Saturday, 1 June 2019

Blocking r1x Malware/Ransomware with IPTables on Linux

Block the IPs used by the malware with the following commands (run as root). One rule per direction is enough for each address: -d on OUTPUT drops connections to it, -s on INPUT drops connections from it.


For yxarsh.shop/r1x
====================

iptables -A OUTPUT -d 104.27.166.54 -j DROP

iptables -A INPUT -s 104.27.166.54 -j DROP



iptables -A OUTPUT -d 104.27.167.54 -j DROP

iptables -A INPUT -s 104.27.167.54 -j DROP

Note: 104.27.x.x is a shared Cloudflare edge range, so dropping these addresses can also block unrelated sites served from the same edge.


iptables -A OUTPUT -j DROP -d 69.28.55.86
iptables -A OUTPUT -j DROP -d 185.71.65.238
iptables -A OUTPUT -j DROP -d 140.82.52.87


For 2.jpeg
===========
166.78.155.151

iptables -A OUTPUT -j DROP -d 166.78.155.151


Now save the newly added iptables rules so they survive a reboot:

/sbin/service iptables save

or

iptables-save > /etc/sysconfig/iptables

Additionally, if no application on the host depends on them, you can uninstall the packages below (the malware uses them to download its payload).

wget
curl
python

If you do have dependencies, rename the binaries instead, e.g.:

#mv /usr/bin/curl /usr/bin/lruc

Do the same for 'wget' and 'python'.

Note that yum will not work while python is renamed or removed.

This is malware/ransomware. You must remove it from your system completely: both the running process and the files on disk.


It can run as any user, including root. Look for the process called "r1x".

You can find the user it runs as with "top" or in the output of this command:

ps aux | grep r1x

Then kill the process ("sustes") with -9, using the commands below:

ps -ef | grep r1x

kill -9 <PID>


Then look at the cron jobs of that user:

crontab -u username -l

If it contains this string:

* * * * https://yxarsh.shop/...

delete them all with:

crontab -r -u username


Another trick is to create a directory called r1x in the location from which you deleted the binary, so the downloader cannot write a new copy in its place.
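The iptables rules and the crontab check above, collected into one script as an added example (not code from the original post): rules are printed for review by default and only applied with --apply. The address list is the one given above; the file name block_r1x.sh is assumed, and the crontab lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Turns the address list and the
# crontab check into reusable functions: rules are printed first so they can
# be reviewed, and applied only on request. Address list is the post's own.

# Indicator addresses from the post (yxarsh.shop/r1x and 2.jpeg).
R1X_IPS="104.27.166.54 104.27.167.54 69.28.55.86 185.71.65.238 140.82.52.87 166.78.155.151"

# block_rules IP... : print one OUTPUT (-d) and one INPUT (-s) DROP rule per
# address. -I inserts at the head of the chain, so the DROP takes effect even
# if an earlier ACCEPT rule would otherwise match the traffic first.
block_rules() {
    for ip in "$@"; do
        printf 'iptables -I OUTPUT -d %s -j DROP\n' "$ip"
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# apply_rules IP... : add the same rules for real (needs root). iptables -C
# only checks whether a rule already exists, so re-running the script does
# not pile up duplicate rules.
apply_rules() {
    for ip in "$@"; do
        iptables -C OUTPUT -d "$ip" -j DROP 2>/dev/null ||
            iptables -I OUTPUT -d "$ip" -j DROP
        iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ||
            iptables -I INPUT -s "$ip" -j DROP
    done
}

# cron_hits [FILE] : print crontab lines that reference the downloader domain
# or a binary named r1x; reads stdin when no file is given. Exit status is 1
# when nothing matches, so it can be used directly in an if.
cron_hits() {
    grep -E 'yxarsh\.shop|(^|[/ ])r1x([ ;&|]|$)' "$@"
}

case "${1:-}" in
    --apply) apply_rules $R1X_IPS ;;   # real change; then save as shown above
    *)       block_rules $R1X_IPS ;;   # dry run: only print the rules
esac
```

Check one user's cron entries with `crontab -u username -l | cron_hits`; `sh block_r1x.sh --apply` installs the rules, after which save them with the service/iptables-save commands above.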
