[SANS ISC] Malicious Network Traffic From /bin/bash

I published the following diary on isc.sans.org: “Malicious Network Traffic From /bin/bash“:

One of our readers from Germany sent me a malicious shell script captured by our honeypot running on his Raspberry. It’s a simple UNIX Bash script that performs a bunch of malicious tasks:

  • Kills existing crypto miner processes (classic action these days)
  • Changes the password of the user ‘pi’ and adds an SSH key
  • Changes the DNS resolver configuration and adds some DNS blackholes in /etc/hosts (redirecting to 127.0.0.1)
  • Creates an IRC bot
  • Installs extra tools like zmap and sshpass
  • Installs itself in /etc/rc.local for persistence
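The tasks listed above each leave a filesystem artifact, which is what a defender looks for on a suspect Pi. The following shell script is an added example written for this post, not the malicious script from the diary or anything from SANS ISC: each check takes a path, so it can be pointed at a mounted SD card image rather than the live system, and the sample tree it builds at the bottom (placeholder hostnames, a placeholder rc.local entry, placeholder SSH keys, a fake zmap binary) is constructed here purely to exercise the checks.

```shell
#!/usr/bin/env bash
# Added defensive example, not the diary's script. Finds the artifacts a script like
# the one described leaves behind: hosts-file blackholes, rc.local persistence, extra
# SSH keys for 'pi', and scanning tools. Paths and the sample tree are assumptions.
set -u

# Lines in a hosts file that map a name other than localhost to 127.0.0.1 or 0.0.0.0.
count_hosts_blackholes() {
  [ -f "$1" ] || { echo 0; return 0; }
  awk '$1 == "127.0.0.1" || $1 == "0.0.0.0" {
         for (i = 2; i <= NF; i++) {
           if ($i ~ /^#/) break                      # trailing comment: stop scanning
           if ($i !~ /^localhost/) { n++; next }    # count the line once
         }
       }
       END { print n + 0 }' "$1"
}

# Commands rc.local would run at boot: everything except comments, blank lines and
# the closing "exit 0". Anything printed here deserves a manual look.
rc_local_commands() {
  [ -f "$1" ] || return 0
  grep -Ev '^[[:space:]]*(#|$|exit[[:space:]]+0[[:space:]]*$)' "$1"
}

# Number of public keys in an authorized_keys file; compare with what you expect.
count_authorized_keys() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-)' "$1" | wc -l | tr -d ' '
}

# Names of the scanning / brute-force helpers found in a colon-separated search path.
find_scanner_tools() {
  local found="" dir name
  local IFS=':'
  for dir in $1; do
    for name in zmap sshpass; do
      if [ -x "$dir/$name" ]; then found="${found:+$found }$name"; fi
    done
  done
  echo "$found"
}

# --- constructed sample tree standing in for a compromised Pi filesystem ---------
SAMPLE_ROOT="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/etc" "$SAMPLE_ROOT/home/pi/.ssh" "$SAMPLE_ROOT/usr/bin"
cat > "$SAMPLE_ROOT/etc/hosts" <<'EOF'
127.0.0.1 localhost
::1       localhost ip6-localhost
# the lines below are the kind a malicious script appends (names are placeholders)
127.0.0.1 blocked-a.example
127.0.0.1 blocked-b.example # rival miner's update host
0.0.0.0   blocked-c.example
EOF
cat > "$SAMPLE_ROOT/etc/rc.local" <<'EOF'
#!/bin/sh -e
# rc.local
/tmp/.hidden/bot.sh &
exit 0
EOF
cat > "$SAMPLE_ROOT/home/pi/.ssh/authorized_keys" <<'EOF'
# placeholder keys, not real key material
ssh-ed25519 AAAAC3PLACEHOLDERKEYONE pi@raspberrypi
ssh-rsa AAAAB3PLACEHOLDERKEYTWO attacker
EOF
touch "$SAMPLE_ROOT/usr/bin/zmap" && chmod +x "$SAMPLE_ROOT/usr/bin/zmap"

echo "hosts blackholes : $(count_hosts_blackholes "$SAMPLE_ROOT/etc/hosts")"
echo "rc.local commands: $(rc_local_commands "$SAMPLE_ROOT/etc/rc.local" | wc -l | tr -d ' ')"
echo "authorized keys  : $(count_authorized_keys "$SAMPLE_ROOT/home/pi/.ssh/authorized_keys")"
echo "scanner tools    : $(find_scanner_tools "$SAMPLE_ROOT/usr/bin:$SAMPLE_ROOT/usr/local/bin")"
```

On a real device you would replace `$SAMPLE_ROOT` with the mount point of the image and also diff `/etc/resolv.conf` and `/etc/shadow` against a known-good backup, since the resolver change and the password change leave no marker that a pattern match can catch on their own.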
