
Personal Log: Digital Exorcism

When you leave the commercial/proprietary software ecosphere and jump into open-source operating systems, you will have to learn how to handle daemons. And once you've created a couple of those daemons yourself, taught them what to do and let them work in production, you gain a lot of experience and confidence in dealing with all kinds of daemons.

Yesterday, a couple of friends from the awesome project seemed to be in some sort of possible DDoS trouble and asked for my advice and experience to mitigate the issue. Now, to me, it is a very amazing experience to simply get root access to a lot of machines lately, operated by people whom I have never physically met, but in this case we are connected through elf-pavlik. And in today's world, voluntarily giving root access to someone else is the ultimate token of trust and/or friendship. So I'd like to thank you guys for that vote of confidence.

Since it was supposed to be a DDoS, I had my input filters clamped too early: I saw that something was going on and a lot of traffic was moving, but it somehow seemed wrong compared to other DDoS investigations I had done in the past. After some failed attempts to block/null-route a couple of offending networks, our analysis focus shifted to traffic distribution, where we saw that one of the VMs seemed to be the top talker. It also became clear that the traffic wasn't coming in, it was going out. I hadn't looked at flow direction at all because I had already assumed it was incoming traffic (DDoS).

Here's where dashboards like this come in handy. You have all relevant metrics at a glance and can compare the current state to some “normal” state in the past. Visually matching graphs and colors takes much less time than aggregating everything manually on the console to get a quick situation overview.

It then quickly became apparent that one of the VMs was the top talker, so we moved onto that box, and what started out as DDoS mitigation turned into digital exorcism. You know, when there are daemons that are possessed and controlled by some evil spirit to create some form of havoc, mostly motivated purely by the ultimate overlord of all evil: Financial Profit. And what do you do when dealing with evil daemons? You go Exorcist on them.

After verifying that the traffic really was outgoing, it was time to find out what was causing this amount of traffic. In the old days, exorcism was a bit more of a good show, I think; today, it's just a couple of people sharing the same tmux session, listening to their favorite kind of music and hacking away with a couple of tcpdumps, iftops, netstats and some other shell mumbo-jumbo. rkhunter didn't identify any rootkits. The daemon concealment seemed like a crude quick hack. If I had to hide something in a system, I'd definitely make it much harder for someone to track.

At the time, two daemons of the kit were running: /.sshd and /http. sshd was located at /usr/sbin/.sshd and http at /etc/http. Both put some sort of pidfile into /tmp/$foo.lod, which is how we were able to identify the running processes in the first place. The kit also seems to carry replacements for lsof, netstat, ps and ss, each of which seems to be a unique binary. With the exception of bsd-port/jave, the rest of the identified files are basically copies of the same binary under different names and come with this file signature, which already stood out on a more or less up-to-date 64-bit machine:

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped. 
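The two indicators above, a hidden dotfile daemon in a system directory and a statically linked 32-bit i386 ELF on an up-to-date 64-bit host, can be checked by parsing the ELF header directly, without trusting the host's own ps/netstat/lsof/ss or the `file` utility. The script below is an added triage example, not part of the original post or the kit analysis; the scanned directory list, the `host_bits` parameter and the constructed ELF header in `make_elf32` are assumptions for illustration.

```python
import os
import struct
EM_386, PT_INTERP = 3, 3   # e_machine of Intel 80386; program header that names the dynamic loader

def elf_summary(data: bytes):
    """Return (bits, machine, static) parsed from raw ELF bytes, or None if not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    bits = 32 if data[4] == 1 else 64                  # EI_CLASS
    e = "<" if data[5] == 1 else ">"                   # EI_DATA, 1 = little-endian (LSB)
    fmt, phoff_at, ph_at = ("I", 28, 42) if bits == 32 else ("Q", 32, 54)
    phoff = struct.unpack_from(e + fmt, data, phoff_at)[0]
    phentsize, phnum = struct.unpack_from(e + "HH", data, ph_at)
    static = True          # flipped if a PT_INTERP header is present: no loader = "statically linked"
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 <= len(data) and struct.unpack_from(e + "I", data, off)[0] == PT_INTERP:
            static = False
    return bits, struct.unpack_from(e + "H", data, 18)[0], static

def indicators(path: str, data: bytes, host_bits: int = 64) -> list:
    """Reasons a file found in a system directory deserves a closer look."""
    reasons = []
    if os.path.basename(path).startswith("."):
        reasons.append("hidden dotfile executable")
    if host_bits == 64 and elf_summary(data) == (32, EM_386, True):
        reasons.append("statically linked 32-bit i386 ELF on 64-bit host")
    return reasons

def scan(dirs=("/usr/sbin", "/usr/bin", "/etc"), host_bits: int = 64) -> dict:
    """Walk system directories (assumed list) and map suspicious paths to their indicators."""
    hits = {}
    for root in dirs:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        data = f.read(65536)           # header plus program headers
                except OSError:
                    continue                           # unreadable or vanished file
                reasons = indicators(path, data, host_bits)
                if reasons:
                    hits[path] = reasons
    return hits

def make_elf32(phdr_types, machine: int = EM_386) -> bytes:
    """Constructed test sample, not a real binary: minimal LE ELF32 header plus program headers."""
    hdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 2, machine, 1, 0x8048000, 52, 0, 0, 52, 32, len(phdr_types), 40, 0, 0)
    return hdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
```

Run `scan()` as root on the suspect box and compare the result against a known-good host of the same distribution; a legitimate static 32-bit binary in /etc is rare enough that every hit deserves a look.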

After collecting all files we considered compromised, Virustotal removed the last shreds of doubt.

The main binary seems to contain a big list of IP addresses (probably C&C) and some sort of amplification and packet generation scheme. The observed attack pattern seemed more like a targeted HTTP SYN attack against only a few targets but with maximized bandwidth, trying to utilize the 1 GBit uplink capacity and spreading over 4-6 target hosts, each up to 200 MBit. Further analysis is still ongoing but if someone else would like to take a look at this thing pulled out of the wild, go ahead:

Please only continue when you feel confident that you know what you are doing.

For safety reasons and to prevent uncontrolled replication or scan-bot false-positive flags, the whole set is tarred, gzipped and then encrypted with aes-256-cbc (openssl).

The SHA256 checksum of the archive is also the key:

