/sbin/events binary calls within it two files:

273610a0d582ecea2a816b0994093d198fd1f67ff42d1692241d1f7adde7b3ed /usr/lib/libu.a/safe_scr
bb3e3ed44ebc74e6e2d6c530d85759f98dd74e84b621218e7d6fee76bb5586e2 /usr/sbin/ptty

Uses /usr/lib/libu.a as a storage folder to place temp files

Other malware: cron strings
/6 /var/tmp/init10 > /dev/null 2>&1 &
/1 /var/lock/bash10 > /dev/null 2>&1 &
/3 /dev/shm/sh10 > /dev/null 2>&1 &
/9 /tmp/init10 > /dev/null 2>&1 &

All these were the same checksums:
426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218 /var/tmp/init10
426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218 /var/lock/bash10
426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218 /dev/shm/sh10
426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218 /tmp/init10

Last one:

48a9258c709e08cde0290b92107e247b8493274cc290735d0632c5fc0ba5d16d /tmp/cache_init
This runs as: sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;/tmp/cache_init -h random -p -f -bin 3.86.38.166
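A small defender-side check for the artifacts listed in the report above, added here as an example; it is not part of tech-CSI and not the reporter's code. It uses only the SHA-256 values, file paths and the "[pdflush-0]" disguise quoted in the report; the crontab lines and process records at the bottom are constructed sample input (the report shows only the command part of the cron entries, so the schedule fields are made up).

```python
import os
import re

# SHA-256 values quoted in the issue report, labelled with the reported path.
KNOWN_HASHES = {
    "a69b46510ecde2d9cc54b70ba775b9b53adb6bea5bf8a43e125283547b277b36": "/usr/sbin/events",
    "273610a0d582ecea2a816b0994093d198fd1f67ff42d1692241d1f7adde7b3ed": "/usr/lib/libu.a/safe_scr",
    "bb3e3ed44ebc74e6e2d6c530d85759f98dd74e84b621218e7d6fee76bb5586e2": "/usr/sbin/ptty",
    "426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218": "init10/bash10/sh10 copies",
    "48a9258c709e08cde0290b92107e247b8493274cc290735d0632c5fc0ba5d16d": "/tmp/cache_init",
}
# Dropper copies the reported cron entries launch, all in world-writable directories.
CRON_PAYLOADS = ("/var/tmp/init10", "/var/lock/bash10", "/dev/shm/sh10", "/tmp/init10")
KERNEL_THREAD_NAME = re.compile(r"^\[[^\]]+\]$")  # shape of the "[pdflush-0]" disguise

def known_hash_label(hexdigest):
    """Reported path for a known SHA-256 (e.g. output of sha256sum), else None."""
    return KNOWN_HASHES.get((hexdigest or "").strip().lower())

def suspicious_cron_lines(lines):
    """Crontab lines that invoke one of the reported dropper paths."""
    return [ln.strip() for ln in lines if any(p in ln for p in CRON_PAYLOADS)]

def masquerading_processes(procs):
    """procs: (pid, cmdline, exe) triples from /proc/<pid>/cmdline and /proc/<pid>/exe.
    Real kernel threads have an empty cmdline and no exe link; a process named like
    one but backed by an on-disk binary is the disguise the report describes."""
    return [(pid, cmd, exe) for pid, cmd, exe in procs
            if KERNEL_THREAD_NAME.match(cmd) and exe]

def scan_proc():
    """Live check on a Linux host: masquerading processes found under /proc."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmd = fh.read().split(b"\0")[0].decode(errors="replace")
            procs.append((int(pid), cmd, os.readlink(f"/proc/{pid}/exe")))
        except OSError:
            continue  # process exited, kernel thread, or not readable by this user
    return masquerading_processes(procs)

# Constructed sample input (not from the report) showing the detections firing.
SAMPLE_CRON = [
    "*/6 * * * * /var/tmp/init10 > /dev/null 2>&1 &",
    "0 3 * * * /usr/bin/updatedb",
    "*/3 * * * * /dev/shm/sh10 > /dev/null 2>&1 &",
]
SAMPLE_PROCS = [(2, "", ""), (4242, "[pdflush-0]", "/usr/sbin/events"), (900, "nginx: worker", "/usr/sbin/nginx")]
```

Run scan_proc() as root on a live host to apply the cmdline check; pair it with sha256sum over the listed paths and known_hash_label() for the file side.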

cPanelPeter commented 1 year ago

Thank you. I have updated the detections accordingly.