Gentoo Archives: gentoo-security

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] gmonstart / jvregisterclasses in tons of binaries with commands,malware?
Date: Thu, 17 Dec 2009 06:11:15
Message-Id: robbat2-20091217T050303-895383311Z@orbis-terrarum.net
In Reply to: [gentoo-security] gmonstart / jvregisterclasses in tons of binaries with commands,malware? by whereislibertyandjustice@Safe-mail.net
On Wed, Dec 16, 2009 at 09:06:04PM -0500, whereislibertyandjustice@×××××××××.net wrote:
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this knowledge
> comes as a surprise to them, too, when they search their binaries and find
> the same strings. I'm amazed by how quickly some rush to judgement and call
> you a paranoid for being curious about the files on your system. The strings
> may/may not be common, but in comparing commands which follow these strings
> I've noticed some which seem down right malicious!
Just because it seems to be everywhere doesn't mean it's malicious. Why did you assign "malicious" as the reason for it occurring everywhere? If you'd compiled a single program yourself with gcc, manually on the commandline, you would have seen the same symbols too. Even this really simple program:

    int main(int argc, char** argv) { return 0; }

> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?
First of all, using strings is not the best way to go about looking at binaries. objdump and the various ELF inspection tools would show that you were looking at a function named __gmon_start__ in the code.

    # readelf -s /usr/bin/bc |egrep 'Jv|gmon'
    Symbol table '.dynsym' contains 57 entries:
       Num:    Value          Size Type    Bind   Vis      Ndx Name
    ...
         5: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
         6: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _Jv_RegisterClasses

Weak-binding, undefined references to functions of said names.

__gmon_start__:
Grab yourself the glibc sources, and read the following files:

    glibc-${PV}/csu/gmon-start.c
    glibc-${PV}/sysdeps/generic/initfini.c

In both cases, search for "gmon_start". gmon_start is the entry point of profiling any program.

_Jv_RegisterClasses:
You'll need to dig into the GCC sources to understand this one. I wish GCC wouldn't pollute non-Java stuff with it, but it seems an unfortunate side-effect of having GCJ support, even if you don't use it.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
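To make the "weak-binding, undefined reference" point concrete, here is an added example (not from the mail or from glibc) that declares the same kind of weak reference to __gmon_start__ that glibc's startup code does, plus a hypothetical `optional_hook` symbol (my name, not on the page) to show the mechanism is generic; it assumes a normal `gcc` link without `-pg`, so neither symbol is defined and both resolve to address 0.

```c
/* Added example: a weak, undefined reference is what crt1.o's startup code
 * does with __gmon_start__.  When nothing in the link (e.g. gcrt1.o pulled
 * in by `gcc -pg`) defines the symbol, it resolves to address 0 and the
 * call is simply skipped.  That is why every ordinary binary carries the
 * name without doing any profiling. */
#include <stdio.h>
#include <stddef.h>

/* Same declaration form as glibc's startup code: weak reference to the
 * profiling entry point.  Deliberately not defined anywhere here. */
extern void __gmon_start__(void) __attribute__((weak));

/* Hypothetical symbol (an assumption, not from the mail): any weak
 * undefined reference behaves exactly the same way. */
extern void optional_hook(void) __attribute__((weak));

/* Return 1 if the linker/loader resolved the weak symbol to a real
 * function, 0 if it stayed undefined (address 0). */
int has_gmon_start(void)    { return &__gmon_start__ != NULL; }
int has_optional_hook(void) { return &optional_hook != NULL; }

/* Mirrors the startup-code pattern: call the profiler only if present.
 * Returns 1 if the call was made, 0 if it was skipped. */
int call_gmon_start_if_present(void)
{
    if (&__gmon_start__ != NULL) {
        __gmon_start__();
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("__gmon_start__ present: %d\n", has_gmon_start());
    printf("optional_hook present:  %d\n", has_optional_hook());
    printf("profiling call made:    %d\n", call_gmon_start_if_present());
    /* Inspect the result the way the mail suggests instead of `strings`:
     *   gcc -o weakdemo weakdemo.c && readelf -s weakdemo | egrep 'gmon|optional'
     * Both names normally show up as NOTYPE WEAK DEFAULT UND.  Rebuilding
     * with `gcc -pg` makes __gmon_start__ a defined symbol instead. */
    return 0;
}
```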