I’ve found one of my installations infected with this too.
Can we try to narrow down what we have in common to work out the infection method?
I am running Release 2.0.RC2, set up and running since circa 17/02/2013.
I have (open to the world):
- Port 80 (the web interface)
- Port 443 (the web interface)
- Some LAN-to-LAN (OpenVPN) connections.
-rwxr-xr-x 1 root root 23289 Nov 21 2012 .DB.001
Yet other installations have not been infected.
OK Installation 1 = Release 2.0.RC2 / Port 80 (Zeroshell server) only open to the world (Port 443 is blocked) running for about a year.
OK Installation 2 = Release 2.0.RC2 / No ports open to the world running for about 2 months
OK Installation 3 = Release 2.0.RC1 / Port 80, 443 and SSH open to the world running for about a year
Both the hosts referenced in the copy I have are the same as the OP.
Luckily both of these don’t resolve and given the date on the infection I presume this must be a very, very old infection that we’ve only just discovered.
root@zeroshell DB> pstree -Gp
root@zeroshell DB> ps aux | grep 14049
root 7832 0.0 0.0 1944 244 pts/0 S 03:33 0:00 grep 14049
root 14049 0.0 0.2 2036 640 ? S 2013 64:09 sleep 1800
I killed and reloaded the process; it spawned two copies of itself and instantly tried to resolve zeroshell.will.mx and zeroshell.samhan.biz.
I forced my network to respond with an IP, and the infection then tried to contact zeroshell.will.mx on port 53 over TCP using the IRC protocol:
USER DCRK localhost localhost :VQYJWO
Tom – http://www.mouselike.org
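As an added example (not from the poster or the Zeroshell project), a small detector for the two network indicators described above: an IRC client registration sent on TCP/53, and lookups of the two hostnames. The flow-record and DNS-log formats are hypothetical and the sample lines are constructed; only the USER line and the two hostnames come from the post.

```python
import re
from typing import Dict, List

# Hostnames the infected process tried to resolve, as reported in the post.
C2_HOSTNAMES = {"zeroshell.will.mx", "zeroshell.samhan.biz"}

# An IRC client opens its session with NICK/USER (optionally PASS).
IRC_REGISTRATION = re.compile(r"^(NICK|USER|PASS)\s+\S+", re.IGNORECASE)

# Constructed flow records (hypothetical format: "src dst:port proto payload").
# The first payload copies the USER line quoted in the post.
SAMPLE_FLOWS = [
    "10.0.0.5 192.0.2.10:53 tcp USER DCRK localhost localhost :VQYJWO",
    "10.0.0.5 192.0.2.10:53 tcp NICK DCRK",
    "10.0.0.7 192.0.2.53:53 tcp \\x00\\x1c\\x8a\\x1b",  # length-prefixed DNS, not IRC
    "10.0.0.9 198.51.100.4:6667 tcp USER bob 0 * :Bob",  # IRC on its usual port
]

# Constructed DNS query log (hypothetical format: "client query qname").
SAMPLE_DNS_LOG = [
    "10.0.0.5 query zeroshell.will.mx",
    "10.0.0.5 query zeroshell.samhan.biz",
    "10.0.0.7 query www.example.com",
]

def irc_on_dns_port(record: str) -> bool:
    """True when a TCP flow to port 53 starts with an IRC registration command.
    Real DNS over TCP begins with a 2-byte length prefix, never ASCII 'USER '."""
    _src, dst, proto, payload = record.split(" ", 3)
    port = int(dst.rsplit(":", 1)[1])
    return proto == "tcp" and port == 53 and IRC_REGISTRATION.match(payload) is not None

def flag_flows(records: List[str]) -> List[str]:
    """Source IPs that spoke IRC on TCP/53, de-duplicated, in first-seen order."""
    seen: List[str] = []
    for rec in records:
        if irc_on_dns_port(rec):
            src = rec.split(" ", 1)[0]
            if src not in seen:
                seen.append(src)
    return seen

def flag_dns_queries(lines: List[str]) -> Dict[str, List[str]]:
    """Map each client that looked up a known C2 hostname to the names it asked for."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        client, _kw, qname = line.split(" ", 2)
        if qname.lower().rstrip(".") in C2_HOSTNAMES:
            hits.setdefault(client, []).append(qname)
    return hits

if __name__ == "__main__":
    print("IRC on TCP/53 from:", flag_flows(SAMPLE_FLOWS))
    print("C2 lookups:", flag_dns_queries(SAMPLE_DNS_LOG))
```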