How can we scan our system to see if we are infected?
Quote:
textspeak or typo, no punctuation, and necrobumping. Well, welcome to LQ anyhow. I appreciate the fact that you are actually saying thank you.
Quote:
Just leaving it like this generates only uncertainty.
Very useful information shared!!
A lot of incidents caused by ELF packed malware infection from actor: SystemTen (aka "rocke") for mining
The threat mentioned in the subject is hitting a lot of VPS on Intel x64 systems right now. I received many reports too, so it is necessary to write many details to help IR and admins dealing with these incidents. I wrote a report for incident-handling purposes in the Imgur album below, since it contains many artifacts that can be useful for your incident case, and many pictures you can use as reference for handling this infection.
The report URL: https://imgur.com/a/H7YuWuj
Sample of incident: https://community.atlassian.com/t5/C.../qaq-p/1054605
The adversary is calling themselves "SystemTen" (systemten[.]org), originating from the mainland China (PRC) region. Previously they allegedly used the name "rocke" (I wasn't on those cases, so you just have to rely on internet reports about the previous incidents). "SystemTen" is using the infrastructure below as their C2 and miner:
PHP Code:
The above data is important for mitigation of the threat. Thank you - malwaremustdie.org
After the last posts I made in blog.malwaremustdie.org and kernelmode.info, I started my own moderated repository for Linux malware specific research, to help infected people.
The new repository is here. I also made a YouTube video, here, so people can choose the way they want to view the repository. LinuxQuestions.org friends are welcome to view it.
About the SystemTen (systemten[.]org) threat that infects Linux VPS: below is the latest infrastructure they use, for you to block.
Please see the previous thread for the details:
Code:
i.ooxx.ooo. 300 IN A 45.63.0.102
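Added example, not code from the thread or from MalwareMustDie: a small Python check an admin can run on a Linux VPS to look for the indicators posted in this thread (the C2/miner host i.ooxx.ooo -> 45.63.0.102 and the systemten[.]org domain). The IoC values come from the thread; the sample /proc/net/tcp and DNS log lines are constructed for offline testing, and the address decoding assumes a little-endian x86-64 host as the thread describes.

```python
import socket
import struct

# Indicators posted in the thread; extend the sets as new ones are reported.
IOC_IPS = {"45.63.0.102"}
IOC_DOMAINS = {"i.ooxx.ooo", "systemten.org"}

def hex_to_ipv4(hex_addr: str) -> str:
    # /proc/net/tcp prints the IPv4 address as a native-endian 32-bit hex
    # value, so on x86-64 "0100007F" is 127.0.0.1 (assumption: little-endian).
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def find_ioc_connections(proc_net_tcp: str) -> list:
    # Return (local_ip, "remote_ip:port", state) for every socket whose
    # remote address is an IoC IP; state "01" means ESTABLISHED.
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_hex, remote_hex, state = fields[1], fields[2], fields[3]
        rip_hex, rport_hex = remote_hex.split(":")
        remote_ip = hex_to_ipv4(rip_hex)
        if remote_ip in IOC_IPS:
            local_ip = hex_to_ipv4(local_hex.split(":")[0])
            hits.append((local_ip, f"{remote_ip}:{int(rport_hex, 16)}", state))
    return hits

def find_ioc_dns(log_text: str) -> list:
    # Return log lines that query an IoC domain or any subdomain of one.
    hits = []
    for line in log_text.splitlines():
        for token in line.replace("[.]", ".").split():
            name = token.strip(".:,").lower()
            if any(name == d or name.endswith("." + d) for d in IOC_DOMAINS):
                hits.append(line)
                break
    return hits

# Constructed sample: one ESTABLISHED connection to the miner IP on port 80
# from 10.1.1.11, and one unrelated SSH session (local port 22).
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0B01010A:BD2C 66003F2D:0050 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 0B01010A:0016 0101A8C0:D6E4 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""
# Constructed sample of BIND-style query log lines, one naming the C2 host.
SAMPLE_DNS = """Jan 10 03:12:01 vps named[812]: client 10.1.1.11#41022: query: i.ooxx.ooo IN A
Jan 10 03:12:05 vps named[812]: client 10.1.1.11#41023: query: mirror.ubuntu.com IN A
"""
```

On a live host, feed `find_ioc_connections` the contents of /proc/net/tcp and `find_ioc_dns` your resolver's query log; a hit means the VPS is talking to, or resolving, the infrastructure listed above and needs the incident handling from the report.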