Only one of the binaries is for arm (tfti). Others are for x86 and mips.
All symbols are stripped off the binaries. I only see two quick clues : an irc server url, and two japanese strings that also appear in this article :
http://www.edison-newworld.com/2017/09/linuxtsunami-malware-...
Perl scripts join an IRC chan, wait for commands and google for vulnerable sites to exploit and/or exploit them. They also contain a nice list of proxies.
Thanks for looking into this! Yes I had open the port 22 and my password was not safe enough I guess. Or alternatively this hack was due a web app I was running in Flask with some vulnerabilities. Stranger thing: the hack happened back in March 2017 but got activated exactly on Jan 1 2018.
3 comments
[ 4.4 ms ] story [ 14.0 ms ] threadThe images .gif are in reality php scripts (food.gif and food2.gif)
The scripts modify also the crontab and add:
#* * * * * /home/pi/udevd > /dev/null 2>&1 & #* * * * * /tmp/romerito > /dev/null 2>&1 & #* * * * * /home/pi/kblockd > /dev/null 2>&1 & #* * * * * /var/tmp/tfti > /dev/null 2>&1 &
I was running raspbmc on the raspberry pi.
It seems the scripts were there before and got activated just today.
Perl scripts join an IRC chan, wait for commands and google for vulnerable sites to exploit and/or exploit them. They also contain a nice list of proxies.
Do you know how you got hacked ?