CPU usage takes off

Recently, some friends in the group reported that their server's CPU had been stuck at high utilization, but commands such as top and ps could not show which process was responsible. They suspected a mining virus and were anxiously going round in circles.



As a rule of thumb, I quickly asked my friend to check the server's current network connections for anything suspicious, and sure enough, something turned up:

Check the IP address on Shodan:

There are a number of domain names resolved to this IP address:

This IP address is located in Germany and has several unusual service ports open, including 4444, 5555 and 7777:

The server was connected to port 7777, which ZoomEye (Zhong Kui's Eye) shows is an HTTP service port. Accessing it directly returns the following message:

A mining pool! That settles it: the server is mining!



But strangely, the process seemed to be invisible, leaving no trace of its existence.

How processes are hidden

Now back to the main topic of this article: what can be done to hide processes on Linux?

To answer this question, we first need to know how the ps and top commands enumerate the system's process list.

The design philosophy of Linux is: everything is a file!

Processes are no exception. Linux has a special directory: /proc/. The contents of this directory are not a file system on the hard disk but an interface, exposed by the operating system kernel, to the process- and thread-related data inside the kernel, i.e. procfs. It records information about the processes and threads running on the system. Take a look:



These numerically named directories are the PIDs of processes, and each one holds detailed information about that process.

Commands like ps and top essentially iterate through this directory.

Once the principle is known, hiding can be achieved in the following ways:

Command substitution

Directly replace the ps and top command-line tools on the system. Their source code can be downloaded from GitHub and filtering logic added so that the mining process is dropped while the process list is traversed, which achieves the hiding.

Module injection

Write a dynamic link library (.so file) that hooks the traversal-related functions (readdir/readdir64) and filters out the mining process during traversal. The library can be configured and injected into target processes by modifying the LD_PRELOAD environment variable or the /etc/ld.so.preload file.

Kernel level hiding

The module injection method hooks functions in the application layer to hide the mining process. Going a step further, the hiding can be done in kernel space by loading a driver and hooking the corresponding system calls. This demands more technical skill from the attacker, and cleaning up such a virus is correspondingly harder.

Finding the mining process

But being hidden from view doesn't mean the process doesn't exist. There's a tool called Unhide that can be used to find hidden processes.

I asked my friend to install the tool to look for hidden processes, but strangely, the SSH session of the remote connection was disconnected as soon as yum install was executed. So I chose to install unhide from source instead, but various errors kept coming up. Since I could not operate the server myself and communicating back and forth was difficult, I decided to study the source code of unhide and then write a Python script for him to run.

Source code address: github.com/YJesus/Unhi…

To find hidden processes, its module roughly uses the following method: /proc/pid/ (max_pid = 1)

Following this approach, I wrote a Python script and sent it to my friend. After executing it, I found the hidden process:

Don’t worry, there are not really so many processes, here are all the thread ids listed. Pick a random one and have a look:
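The thread IDs appear because /proc/<tid> can be opened directly even though it is never returned when /proc is listed. The following is an added example, not the author's script or Unhide's code: it assumes the check is to probe every ID up to pid_max directly and compare against the directory listing, and it groups thread IDs under their process (Tgid). The function names are hypothetical.

```python
import os

def read_status(proc_root, tid):
    """Return (name, tgid) from <proc_root>/<tid>/status, or None if no such task."""
    fields = {}
    try:
        with open(os.path.join(proc_root, str(tid), "status")) as fh:
            for line in fh:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        return fields["Name"], int(fields["Tgid"])
    except (OSError, KeyError, ValueError):
        return None

def listed_pids(proc_root="/proc"):
    """PIDs as the directory listing reports them: the view ps and top rely on."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def find_hidden(proc_root="/proc", max_pid=None, lister=listed_pids):
    """Map hidden PID -> {"name", "tids"} by probing every possible ID directly."""
    if max_pid is None:
        with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
            max_pid = int(fh.read())
    listed = lister(proc_root)
    hidden = {}
    for tid in range(1, max_pid + 1):
        if tid in listed:
            continue
        status = read_status(proc_root, tid)  # direct open, no directory listing
        if status is None:
            continue                          # ID not in use
        name, tgid = status
        if tgid in listed:
            continue                          # ordinary thread of a visible process
        hidden.setdefault(tgid, {"name": name, "tids": []})["tids"].append(tid)
    # Drop processes that simply started after the first listing was taken.
    relisted = lister(proc_root)
    return {pid: info for pid, info in hidden.items() if pid not in relisted}

if __name__ == "__main__":
    for pid, info in sorted(find_hidden().items()):
        print(f"hidden pid={pid} name={info['name']} threads={len(info['tids'])}")
```

This catches hiding that filters the directory listing, as with the command-substitution and readdir hooks described earlier; a kernel-level hook that also blocks direct access to /proc/<pid> would not be caught by it.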

Remember that the netstat command earlier showed the mining process had established a network connection? Check /proc/pid/fd:

Here we find that this process has a socket open; the 10212 that follows is its inode ID. Use the following command to see exactly what this socket is: cat /proc/net/tcp | grep 10212. It outputs the four-tuple information:

On the left is the source IP address (and source port) and on the right is the destination IP address (and destination port). Destination port 1E61 is 7777 in decimal.
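The same lookup as an added example (not from the original post): it collects the socket inodes under /proc/pid/fd and decodes the matching /proc/net/tcp row. The sample table is constructed, with documentation-range addresses, a little-endian host is assumed for the address byte order, and the function names are hypothetical.

```python
import os
import re
import socket
import struct

# Constructed sample of /proc/net/tcp (not taken from the incident).
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0500000A:C350 0A7100CB:1E61 01 00000000:00000000 00:00000000 00000000     0        0 10212 1 0000000000000000 20 4 30 10 -1\n"
)

def decode_addr(hex_addr):
    """'0100007F:1E61' -> ('127.0.0.1', 7777); assumes a little-endian host."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def socket_inodes(pid, proc_root="/proc"):
    """Inode numbers of every socket the process holds open."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    inodes = set()
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue                      # descriptor closed while we were looking
        match = re.fullmatch(r"socket:\[(\d+)\]", target)
        if match:
            inodes.add(int(match.group(1)))
    return inodes

def find_socket(tcp_table, inode):
    """Return the decoded row of a /proc/net/tcp table whose inode column matches."""
    for line in tcp_table.splitlines()[1:]:   # skip the header row
        f = line.split()
        if len(f) > 9 and f[9] == str(inode):
            return {"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                    "state": f[3], "uid": int(f[7])}
    return None

if __name__ == "__main__":
    print(find_socket(SAMPLE_TCP, 10212))
```

State 01 is ESTABLISHED and 0A is LISTEN; on a live system, pass the contents of /proc/net/tcp instead of the sample.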

Got it! That's the guy! Next, run cat /proc/pid/environ to locate the executable file of the process:

Finally found this fellow:

The guy looks like a repeat offender on the Internet:

Mining virus analysis

Download the mining Trojan and examine it in a disassembler. /root/.ssh/authorized_keys: RSA key



In addition, a number of domain names were found to which the virus was trying to connect:

It's horrifying to see this! One's own server was being ground into the dirt by the virus!

Cleanup recommendations

Enable SELinux
Kill the mining process
Delete the virus program
Delete the virus driver
Delete the login credentials added by the virus
Block the IP address and port with the firewall

How was this virus implanted?