I've been wondering about these scripts that seem randomly placed in the SliTaz distribution, and are apparently being run through the /etc/crontab script somehow.
It seems that a collection of scripts residing in /bin perform the execution of downloading some binary executable to /boot, executing it, and then killing a long list of applications with strange names. What is going on?

/bin/get.sh, /boot/pro and family
(8 posts) (3 voices)
Posted 10 years ago #
Need more information please.
What tazpkg has these scripts?
What iso has these scripts?
What are the script names?
Paste the scripts at paste.slitaz.org and post the link to them in your reply.
Posted 10 years ago #
necrophcodr,
Wow, it's a real virus for Linux! :-D
It's such a rare event to meet some malware here, so very interesting. Please, share it with us.
And it's interesting too, if you can find the “dropper” that put this “company” on your filesystem.
P.S.
Searching for “get.sh” among all the files installed with all SliTaz packages:
tux@slitaz:~$ lzcat /var/lib/tazpkg/files.list.lzma | grep -F 'get.sh'
ptxdist: /usr/lib/buildroot/scripts/lib/ptxd_make_world_get.sh
ptxdist: /usr/lib/buildroot/scripts/lib/ptxd_make_get.sh
Searching for “get.sh” among all the Rolling “kitchen” files. All of them are accessible via ftp://cook.slitaz.org/ and there are thousands or millions of them. Scanning lasts about an hour and finished (really, breaks) with only this result:
lexeii@tank:~$ su -c "find /home/slitaz/cooking/chroot/home/slitaz/wok -type f -name 'get.sh'"
Password:
/home/slitaz/cooking/chroot/home/slitaz/wok/stellarium/source/stellarium-0.11.0/plugins/Satellites/util/get.sh
So ftp://cook.slitaz.org/stellarium/source/stellarium-0.11.0/plugins/Satellites/util/get.sh is not a virus.
I think this output (report.txt) can be useful (run as root):
tazpkg check --full > report.txt
P.P.S.
I searched the internet and found this text and this discussion. Does it look similar?
Posted 10 years ago #
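A defender's version of the search above, as an added example that is not code from the thread or from SliTaz: it lists files under audited directories that no installed package claims, using the same "pkg: /path" line format as files.list.lzma, and then reports which crontab entries invoke them. The package list, directories, file names and crontab line are a constructed fixture so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from SliTaz: audit directories for
# files that no installed package claims (the idea behind the files.list.lzma grep
# above) and report which of them the crontab invokes.
# Real inputs would be the decompressed /var/lib/tazpkg/files.list.lzma
# ("pkg: /path" per line), /bin, /boot and /etc/crontab; a constructed fixture
# stands in for them so the script runs offline.

# List regular files under the given dirs that are absent from the package list.
# $1 = decompressed files list ("pkg: /path" lines); remaining args = dirs to audit.
unowned_files() {
    list="$1"; shift
    find "$@" -type f | sort | while IFS= read -r f; do
        # drop the "pkg:" column and match the whole path, so /bin/get.sh is not
        # confused with /usr/lib/.../ptxd_make_get.sh or with /bin/get.sh.bak
        cut -d' ' -f2- "$list" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done
}

# For each path read from stdin, print the crontab entries that reference it.
# $1 = crontab file. Output: "<path> <- <crontab line>".
cron_refs() {
    while IFS= read -r f; do
        grep -F -- "$f" "$1" | sed "s|^|$f <- |"
    done
}

# --- constructed fixture: a fake root with two owned and two unowned files ---
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/bin" "$ROOT/boot" "$ROOT/etc"
for f in bin/ls bin/get.sh boot/vmlinuz boot/pro; do : > "$ROOT/$f"; done
printf 'busybox: %s/bin/ls\nlinux: %s/boot/vmlinuz\n' "$ROOT" "$ROOT" > "$ROOT/files.list"
printf '*/5 * * * * %s/bin/get.sh >/dev/null 2>&1\n0 * * * * /usr/sbin/logrotate\n' \
    "$ROOT" > "$ROOT/etc/crontab"

# Unowned files first, then the cron entries that run them. On a live SliTaz box:
#   lzcat /var/lib/tazpkg/files.list.lzma > /tmp/files.list
#   unowned_files /tmp/files.list /bin /boot | cron_refs /etc/crontab
unowned_files "$ROOT/files.list" "$ROOT/bin" "$ROOT/boot"
unowned_files "$ROOT/files.list" "$ROOT/bin" "$ROOT/boot" | cron_refs "$ROOT/etc/crontab"
```

Anything the audit prints is only a candidate: files installed outside the package manager (manual builds, local scripts) also show up, so compare hashes with VirusTotal or a clean install before treating a hit as malware.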
I'm very intrigued by how it could've gotten into my system, which I've spent so long securing. I guess it is never secure against the user. Anyway, I've confirmed that it is indeed the files you've posted. If anyone wants to take a look at the binaries downloaded, I packed them all up in a tarball. I've just finished running the tazpkg check command, and I'll post the result in just a minute.
Here they are:
https://dl.dropboxusercontent.com/u/5579836/rootkit.tar
https://dl.dropboxusercontent.com/u/5579836/report.txt
I intend on wiping the drive on which the malware had been placed. Fortunately it was only able to download itself to an SD card with no important data on it, and although sensitive data may have been transferred, no data has been lost so far :)
Posted 10 years ago #
It also appears to be a known malware: https://www.virustotal.com/en/file/4cc3bb9717b5d2273c4811187b2285c24a81d608338b78eaf88b7ba67abff4ef/analysis/
Posted 10 years ago #
Hi necrophcodr,
You made the right decision to wipe the compromised system.
Files from the tarball look similar. But I don't dare to run them on my box :-D
Sad, but that Chinese web server (botnet command center, heh?) doesn't respond anymore.
Your report.txt contains no interesting info inside; looks like you missed the "--full" option. Anyway, "tazpkg check" is kind of a little buggy.
Posted 10 years ago #
Alright Aleksej, I realised that my data may be useful for you later on after the wipe, which led me to (on a separate system, good thing I installed on an SD card) dd the entire raw data of the SD card to a file, which can then later on be mounted or run inside a virtual non-networked environment if need be.
I will sort out whatever data may remain on there from personal projects and systems, then release it somewhere for whoever would like to take a deeper look. Beware though, the SD card is 16GB and as such so is the image (barely).
Posted 10 years ago #
Hi necrophcodr,
Sorry, really I'm not interested in your data. Because I'm not a virus hunter. Just a coder-hobbyist ;)
Posted 10 years ago #