
A case study of Linux being invaded and the mining process hidden

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article is reproduced from "FreeBuf.COM". The original authors: Fooying, zhenyiguo, murphyzhang

I. Background

Yunding Lab has analyzed many intrusion-and-mining cases and found that the behaviour is usually rough and simple: the malicious process can be seen directly with commands such as top, and no effort is made to hide it. Now we find that attackers are increasingly using hiding techniques to keep the mining process alive for longer. This analysis covers one such intrusion-and-mining incident that we captured in the past month.

II. Intrusion analysis

Compared with past cases, the intrusion process in this case has nothing special: it also exploits a common vulnerability to break into the server and obtain the relevant permissions, then implants the mining program and hides it.

Through the analysis of several cases, we find that the attackers mainly exploit Redis unauthorized access to break in. For an explanation of this problem, see some analysis we have done in the past:

https://mp.weixin.qq.com/s/inazTPN5mHJYnt2QDliv8w

After the server is compromised, the slowdown caused by the consumption of server resources is obvious. Some abnormal information can be found with conventional means, but no process information is visible:

Through the top command, the displayed CPU usage is low, but the ni value is 100; at the same time, the CPU usage calculated from /proc/stat is basically 100%.

Checking listening ports with netstat also shows abnormal connections.

Querying the IP in VirusTotal shows that the DNS records point to the domain name of a mining pool.

Using the find command to locate files changed within the time window of the intrusion, then examining and analysing those files, we can basically confirm the process-hiding technique used by the attackers.

Several mining programs can be seen among the changed files, and the change to /etc/ld.so.preload deserves attention. It involves the Linux dynamic-link-library preloading mechanism, which is a commonly used process-hiding method; commands such as top are affected by it.

During the dynamic link library loading process of the Linux operating system, the dynamic linker reads the value of the LD_PRELOAD environment variable and the contents of the default configuration file /etc/ld.so.preload, and preloads the dynamic link libraries it reads. Even if the program does not depend on these dynamic link libraries, the ones specified in the LD_PRELOAD environment variable and the /etc/ld.so.preload configuration file will still be loaded. They have higher priority than the library lookup path defined by the LD_LIBRARY_PATH environment variable, so they are loaded ahead of the dynamic libraries called by the user.

-- This paragraph is quoted from "Be on guard against backdoors using Linux preloaded malicious dynamic link libraries"

Looking at the contents of the file shows that a .so file is loaded: /usr/local/lib/libjdk.so

And this file is also on the file change list.

We can also see the relevant preloaded library in the maps information (/proc/<pid>/maps) of the processes started afterwards:

Reverse analysis of libjdk.so confirms that its main function is to filter out the mining process, as shown in the analysis below.

Knowing the hiding technique used by the attackers, we directly edit the /etc/ld.so.preload file to remove the relevant entry, after which the top command shows the mining process:

By viewing the process information under /proc/, we can find its location, see the relevant files, and clean them up directly:

Continuing to analyse the changed files, we can see that other related files were changed as well; for example, the attacker achieves startup by modifying the /etc/rc.d/init.d/network file:

/etc/resolv.conf is modified at the same time:

The HOSTS file has also been modified, presumably to block other mining programs and competing attackers:

Firewall rules are added at the same time:

Querying the IP shows that it is a foreign IP:

III. Sample analysis

Reverse analysis of the sample shows that libjdk.so mainly hooks the two functions readdir and readdir64.

The structure of the modified readdir function is as follows (the readdir64 function is similar):

get_dir_name function structure:

get_proces_name function structure:

The process_to_filter constant is defined as follows:

Taken together, the function checks whether the directory being read is /proc and, if so, filters out any entry whose process name is x7 during traversal; x7 is the name of the mining process.

Commands such as top and ps call readdir to traverse the /proc directory when building the process list, so the mining process x7 is filtered out and never appears in the list.
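As an added defender-side check (not code from the original article or from the analysed sample), the following Python script lists the libraries forced in by /etc/ld.so.preload and compares the readdir() view of /proc with a stat()-based probe: a hook like the one in libjdk.so filters readdir but not stat, so a PID present in the probed set but absent from the listed set is being hidden. It assumes a Linux host with /proc mounted and that no other hiding technique is in play.

```python
import os
import re

def parse_preload(text):
    """Paths in an ld.so.preload body (split on whitespace or ':', '#' comments)."""
    libs = []
    for line in text.splitlines():
        libs.extend(p for p in re.split(r"[\s:]+", line.split("#", 1)[0]) if p)
    return libs

def listed_pids():
    """PIDs as readdir() reports them: os.listdir uses readdir, so a hooked libc filters this view."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def probed_pids(max_pid=None):
    """PIDs found by stat()ing /proc/<pid> directly; the readdir hook does not touch stat."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except OSError:  # no such PID
            pass
    return found

def hidden_pids(listed, probed):
    """PIDs reachable through stat but missing from the readdir view."""
    return sorted(probed - listed)

def confirmed_hidden(max_pid=None):
    """Hidden PIDs, re-listed afterwards so a PID born mid-scan is not reported."""
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return [p for p in hidden_pids(before, probed) if p not in after]

if __name__ == "__main__":
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            for lib in parse_preload(fh.read()):
                print("preloaded into every process:", lib)
    for pid in confirmed_hidden():
        with open(f"/proc/{pid}/comm") as fh:  # may fail if it just exited
            print("hidden from readdir:", pid, fh.read().strip())
```

A full probe walks every PID up to pid_max, which takes a few seconds in Python; any non-empty result should be followed by reading the /proc/<pid>/exe and /proc/<pid>/maps of the reported PID before cleanup.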

IV. Appendix

IOCs:

