Shulou(Shulou.com)05/31 Report--
This article explains how to deal with a Linux mining Trojan. Many people run into this situation in real incidents, so the editor will walk you through how to handle it; I hope you read it carefully and get something out of it!
I. Background of the event
We recently received customer feedback that a Linux machine had become sluggish, with CPU usage exceeding 90%, and mining was suspected. The EDR security team immediately carried out emergency response and found that the malware was a new type of Linux mining Trojan, so we conducted an in-depth analysis of the sample.
II. Sample analysis
1. Makes DNS query requests for a series of mining pool addresses, as follows:
The corresponding pool addresses are listed as follows:
2. Removes the file protection attribute with chattr -i and re-infects the host system, as follows:
3. Obtains its own file path through /proc/[process ID]/exe, as follows:
4. Concatenates strings in memory, as follows:
The corresponding command line is as follows:
5. Runs /bin/sh to execute the command assembled above, copies itself, adds the corresponding autostart entries and persists, as shown below:
The corresponding disassembly code is as follows:
6. Deletes itself via rm -f, as follows:
7. Modifies the resolv.conf configuration file, as follows:
The corresponding disassembly code is as follows:
The modified resolv.conf file is as follows:
8. Modifies the crontab scheduled task file, as follows:
The corresponding disassembly code is as follows:
9. The contents of the modified scheduled task file are as follows:
10. Checks whether the following files can be read, as follows:
11. Replaces the top program of the original system, as follows:
Writes the data in memory to the newly generated top program, as follows:
12. Modifies the protection attribute of the copied file, as follows:
13. Generates a temporary log file, mmlog, as follows:
14. Sets system memory properties and so on, as follows:
15. Kills other processes that make network requests, as follows:
16. Kills other mining processes, as follows:
Executes the following command through /bin/sh:
17. Starts a new mining process and then carries out mining; the name of the mining process is picked at random from the list, as follows:
The random process list is as follows:
[aio] [async] [ata] [ata_aux] [bdi-default] [cpuset] [crypto] [ecryptfs-kthrea]
[events] [ext4-dio-unwrit] [flush-251:0] [flush-8:0] [jbd2] [kacpi_hotplug]
[kacpi_notify] [kacpid] [kblockd] [kconservative] [kdmflush] [khelper] [khubd]
[khungtaskd] [kintegrityd] [kmmcd] [kmpath_handlerd] [kmpathd] [kondemand]
[kpsmoused] [kseriod] [ksmd] [ksnapd] [ksoftirqd] [kstriped] [ksuspend_usbd]
[kswapd0] [kswapd1] [kthreadd] [migration] [netns] [pm] [scsi_eh_0] [sync_supers]
[usbhid_resumer] [watchdog] [xfs_mru_cache] [xfsaild] [xfsbufd] [xfsconvertd]
[xfsdatad] [xfslogd] [xfssyncd]
18. The built-in mining program starts mining through its configuration file, as follows:
19. A Python script is also embedded in the program to download and execute a further payload. Because the remote server address is no longer valid, the corresponding sample could not be downloaded and therefore could not be analyzed. The extracted Python script is as follows:
20. The captured packets are as follows. The sample issues DNS requests for the corresponding mining pool addresses in batch, as follows:
The network packets for mining are as follows:
Tracking the TCP data flow is as follows:
Querying the IP address of the mining pool on VT (VirusTotal) shows the following:
Wallet address:
462ESZn57F4fBneHKXhnEM4TmgCvgrsErGJBLY1T61fmKGymjFuEZup6pnqhT3iJtw4fgbsjdPLwUgsGnr1zzDKuFSkZaF1
Query by wallet address, as follows:
III. Solutions
The cleanup procedure for this Linux mining Trojan is as follows:
1. End the related processes: find them with ps; the mining process name is one of the names in the random process list above.
The process [xfslogd] occupies a high share of CPU. It was terminated with kill -9 24984. At the same time, we can see that the process was created by the parent sample we analyzed.
2. Clean up scheduled tasks
Remove the last line, which starts libiacpkmn.so.3 on a schedule.
3. Remove the libiacpkmn.so.3 file from the /usr/lib/ directory: clear the file protection attribute (chattr -i) and then delete it.
4. Remove the nfstruncate files from the /bin and /etc/init.d directories: clear the file protection attributes and then delete them.
5. Remove the file links under the rc*.d directories, that is, the S01nfstruncate links in rc0.d through rc6.d.
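The two defender-side steps above (spotting the miner that hides behind a kernel-thread name, step 17 and solution 1, and removing the persistence from solutions 2 to 5) as an added shell example; this is not code from the original article. Both helpers take a root directory so they can be exercised on a constructed tree; the Debian-style /etc/rc[0-6].d layout and /etc/crontab as the modified cron file are assumptions, the article does not name them.

```shell
#!/bin/sh
# Added example (not code from the original article): two defender-side helpers
# for the findings above. The first spots a user-space miner hiding behind a
# kernel-thread-style name such as [xfslogd] (step 17 / solution 1); the second
# removes the persistence files from solutions 2-5. Both accept a root directory
# so they can be run against a constructed tree. Assumptions: Debian-style
# /etc/rc[0-6].d layout and /etc/crontab as the modified cron file.

# suspicious_kthread_names [PROC_ROOT]: print "PID CMDLINE EXE" for each process
# whose real command line starts with "[". Genuine kernel threads have an empty
# cmdline (ps adds the brackets itself), so a bracketed argv[0] is a fake.
suspicious_kthread_names() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        cmd=$(tr '\0' ' ' < "$d/cmdline")
        case "$cmd" in
            \[*) ;;            # e.g. "[xfslogd] ", "[kswapd0] "
            *) continue ;;
        esac
        # a kernel thread has no exe target; a miner does ("(deleted)" if self-removed)
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "${d##*/}" "${cmd% }" "$exe"
    done
}

# remove_persistence [ROOT]: strip the immutable bit, delete the dropped files
# and rc links named in the solution section, then drop the crontab line.
remove_persistence() {
    root="${1:-}"
    for f in "$root/usr/lib/libiacpkmn.so.3" "$root/bin/nfstruncate" \
             "$root/etc/init.d/nfstruncate" "$root"/etc/rc[0-6].d/S01nfstruncate; do
        [ -e "$f" ] || [ -L "$f" ] || continue     # -L: the rc link may be dangling
        chattr -i "$f" 2>/dev/null || true          # no-op without root or attrs
        rm -f "$f"
    done
    cron="$root/etc/crontab"
    if [ -f "$cron" ]; then
        tmp=$(mktemp)
        grep -v 'libiacpkmn\.so\.3' "$cron" > "$tmp" || true   # 1 if nothing is left
        cat "$tmp" > "$cron" && rm -f "$tmp"                    # keep inode and mode
    fi
}
```

Run `suspicious_kthread_names` without arguments on a live host to scan the real /proc; a process reported there deserves the same ps and kill handling as [xfslogd] above.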
This concludes "how to solve the Linux mining Trojan horse". Thank you for reading.