The cause is that as soon as a client starts the server, it is killed in a few seconds, and then the error log does not show anything. Server is jVM-based, so there could be an article on how to tell which process is killing a process.
Be confident that it was not our code that caused the JVM crash, no doubt it was one of the security script boys.
Search, search, search, crontab, mount, camouflage these things. As for tampering with PS,top hidden process, I believe that most script boy also do not have this ability, of course, stem this line is a lot of inheritance, can not carry its strong family, it is difficult to say that there are ancestral artifacts. Well, it turned out to be an executable named x86-64 in the.log directory. Is I to the heart of the villain degree gentleman’s stomach, the somebody else did not hide the PS operation, is every second up to kill a CPU occupy the most procedures so as not to affect it work. This scheming bitch, but also a name so confusing, I believe you are the system file not to touch?
Cp a copy, save the backup, killall, and analyze it. Vim sees that if it’s not a script, it’s elf.
There are several tools available for quick analysis of ELF files in Linux, one is readelf, one is objdump, and the other is LDD. LDD is commonly used to analyze dynamically loaded libraries, and objdump is used for decompiling. However, these tools are not always effective against malicious files. For statically compiled programs, for example, or mutated scripts, LDD does not work. For programs without section tables, objdump may not be able to produce results.
#objdump -d ./wi
./wi: file format elf64-x86-64
Copy the code
Since objdump relies on code sections or section tables, you can use Readelf to check this out
[root@localhost ~]# readelf -a ./wi
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Advanced Micro Devices X86-64 Version: 0x1 Entry point address: 0x5c9e70 Start of program headers: 64 (bytes into file) Start of section headers: 0 (bytes into file) Flags: 0x0 Size of this header: 64 (bytes) Size of program headers: 56 (bytes) Number of program headers: 3 Size of section headers: 64 (bytes) Number of section headers: 0 Section header string table index: 0 There are no sections in this file. There are no sections to group in this file. Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align LOAD 0x0000000000000000 0x0000000000400000 0x0000000000400000 0x00000000001ca78b 0x00000000001ca78b R E 200000 LOAD 0x0000000000000000 0x00000000005cb000 0x00000000005cb000 0x0000000000000000 0x0000000000597d58 RW 1000 GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RW 10 There is no dynamic section in this file. There are no relocations in this file. The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported. Dynamic symbol information is not available for displaying symbols. No version information found in this file.Copy the code
So in this case, -d means disassemble the entire file, -b means binary, and -m means instruction set schema
[root@localhost ~]# objdump -b binary -D -m i386 ./wi
./wi: file format binary
Disassembly of section .data:
00000000 <.data>:
0: 7f 45 jg 0x47
2: 4c dec %esp
3: 46 inc %esi
4: 02 01 add (%ecx),%al
6: 01 00 add %eax,(%eax)
...
10: 02 00 add (%eax),%al
12: 3e 00 01 add %al,%ds:(%ecx)
15: 00 00 add %al,(%eax)
Copy the code
In addition, tools such as Strace and GDB can also help. Of course, big weapons like IDA are more effective. This is just a superficial, even if dump such a pile of assembly code, what is the use of, not so easy to understand.
How am I supposed to convince anyone that this isn’t a normal binary? Its sordid concealment is not enough.
So how can a perfectly good ELF executable have no section table? Simple, script boys like to play tricks, and it’s easy to think of shells, and the most obvious shell to think of on Linux is UPX.
[root@localhost ~]# strings ./wi |grep UPXnUPX! ($Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
UPX!u
UPX!
UPX!
Copy the code
Script boy work or rough, also do not know to hide the shell. Get that fucking shell off of him
[root@localhost ~]# ./upx -d wi
Ultimate Packer forUPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020 File size Ratio Format Name -------------------- ------ ----------- ----------- 5011080 < -1878380 37.48% Linux/AMD64 WI Unpacked 1 file.Copy the code
If the script boy hides the UPX shell, then the UPX -d command cannot be unmasked, and IDA is used instead. The essence of the shell is to compress and encrypt all the data of the original program, which cannot be analyzed in static files. With the execution of the program, the code will be released into memory at runtime. We can use IDA remote debugging test program, find upX self-unhulled OEP, and then dump the memory, can implement manual unhulled. How to find OEP, this is a matter of experience.
After the unshell, continue to use strings, strace, netstat and other commands for qualitative analysis.
At this point, the strings command is enough to figure out what it’s doing.
[1;37monnection
* COMMANDS 'h' hashrate, 'p' pause, 'r' resume, 's' results, 'c' connection
>wz
*ctz>3>c)
:w 3
[32m||
[31m ERROR
[32m||
[37m Invalid Port Use In This Range
[36m'1-65535'
[37me.g
[31m ( ./xmrig -p 3333 )
[32m||
[31m ERROR
[32m||
[37m Invalid Class You Can Use Only These Classes
[36m'192.168'
[32m,
[36m'172'
[32m,
[36m'100'
[32m,
[36m'10'[37 m um participant [31 m (. / xmrig - LAN 192.168.0.1) [32 m | | [31 m ERROR [32 m | | [37 m Empty Or Invalid Pool AddressCopy the code
Can also analyze is C++ written Trojan. Want to disassemble C++ source files, you suck. Objdump has to rely on debug messages, and script boys don’t do that. For C++ source files, you can only use IDA dump, which also produces an approximate source file.
Of course, the most simple is directly uploaded to virustotal, finally the results proved to be a Linux. Risk. Bitcoinminer. Tbix.
Oh, script boy.