Since I rarely come into contact with Linux virus incidents, I deliberately found a previously handled site to reproduce one, which can count as practice with Linux commands and an understanding of Linux viruses.
Execute the mining virus.
Use the top command to check CPU usage.
It can be seen that the process with PID 28842 is using 97.3% of the CPU.
Then use netstat -antp to check the network connections.
Searching the two foreign IPs shows they are mining pool IPs, so this can be judged to be a mining virus.
cd /proc/28842 to enter the process's directory.
ls -al to view where the process's file is located.
Now that the directory of the mining file is known, use kill -9 28842 to end the mining process.
Open the tmp directory, extract the file, and analyze it with IDA.
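The triage steps above (top, netstat -antp, /proc/PID, hashing the extracted file) can be scripted so the same checks run on the next box. The following is an added example written for this page, not code from the original write-up: it parses a constructed netstat -antp sample (the local addresses, ports and the program name "sample_bin" are made up; only the pool IPs and SHA1 hashes are the IOCs listed below), flags PIDs talking to a pool IP, reads what /proc/PID/exe, cwd and cmdline reveal, and compares the binary's SHA1 with the known hashes. The proc_root parameter and build_fake_proc helper are assumptions that let the demo run against a constructed /proc tree instead of a live infection.

```python
"""Triage helpers for a Linux miner hunt (added example, not from the write-up)."""
import hashlib
import os
import tempfile

# IOCs quoted from the write-up.
POOL_IPS = {"178.170.189.5", "91.215.169.111"}
KNOWN_SHA1 = {
    "f29e46fe42e74cbb1c13839e5462a4d6fe26b220",
    "e4bf1914ce19aa21bc9af6d2966296b84185fd0c",
}

# Constructed sample of `netstat -antp` output: local addresses, ports and the
# program name "sample_bin" are invented; only the two pool IPs are real IOCs.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 10.0.0.5:49812          178.170.189.5:14444     ESTABLISHED 28842/sample_bin
tcp        0      0 10.0.0.5:49813          91.215.169.111:14444    ESTABLISHED 28842/sample_bin
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 1980/sshd
"""


def parse_netstat(text):
    """Turn `netstat -antp` output into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        foreign_ip, _, foreign_port = parts[4].rpartition(":")
        # udp lines carry no State column, so PID/Program is always the last field
        pid, _, prog = parts[-1].partition("/")
        rows.append({
            "proto": parts[0],
            "local": parts[3],
            "foreign_ip": foreign_ip,
            "foreign_port": foreign_port,
            "state": parts[5] if len(parts) == 7 else "",
            "pid": int(pid) if pid.isdigit() else None,  # "-" when not visible
            "program": prog,
        })
    return rows


def pool_connections(text, pool_ips=POOL_IPS):
    """PIDs talking to a known pool IP: what turned 'high CPU' into 'miner'."""
    return sorted({(r["pid"], r["program"], r["foreign_ip"])
                   for r in parse_netstat(text) if r["foreign_ip"] in pool_ips})


def proc_info(pid, proc_root="/proc"):
    """What `cd /proc/<pid>; ls -al` shows: the binary on disk, its cwd and argv.
    proc_root is an assumed parameter so the demo can use a constructed tree."""
    base = os.path.join(proc_root, str(pid))
    with open(os.path.join(base, "cmdline"), "rb") as fh:
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    return {
        "exe": os.readlink(os.path.join(base, "exe")),  # ends in " (deleted)" if unlinked
        "cwd": os.readlink(os.path.join(base, "cwd")),
        "argv": argv,
    }


def sha1_of_file(path):
    """Stream the file so large dropped binaries do not get loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_sample(path, known=KNOWN_SHA1):
    return sha1_of_file(path) in known


def build_fake_proc(root, pid, exe_bytes, argv):
    """Constructed stand-in for /proc/<pid> so the helpers run without a real infection."""
    base = os.path.join(root, str(pid))
    os.makedirs(base)
    exe_path = os.path.join(root, "tmp_bin")
    with open(exe_path, "wb") as fh:
        fh.write(exe_bytes)
    os.symlink(exe_path, os.path.join(base, "exe"))
    os.symlink(root, os.path.join(base, "cwd"))
    with open(os.path.join(base, "cmdline"), "wb") as fh:
        fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
    return exe_path


def demo():
    """Run the whole triage against the constructed sample and return the findings."""
    root = tempfile.mkdtemp()
    exe_path = build_fake_proc(root, 28842, b"abc", ["./sample_bin", "-o", "pool"])
    info = proc_info(28842, proc_root=root)
    return {
        "pool_hits": pool_connections(SAMPLE_NETSTAT),
        "exe": info["exe"],
        "argv": info["argv"],
        "sha1": sha1_of_file(exe_path),
        "known": is_known_sample(exe_path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, call proc_info(28842) with the default proc_root before killing the process: once the PID is gone the exe link is gone too, and if the binary deleted itself after starting, the " (deleted)" suffix on the link is the only pointer left to where it lived.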
Coincidentally, when I searched for the IP, I came across this piece of intelligence:
Suspected mining but no configuration file found
https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=2314
The person who submitted the intelligence did not find the configuration file. In fact, the configuration file is the extracted file itself: open it in IDA and the configuration data is right there.
This is a simple case, so the files themselves will not be analyzed in depth.
IOCs:
SHA1:
f29e46fe42e74cbb1c13839e5462a4d6fe26b220
e4bf1914ce19aa21bc9af6d2966296b84185fd0c
Pool addresses:
xmr-eu1.nanopool.org
178.170.189.5
91.215.169.111
Wallet address:
46V5WXwS3gXfsgR7fgXeGP4KAXtQTXJfkicBoRSHXwGbhVzj1JXZRJRhbMrvhxvXvgbJuyV3GGWzD6JvVMuQwAXxLZmTWkb