Hello,

For some time now I have noticed files called "1" in my working directories.
I found out that they always appear after I have issued a "su" command.
So I tried to find out whether it could be a rootkit by running chkrootkit:

jambalaia etc # chkrootkit | fgrep su
Checking `su'... not infected

Then I reinstalled the su command with "emerge sys-apps/shadow", after I had done an "emerge rsync".

The ls command showed me a newly created su command in the /bin directory.

But nevertheless the su command creates files called "1".

So I piped the output of "strace su" to a file and grepped for "open", and
it really opens a file called "1" for writing with a "largefile" flag.

Here is the most interesting part of the strace output.

open("1", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
fcntl64(0x1, 0x1, 0, 0x1) = 0
fcntl64(0x1, 0, 0xa, 0x1) = 10
fcntl64(0x1, 0x1, 0, 0xa) = 0
fcntl64(0xa, 0x2, 0x1, 0xa) = 0
dup2(3, 1) = 1
close(3) = 0
stat64("/etc/profile", {st_mode=S_IFREG|0644, st_size=757, ...}) = 0
open("/etc/profile", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=757, ...}) = 0
read(3, "if [ -e \"/etc/profile.env\" ]\nthe"..., 757) = 757
close(3) = 0

Does anybody know why su behaves like this? For me it seems very strange ...

I will attach the su binary and the strace logfile.

Arno

-- 

/\ ._._ _ \ /o||_ _ |._ _
/--\| | |(_) \/\/ ||| |(/_|| | |

tel: +43 676 9263473
fax: +43 5252 6127
http: www.quirxi.com
mail: arno.wilhelm(a)quirxi.com
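In the excerpt above the traced process first saves its original fd 1 at fd 10 (the fcntl64 F_DUPFD call returning 10) and then dup2()s the freshly created file "1" onto fd 1, so the file is where stdout is being redirected. The script below is an added example, not part of Arno's post or of the tools he names; it automates spotting that open()+dup2() pattern when triaging a full strace log, and its regexes assume the 32-bit strace line format shown in the excerpt.

```python
import re

# Trace excerpt copied from the post above (not constructed), used as sample input.
SAMPLE_TRACE = """\
open("1", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
fcntl64(0x1, 0x1, 0, 0x1) = 0
fcntl64(0x1, 0, 0xa, 0x1) = 10
fcntl64(0x1, 0x1, 0, 0xa) = 0
fcntl64(0xa, 0x2, 0x1, 0xa) = 0
dup2(3, 1) = 1
close(3) = 0
stat64("/etc/profile", {st_mode=S_IFREG|0644, st_size=757, ...}) = 0
open("/etc/profile", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=757, ...}) = 0
close(3) = 0
"""

# Optional "[pid 123] " or "123 " prefix that strace -f puts in front of each line.
PREFIX_RE = re.compile(r"^(?:\[pid\s+\d+\]\s*|\d+\s+)")
OPEN_RE = re.compile(r'^open\("([^"]*)",\s*([A-Z0-9_|]+)(?:,\s*[0-7]+)?\)\s*=\s*(\d+)')
DUP2_RE = re.compile(r"^dup2\((\d+),\s*(\d+)\)\s*=\s*(\d+)")
CLOSE_RE = re.compile(r"^close\((\d+)\)\s*=\s*0")
STD_FDS = {0: "stdin", 1: "stdout", 2: "stderr"}


def find_redirections(trace):
    """Return one (path, created, std_name) tuple for every open() whose
    descriptor is later dup2()'d onto stdin/stdout/stderr, which is how a
    shell implements `>file`, `>>file`, `2>file` and `<file`."""
    open_fds = {}   # fd -> (path, flags) for descriptors currently open
    hits = []
    for raw in trace.splitlines():
        line = PREFIX_RE.sub("", raw)
        if m := OPEN_RE.match(line):
            open_fds[int(m.group(3))] = (m.group(1), m.group(2))
        elif m := DUP2_RE.match(line):
            src, dst, ret = (int(g) for g in m.groups())
            if ret == dst and src in open_fds and dst in STD_FDS:
                path, flags = open_fds[src]
                hits.append((path, "O_CREAT" in flags.split("|"), STD_FDS[dst]))
        elif m := CLOSE_RE.match(line):
            open_fds.pop(int(m.group(1)), None)
    return hits


def explain(trace):
    """Human-readable one-liners for each redirection found in the log."""
    return [f'{std} was redirected into {"newly created " if created else ""}file "{path}"'
            for path, created, std in find_redirections(trace)]


if __name__ == "__main__":
    for msg in explain(SAMPLE_TRACE):
        print(msg)
```

Feed it the whole logfile instead of the excerpt to see every point at which the traced process swapped one of its standard descriptors for a file.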