May 4, 2020 09:37 · October 28, 2019 08:17 · December 11, 2018 20:51 · November 12, 2016 02:06 · June 21, 2016 21:13 · October 19, 2015 19:50
 ## Overview

 What we know so far:
 Source: https://github.com/saltstack/salt/issues/57057
 Payload distribution point: https://bitbucket.org/samk12dd/git/src/master/ --update: now defunct
 Updated payload distrib URL: http://413628.selcdn.ru/cdn/salt-storer
 Bootloader distribution link: http://89.223.121.139/sa.sh
 backup CNC command source: http://54.36.185.99/c.sh
 This is a crypto-mining operation. salt-minions is a compiled xmrig binary (https://github.com/xmrig/xmrig).
 salt-store contains a RAT, nspps (https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/).
 ### Keybase proof

 I hereby claim:

  * I am cachedout on github.
  * I am mike_place (https://keybase.io/mike_place) on keybase.
  * I have a public key ASBIPskwHSk1KxyzPm_y0EquFvnhsVh8DLulPip-UjMawQo

 To claim this, I am signing this object:
 PARSING DSN

 wrongparsing host: wrong:test@tcp(127.0.0.1:3306)/

 goroutine 1 [running]:

 runtime/debug.Stack(0x20, 0x0, 0xc00068eeb8)

 /usr/local/Cellar/go/1.11.2/libexec/src/runtime/debug/stack.go:24 +0xa7
 mp@silver ...devel/salt/salt % ping 198.60.22.4                                                                                                                  (git)-[cli_lite] 
 PING 198.60.22.4 (198.60.22.4) 56(84) bytes of data.
 64 bytes from 198.60.22.4: icmp_seq=1 ttl=61 time=1223 ms
 64 bytes from 198.60.22.4: icmp_seq=2 ttl=61 time=1493 ms
 64 bytes from 198.60.22.4: icmp_seq=3 ttl=61 time=1610 ms
 64 bytes from 198.60.22.4: icmp_seq=4 ttl=61 time=1950 ms
 64 bytes from 198.60.22.4: icmp_seq=5 ttl=61 time=1567 ms
 ^C
 --- 198.60.22.4 ping statistics ---
 6 packets transmitted, 5 received, 16% packet loss, time 5012ms
 diff --git a/salt/state.py b/salt/state.py
 index a6d1932..92fc142 100644
 --- a/salt/state.py
 +++ b/salt/state.py
 @@ -627,7 +627,8 @@ class State(object):
         Execute the aggregation systems to runtime modify the low chunk
         '''
         agg_opt = self.functions['config.option']('state_aggregate')
 -        if low.get('aggregate') is True:
 +#        if low.get('aggregate') is True:
 Downloading Packages:
 PyYAML-3.10-3.el6.x86_64.rpm                                           | 157 kB     00:00     
 Running rpm_check_debug
 Running Transaction Test
 Transaction Test Succeeded
 Running Transaction
  Installing : PyYAML-3.10-3.el6.x86_64                                                   1/1 
 Error unpacking rpm package PyYAML-3.10-3.el6.x86_64
 error: unpacking of archive failed on file /usr/lib64/python2.6/site-packages/PyYAML-3.10-py2.6.egg-info: cpio: rename
  Verifying  : PyYAML-3.10-3.el6.x86_64                                                   1/1 
 Index: salt/client/__init__.py
 IDEA additional info:
 Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
 <+>UTF-8
 ===================================================================
 --- salt/client/__init__.py	(date 1386195501000)
 +++ salt/client/__init__.py	(revision )
 @@ -1028,6 +1028,7 @@
             yield {}
         # Wait for the hosts to check in
 precise64:
 ----------
    State: - file
    Name:      /tmp/f/g/foo.txt
    Function:  managed
        Result:    False
        Comment:   An exception occurred in this state: Traceback (most recent call last):
  File "/salt_mount/salt/state.py", line 1265, in call
    # state call.
  File "/salt_mount/salt/states/file.py", line 1135, in managed
 Index: salt/states/user.py
 IDEA additional info:
 Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
 <+>UTF-8
 ===================================================================
 --- salt/states/user.py	(revision e013d26cac0e87bcbcb87c55a792a8480ae7045a)
 +++ salt/states/user.py	(revision )
 @@ -258,7 +258,7 @@
             log.warning('Group "{0}" specified in both groups and '
                         'optional_groups for user {1}'.format(isected, name))
	## Overview

	What we know so far:
	Source: https://github.com/saltstack/salt/issues/57057
	Payload distribution point: https://bitbucket.org/samk12dd/git/src/master/ --update: now defunct
	Updated payload distrib URL: http://413628.selcdn.ru/cdn/salt-storer
	Bootloader distribution link: http://89.223.121.139/sa.sh
	backup CNC command source: http://54.36.185.99/c.sh
	This is a crypto-mining operation. salt-minions is a compiled xmrig binary (https://github.com/xmrig/xmrig).
	salt-store contains a RAT, nspps (https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/).
	### Keybase proof

	I hereby claim:

	* I am cachedout on github.
	* I am mike_place (https://keybase.io/mike_place) on keybase.
	* I have a public key ASBIPskwHSk1KxyzPm_y0EquFvnhsVh8DLulPip-UjMawQo

	To claim this, I am signing this object:
	PARSING DSN

	wrongparsing host: wrong:test@tcp(127.0.0.1:3306)/

	goroutine 1 [running]:

	runtime/debug.Stack(0x20, 0x0, 0xc00068eeb8)

	/usr/local/Cellar/go/1.11.2/libexec/src/runtime/debug/stack.go:24 +0xa7
	mp@silver ...devel/salt/salt % ping 198.60.22.4 (git)-[cli_lite]
	PING 198.60.22.4 (198.60.22.4) 56(84) bytes of data.
	64 bytes from 198.60.22.4: icmp_seq=1 ttl=61 time=1223 ms
	64 bytes from 198.60.22.4: icmp_seq=2 ttl=61 time=1493 ms
	64 bytes from 198.60.22.4: icmp_seq=3 ttl=61 time=1610 ms
	64 bytes from 198.60.22.4: icmp_seq=4 ttl=61 time=1950 ms
	64 bytes from 198.60.22.4: icmp_seq=5 ttl=61 time=1567 ms
	^C
	--- 198.60.22.4 ping statistics ---
	6 packets transmitted, 5 received, 16% packet loss, time 5012ms
	diff --git a/salt/state.py b/salt/state.py
	index a6d1932..92fc142 100644
	--- a/salt/state.py
	+++ b/salt/state.py
	@@ -627,7 +627,8 @@ class State(object):
	Execute the aggregation systems to runtime modify the low chunk
	'''
	agg_opt = self.functions['config.option']('state_aggregate')
	- if low.get('aggregate') is True:
	+# if low.get('aggregate') is True:
	Downloading Packages:
	PyYAML-3.10-3.el6.x86_64.rpm \| 157 kB 00:00
	Running rpm_check_debug
	Running Transaction Test
	Transaction Test Succeeded
	Running Transaction
	Installing : PyYAML-3.10-3.el6.x86_64 1/1
	Error unpacking rpm package PyYAML-3.10-3.el6.x86_64
	error: unpacking of archive failed on file /usr/lib64/python2.6/site-packages/PyYAML-3.10-py2.6.egg-info: cpio: rename
	Verifying : PyYAML-3.10-3.el6.x86_64 1/1
	Index: salt/client/__init__.py
	IDEA additional info:
	Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
	<+>UTF-8
	===================================================================
	--- salt/client/__init__.py (date 1386195501000)
	+++ salt/client/__init__.py (revision )
	@@ -1028,6 +1028,7 @@
	yield {}
	# Wait for the hosts to check in
	precise64:
	----------
	State: - file
	Name: /tmp/f/g/foo.txt
	Function: managed
	Result: False
	Comment: An exception occurred in this state: Traceback (most recent call last):
	File "/salt_mount/salt/state.py", line 1265, in call
	# state call.
	File "/salt_mount/salt/states/file.py", line 1135, in managed
	Index: salt/states/user.py
	IDEA additional info:
	Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
	<+>UTF-8
	===================================================================
	--- salt/states/user.py (revision e013d26cac0e87bcbcb87c55a792a8480ae7045a)
	+++ salt/states/user.py (revision )
	@@ -258,7 +258,7 @@
	log.warning('Group "{0}" specified in both groups and '
	'optional_groups for user {1}'.format(isected, name))