List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: "Robin H. Johnson" <robbat2@g.o>
Subject: Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?
Date: Thu, 17 Dec 2009 05:20:32 +0000
On Wed, Dec 16, 2009 at 09:06:04PM -0500, whereislibertyandjustice@... wrote:
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this knowledge
> comes as a surprise to them, too, when they search their binaries and find
> the same strings. I'm amazed by how quickly some rush to judgement and call
> you a paranoid for being curious about the files on your system. The strings
> may/may not be common, but in comparing commands which follow these strings
> I've noticed some which seem down right malicious!

Just because it seems to be everywhere, doesn't mean it's malicious.
Why did you assign "malicious" as the reason for it occurring everywhere?

If you'd compiled a single program yourself with gcc, manually on the
commandline, you would have seen the same symbols too.

Even this really simple program:
int main(int argc, char** argv) { return 0; }

> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?

First of all, using strings is not the best way to go about looking at
binaries. objdump and the various ELF inspection tools would show that
you were looking at a function named __gmon_start__ in the code.

# readelf  -s /usr/bin/bc |egrep 'Jv|gmon'
Symbol table '.dynsym' contains 57 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
...
     5: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     6: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _Jv_RegisterClasses

Weak-binding, undefined references to functions of said names.

__gmon_start__:
Grab yourself the glibc sources, and read the following files:
glibc-${PV}/csu/gmon-start.c
glibc-${PV}/sysdeps/generic/initfini.c
In both cases, searching for "gmon_start"

gmon_start is the entry point of profiling any program.

_Jv_RegisterClasses:
You'll need to dig into the GCC sources to understand this one.
I wish GCC wouldn't pollute non-Java stuff with it, but it seems an
unfortunate side-effect of having GCJ support, even if you don't use it.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
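
Added example, not part of the original message: a Python sketch that decodes Elf64_Sym entries the way `readelf -s` does and picks out the weak, undefined ones, run over a constructed symbol table modelled on the two rows quoted in the reply. The table bytes, the `main` row and all function names here are constructed for illustration.

```python
import struct

# Elf64_Sym, little-endian: st_name u32, st_info u8, st_other u8,
# st_shndx u16, st_value u64, st_size u64 (24 bytes per entry).
ELF64_SYM = struct.Struct("<IBBHQQ")
BIND = {0: "LOCAL", 1: "GLOBAL", 2: "WEAK"}
TYPE = {0: "NOTYPE", 1: "OBJECT", 2: "FUNC", 3: "SECTION", 4: "FILE"}
SHN_UND = 0  # section index meaning "not defined in this file"

def build_sample():
    """Constructed .dynsym/.dynstr bytes (not taken from a real binary)."""
    names = ["", "__gmon_start__", "_Jv_RegisterClasses", "main"]
    dynstr, offsets = b"", {}
    for name in names:
        offsets[name] = len(dynstr)
        dynstr += name.encode() + b"\0"
    weak_notype = (2 << 4) | 0   # st_info = (bind << 4) | type
    global_func = (1 << 4) | 2
    rows = [
        (0, 0, 0, SHN_UND, 0, 0),  # mandatory null entry at index 0
        (offsets["__gmon_start__"], weak_notype, 0, SHN_UND, 0, 0),
        (offsets["_Jv_RegisterClasses"], weak_notype, 0, SHN_UND, 0, 0),
        (offsets["main"], global_func, 0, 13, 0x401000, 11),  # constructed
    ]
    return b"".join(ELF64_SYM.pack(*r) for r in rows), dynstr

def parse_symbols(dynsym, dynstr):
    """Decode every symbol entry into name, binding, type and definedness."""
    symbols = []
    for off in range(0, len(dynsym), ELF64_SYM.size):
        st_name, st_info, _other, st_shndx, st_value, _size = \
            ELF64_SYM.unpack_from(dynsym, off)
        end = dynstr.index(b"\0", st_name)  # names are NUL-terminated
        symbols.append({
            "name": dynstr[st_name:end].decode(),
            "bind": BIND.get(st_info >> 4, "OTHER"),
            "type": TYPE.get(st_info & 0xF, "OTHER"),
            "undefined": st_shndx == SHN_UND,
            "value": st_value,
        })
    return symbols

def weak_undefined(symbols):
    """Optional references: left at address 0 if nothing defines them."""
    return [s["name"] for s in symbols
            if s["bind"] == "WEAK" and s["undefined"] and s["name"]]

if __name__ == "__main__":
    for sym in parse_symbols(*build_sample()):
        print(sym)
    print("weak + undefined:", weak_undefined(parse_symbols(*build_sample())))
```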


Updated May 10, 2012

Summary: Archive of the gentoo-security mailing list.
