
Investigating a "named" bitcoin miner

pavel-odintsov edited this page May 8, 2014 · 2 revisions

Detection on the system:

admin    26175 47.4  0.2 675148 20824 ?        Ssl  Apr25 2391:21 ./named -c named.conf
admin    26241 47.4  0.0 539288  7768 ?        Ssl  Apr25 2390:35 ./named -c named.conf

Network connections:

netstat -apnt|grep named
tcp        0      0 xx:36140      37.221.163.19:3333      ESTABLISHED 26175/named     
tcp        0      0 xx:36145      37.221.163.19:3333      ESTABLISHED 26241/named     

Caught in the act of mining:

tcpdump -A 'port 3333'
...#.a.2{"params": ["a3b9", "b60c186f689667173e067f9469672353a34821976ecacc3172ec4ee544289252", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff27038e8108062f503253482f041d525e5308", "0d2f7374726174756d506f6f6c2f0000000001d0f9052a010000001976a9145b771921a9b47ee8104da7e4710b5f633d95fa7388ac00000000", ["3529375a672cf8f5910a5dbbcc435b5bf13b2d0d01b5c327abedfe07a9241a7c", "bf4755bc3c24c9e5201b973c7ed5ba25b5cbe8ec227d24fb2a8c8cdb69df2a14", "9b74005431796d1c49e74bb4d8c40d5df0966312044d18680b8c2e1b3811541f"], "00000002", "1b0ad51e", "535e521c", true], "id": null, "method": "mining.notify"}
...'.a.h{"params": ["a3b9", "b60c186f689667173e067f9469672353a34821976ecacc3172ec4ee544289252", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff27038e8108062f503253482f041d525e5308", "0d2f7374726174756d506f6f6c2f0000000001d0f9052a010000001976a9145b771921a9b47ee8104da7e4710b5f633d95fa7388ac00000000", ["3529375a672cf8f5910a5dbbcc435b5bf13b2d0d01b5c327abedfe07a9241a7c", "bf4755bc3c24c9e5201b973c7ed5ba25b5cbe8ec227d24fb2a8c8cdb69df2a14", "9b74005431796d1c49e74bb4d8c40d5df0966312044d18680b8c2e1b3811541f"], "00000002", "1b0ad51e", "535e521c", true], "id": null, "method": "mining.notify"}
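The ps, netstat and tcpdump output above already carry everything needed to confirm a miner without touching the binary: the PID that owns the connection to port 3333, the relative launch path (`./named` instead of the packaged daemon), and a stratum `mining.notify` job whose coinbase halves embed ASCII pool tags, the BIP34 height push, the job timestamp and the payout script. The Python below is an added example, not code from the original page or its author. The stratum message is the one captured above; the benign `/usr/sbin/named` process and connection lines are constructed to show what is not flagged; the assumption that the payout is a single P2PKH output (`76a914 <hash160> 88ac`) is mine and other script types are not decoded.

```python
import json
import re
import struct
from datetime import datetime, timezone

# Constructed sample input: the two process lines and two netstat lines from the page,
# plus one constructed benign BIND line in each list so the filter has something to pass.
PS_LINES = [
    "admin    26175 47.4  0.2 675148 20824 ?        Ssl  Apr25 2391:21 ./named -c named.conf",
    "admin    26241 47.4  0.0 539288  7768 ?        Ssl  Apr25 2390:35 ./named -c named.conf",
    "named     1203  0.0  0.1  98765  9876 ?        Ssl  Apr01   0:42 /usr/sbin/named -u named",  # constructed
]
NETSTAT_LINES = [
    "tcp        0      0 xx:36140      37.221.163.19:3333      ESTABLISHED 26175/named",
    "tcp        0      0 xx:36145      37.221.163.19:3333      ESTABLISHED 26241/named",
    "tcp        0      0 xx:53         10.0.0.5:51234          ESTABLISHED 1203/named",  # constructed
]
# The stratum job exactly as it appeared in `tcpdump -A 'port 3333'` on the page,
# including the packet-header bytes tcpdump prints (as dots) before the JSON.
TCPDUMP_LINE = '...#.a.2{"params": ["a3b9", "b60c186f689667173e067f9469672353a34821976ecacc3172ec4ee544289252", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff27038e8108062f503253482f041d525e5308", "0d2f7374726174756d506f6f6c2f0000000001d0f9052a010000001976a9145b771921a9b47ee8104da7e4710b5f633d95fa7388ac00000000", ["3529375a672cf8f5910a5dbbcc435b5bf13b2d0d01b5c327abedfe07a9241a7c", "bf4755bc3c24c9e5201b973c7ed5ba25b5cbe8ec227d24fb2a8c8cdb69df2a14", "9b74005431796d1c49e74bb4d8c40d5df0966312044d18680b8c2e1b3811541f"], "00000002", "1b0ad51e", "535e521c", true], "id": null, "method": "mining.notify"}'


def suspicious_miner_processes(ps_lines, netstat_lines, mining_ports=frozenset({3333})):
    """Correlate `ps aux` and `netstat -apnt` output by PID.

    A process with an ESTABLISHED connection to a pool port is reported together
    with its CPU share, argv and whether it was launched from a relative path.
    """
    remote_by_pid = {}
    for line in netstat_lines:
        f = line.split()
        if len(f) < 7 or f[5] != "ESTABLISHED":
            continue
        pid = int(f[6].split("/")[0])
        remote_by_pid.setdefault(pid, []).append(f[4])
    hits = []
    for line in ps_lines:
        f = line.split(None, 10)  # user pid %cpu %mem vsz rss tty stat start time command
        if len(f) < 11:
            continue
        pid, cpu, argv = int(f[1]), float(f[2]), f[10]
        for remote in remote_by_pid.get(pid, []):
            if int(remote.rpartition(":")[2]) in mining_ports:
                hits.append({"pid": pid, "user": f[0], "cpu": cpu, "argv": argv,
                             "pool": remote, "relative_path": argv.startswith("./")})
    return hits


def stratum_messages(tcpdump_text):
    """Pull stratum JSON-RPC objects out of `tcpdump -A` text.

    Stratum messages contain no nested objects, so a brace-free inner match is enough.
    """
    out = []
    for m in re.finditer(r"\{[^{}]*\}", tcpdump_text):
        try:
            obj = json.loads(m.group(0))
        except ValueError:
            continue
        if isinstance(obj, dict) and str(obj.get("method", "")).startswith("mining."):
            out.append(obj)
    return out


def printable_runs(hex_str, min_len=4):
    """ASCII runs inside a hex blob; pools tag their coinbase scriptSig this way."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, bytes.fromhex(hex_str))]


def parse_mining_notify(msg):
    """Decode the human-readable parts of a mining.notify job."""
    job_id, prevhash, coinb1, coinb2, merkle, version, nbits, ntime, clean = msg["params"]
    # Coinbase input: 32 zero bytes + index 0xffffffff, then the scriptSig length byte
    # and the BIP34 height push (push-length byte followed by little-endian height).
    sig = coinb1[coinb1.index("ffffffff") + 8 + 2:]
    n = int(sig[:2], 16)
    height = int.from_bytes(bytes.fromhex(sig[2:2 + 2 * n]), "little")
    # Assumption: a single P2PKH payout output preceded by its 8-byte little-endian value.
    m = re.search(r"([0-9a-f]{16})1976a914([0-9a-f]{40})88ac", coinb2)
    return {
        "job_id": job_id,
        "prevhash_stratum_order": prevhash,
        "block_height": height,
        "ntime": datetime.fromtimestamp(int(ntime, 16), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "nbits": nbits,
        "version": version,
        "merkle_branches": len(merkle),
        "coinbase_tags": printable_runs(coinb1) + printable_runs(coinb2),
        "payout_hash160": m.group(2) if m else None,
        "payout_value": struct.unpack("<Q", bytes.fromhex(m.group(1)))[0] if m else None,
        "clean_jobs": clean,
    }


if __name__ == "__main__":
    for hit in suspicious_miner_processes(PS_LINES, NETSTAT_LINES):
        print("miner candidate:", hit)
    for job in stratum_messages(TCPDUMP_LINE):
        print(json.dumps(parse_mining_notify(job), indent=2))
```

Run stand-alone, it flags PIDs 26175 and 26241 (both launched as `./named`, both talking to 37.221.163.19:3333) and leaves the constructed `/usr/sbin/named` alone. The job decodes to tags `/P2SH/` and `/stratumPool/`, height 557454, ntime 2014-04-28 13:05:32 UTC (minutes before the `Apr 28 17:14` copy of the binary, given a UTC+4 clock), payout hash160 `5b771921a9b47ee8104da7e4710b5f633d95fa73` and an output of 5 000 002 000 base units, i.e. 50 coins plus fees. Bitcoin's block subsidy in April 2014 was 25 BTC, so the reward and the 0x1b nbits exponent are worth checking against the chain the pool actually serves before labelling the sample; the page's capture identifies only the pool's IP and port.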

The binary:

file /root/named_bitcoin_virus
/root/named_bitcoin_virus: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, stripped

ldd:

ldd /root/named_bitcoin_virus 
	linux-vdso.so.1 =>  (0x00007fff94dc6000)
	librt.so.1 => /lib64/librt.so.1 (0x00007fb56d818000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb56d5fb000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fb56d266000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fb56da26000)

The body weighs in at roughly 580 KB (592464 bytes):

-rwxr-xr-x   1 pavel_odintsov  staff  592464 Apr 28 17:14 named_bitcoin_virus

Detection rate as of May 8, 2014: 9 of 52