LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Closed Thread
Old 12-24-2017, 03:54 PM   #16
JAYCEE1
LQ Newbie
 
Registered: Jul 2007
Distribution: Mint 18.2
Posts: 15

Rep: Reputation: 2

How can we scan our system to see if we are infected?
 
2 members found this post helpful.
Old 12-25-2017, 02:55 AM   #17
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by mostafashaban View Post
thnkss
What a glorious first post. :sarcasm:
Textspeak or typo, no punctuation, and necrobumping.
Well, welcome to LQ anyhow. I appreciate the fact that you are actually saying thank you.

Quote:
Originally Posted by JAYCEE1 View Post
How can we scan our system to see if we are infected?
Please start a dedicated thread with a detailed problem description.
 
Old 01-11-2018, 06:17 PM   #18
Pearlseattle
Member
 
Registered: Aug 2007
Location: Zurich, Switzerland
Distribution: Gentoo
Posts: 999

Rep: Reputation: 142
Thumbs down

Quote:
Originally Posted by ondoho View Post
please start a dedicated thread with a detailed problem description.
In my opinion this is not useful, as this is a sticky thread (therefore attracting a lot of attention) => info about when to ignore the issue, or how to detect it if relevant in some context, should be added.
Just leaving it like this only generates uncertainty.
 
3 members found this post helpful.
Old 02-14-2018, 06:00 AM   #19
ruhirai
LQ Newbie
 
Registered: Feb 2018
Posts: 1

Rep: Reputation: Disabled
Very useful information shared!!
 
Old 04-21-2019, 04:18 AM   #20
malwaremustdie
LQ Newbie
 
Registered: Jun 2014
Location: /dev/random
Distribution: minix3
Posts: 12

Original Poster
Rep: Reputation: Disabled
A lot of incidents caused by packed ELF malware infection from actor SystemTen (aka "rocke"), for mining

The threat mentioned in the subject is hitting a lot of VPS on Intel x64 systems right now. I received many reports too, so it is necessary to write many details to help IR and admins dealing with these incidents. I wrote a report for incident handling purposes in the Imgur album below, as it contains many artifacts that can be useful for your incident case, and many pictures you can use as reference for handling this infection.

The report URL: https://imgur.com/a/H7YuWuj

Sample of incident: https://community.atlassian.com/t5/C.../qaq-p/1054605

The adversary calls themselves "SystemTen" (systemten[.]org) and originates from the China (PRC) mainland region. Previously they allegedly used the name "rocke" (I wasn't on those cases, so you just have to rely on some internet reports about previous incidents).

"SystemTen" is using the infrastructure below as their C2 and miner:

Code:
systemten[.]org:8080
systemten[.]org:51640
Their previous attacks have been detected coming from the IP addresses below:

Code:
134.209.104.20  | AS14061 | 134.209.96.0/20  | DIGITALOCEAN-ASN, DigitalOcean LLC, US
185.193.125.146 | AS37560 | 185.193.125.0/24 | CYBERDYNE, LR
104.31.92.233   | AS13335 | 104.31.80.0/20   | CLOUDFLARENET, Cloudflare Inc., US
Their servers are registered in the name servers below:

Code:
systemten.org.  NS  1-you.njalla.no.
systemten.org.  NS  2-can.njalla.in.
systemten.org.  NS  3-get.njalla.fo.

systemten.org.  NS  gail.ns.cloudflare.com.
systemten.org.  NS  karl.ns.cloudflare.com.
Their downloader is served under these two domain names, also on CloudFlare:

Code:
ooxx.ooo | 104.18.38.218 104.18.39.218 | AS13335 | 104.18.32.0/20 | CLOUDFLARENET, Cloudflare Inc., US
z9ls.com | 104.31.81.164 104.31.80.164 | AS13335 | 104.31.80.0/20 | CLOUDFLARENET, Cloudflare Inc., US

The above data is important for the mitigation of the threat. Thank you - malwaremustdie.org

Last edited by malwaremustdie; 04-21-2019 at 04:23 AM. Reason: adding info
 
Old 04-21-2019, 07:02 AM   #21
malwaremustdie
LQ Newbie
 
Registered: Jun 2014
Location: /dev/random
Distribution: minix3
Posts: 12

Original Poster
Rep: Reputation: Disabled
After the last posts I made on blog.malwaremustdie.org and kernelmode.info, I started my own moderated repository for Linux-specific malware research, to help infected people.

The new repository is here. I made a YouTube video so that everyone can choose how to view the repository, here.

LinuxQuestions.org friends are welcome to view.
 
Old 04-22-2019, 10:06 PM   #22
malwaremustdie
LQ Newbie
 
Registered: Jun 2014
Location: /dev/random
Distribution: minix3
Posts: 12

Original Poster
Rep: Reputation: Disabled
About the SystemTen (systemten[.]org) threat that infects Linux VPS, below is the latest infrastructure they use, for you to block.
Please see the previous thread for the details:

Code:
i.ooxx.ooo.               300  IN  A      45.63.0.102
1.z9ls.com.               600  IN  CNAME  1.z9ls.com.cdn.dnsv1.com.
1.z9ls.com.cdn.dnsv1.com. 600  IN  CNAME  1824153.sp.tencdns.net.
1824153.sp.tencdns.net.   180  IN  A      211.91.160.238
systemten.org.            900  IN  A      104.248.53.213
z9ls.com.                 600  IN  A      103.52.216.35

i.ooxx.ooo    | 45.63.0.102    | AS20473  | 45.63.0.0/20    | vultr.com/Choopa, LLC, US
1.z9ls.com    | 211.91.160.238 | AS4837   | 211.91.160.0/20 | CHINA169 UNICOM China169 Backbone, CN
systemten.org | 104.248.53.213 | AS14061  | 104.248.48.0/20 | DigitalOcean, LLC, US
z9ls.com      | 103.52.216.35  | AS132203 |                 | Tencent Bldg, Kejizhongyi Av, CN
malwaremustdie.org ^ about us: https://en.wikipedia.org/wiki/MalwareMustDie
 
1 members found this post helpful.
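The two posts above (#20 and #22) list the SystemTen domains and IP addresses as free text. The script below is an added example, not code from malwaremustdie or from the original posts: it collects those indicators (with the defanging brackets removed), greps a log for them with proper boundaries so that a lookalike such as notsystemten.org or 134.209.104.200 does not produce a false hit, and emits an nftables ruleset that drops outbound traffic to the listed addresses. The sample log lines, the table name systemten_block and the set name c2 are assumptions made for this example; on a real host you would feed it your resolver or connection logs instead.

```shell
#!/bin/sh
# Added example (not from the original posts): turn the SystemTen indicators
# listed in posts #20 and #22 into (a) a log-matching check and (b) an
# nftables blocklist. Indicators are copied from the posts with the
# defanging brackets removed; the log lines and the nft table/set names
# are assumptions made for this example.

IOC_DOMAINS="systemten.org ooxx.ooo i.ooxx.ooo z9ls.com 1.z9ls.com"
IOC_IPS="134.209.104.20 185.193.125.146 104.31.92.233 104.18.38.218 \
104.18.39.218 104.31.81.164 104.31.80.164 45.63.0.102 211.91.160.238 \
104.248.53.213 103.52.216.35"

# Constructed sample input (assumption, not from the posts): a few lines in
# dnsmasq query-log style and netfilter LOG style, so the script runs offline.
sample_log() {
cat <<'EOF'
Apr 22 10:01:02 vps dnsmasq[512]: query[A] systemten.org from 127.0.0.1
Apr 22 10:01:02 vps dnsmasq[512]: reply systemten.org is 104.248.53.213
Apr 22 10:01:05 vps dnsmasq[512]: query[A] mirrors.kernel.org from 127.0.0.1
Apr 22 10:02:11 vps kernel: OUT=eth0 DST=45.63.0.102 DPT=80
Apr 22 10:02:40 vps kernel: OUT=eth0 DST=93.184.216.34 DPT=443
EOF
}

# ioc_pattern: build one ERE covering every indicator.
# Domains: the character before must not be a label character except '.',
# so subdomains (i.ooxx.ooo) match but notsystemten.org does not.
# IPs: no digit or dot on either side, so 134.209.104.200 does not match
# the indicator 134.209.104.20.
ioc_pattern() {
  pat=""
  for d in $IOC_DOMAINS; do
    e=$(printf '%s' "$d" | sed 's/\./\\./g')
    pat="${pat}${pat:+|}(^|[^A-Za-z0-9-])${e}([^A-Za-z0-9-]|\$)"
  done
  for ip in $IOC_IPS; do
    e=$(printf '%s' "$ip" | sed 's/\./\\./g')
    pat="${pat}|(^|[^0-9.])${e}([^0-9.]|\$)"
  done
  printf '%s\n' "$pat"
}

# ioc_matches: print every stdin line that mentions an indicator.
ioc_matches() {
  grep -E -- "$(ioc_pattern)"
}

# ioc_match_count: number of hits in the constructed sample log.
ioc_match_count() {
  sample_log | ioc_matches | wc -l | tr -d ' '
}

# nft_blocklist: nftables ruleset dropping (and logging) outbound traffic to
# the indicator IPs. Load with:  nft_blocklist | nft -f -
nft_blocklist() {
  elems=$(printf '%s\n' $IOC_IPS | paste -sd, - | sed 's/,/, /g')
  cat <<EOF
table inet systemten_block {
  set c2 {
    type ipv4_addr
    elements = { $elems }
  }
  chain output {
    type filter hook output priority 0; policy accept;
    ip daddr @c2 counter log prefix "systemten-c2 " drop
  }
}
EOF
}

# Stand-alone run: show the hits in the sample log, then the ruleset.
sample_log | ioc_matches
nft_blocklist
```

Two caveats for real use. First, the Cloudflare addresses (104.18.x and 104.31.x, marked CLOUDFLARENET in the posts) are shared CDN edges; dropping them in the firewall also breaks every unrelated site served from the same edge, so for those it is better to block the domain names at the resolver and keep the IP rule for the VPS-hosted C2 addresses. Second, a grep over logs only tells you a host talked to this infrastructure; it is a starting point for the incident, not a clean bill of health when it finds nothing.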