Skillfully Deflected Linux Emergency Stories

Foreword

It was a typical day for Liu, a seasoned office veteran with years of experience in emergency response and security management. As he was busy attending to various security incidents in his area, a customer suddenly reached out for help. Liu’s deeply ingrained perception of security issues kicked in, and he promptly opened the safety awareness platform to analyze the situation.

0x01 Liu

Liu quickly located the corresponding host on the safety awareness platform and found an alert indicating virtual currency mining. He smiled, knowing that the detection accuracy for this type of threat was almost 100%. His confidence was short-lived, however, as he soon found himself stumped.

0x02 Blind Eyes

Liu could hardly believe his eyes as he struggled to locate the file behind the mining process. The ps command identified the process easily enough, but he was unable to find the file it had been started from. Even after trying various methods, including scanning for rootkits, he was left baffled.

0x03 Way Out

The situation seemed impossible, with Liu’s expertise and experience seemingly no match for the cunning hacker. However, he refused to give up, and his request for assistance from headquarters was answered by a team of security experts who joined forces to analyze the situation.

0x04 Sample Analysis

The team, led by Liu, conducted a thorough analysis of the system, including a memory dump of the mining process. On closer inspection, they discovered a seemingly innocuous directory whose name was a suspicious string. Further investigation revealed a malicious script and executable files hidden inside that directory.

0x05 Traced

The team discovered that the root cause of the intrusion was a hacker who had used a combination of tactics to deceive the system and evade detection. The hacker had created a visually imperceptible directory and used a tool called XHide to disguise the file location.

0x06 Summary

In the end, the team identified the root cause of the intrusion and the tactics the hacker had used. They also recommended hardening the Linux hosts, increasing password complexity, and implementing account lockout policies.

0x07 Relevant IOC

The team’s findings were summarized as follows:

  • BBD807BCC2596FD7EEC38BFCBED9F5A5
  • 60103B3D5FD524BBDA4682E5B0C6560E

Author: Clairvoyance Security Labs

Note: This article was originally published on FreeBuf.COM and is shared here with permission.