In Linux binaries, in any Linux distro, I've discovered the same strings
which I believe may be due to a virus or trojan.

Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.

Whether I run 'strings' on the binary files or view with vim or gedit, here
is what is always seen inside the binaries:

__gmon_start__
_Jv_RegisterClasses

Followed by commands which differ within each binary.

If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
include the above two strings followed by commands, after I run an update
the updated binaries suddenly contain the above two strings and other, what
I believe to be, rogue strings. I've avoided the possible infection with an
OpenBSD install, yet all the Linux installations and burned ISOs contain
binaries with the above two strings followed by commands.

Search using find within your bin and sbin directories for those two strings
and see how many positives you find. Now use a text editor like vi or gedit
and search through the gibberish, locate these strings and isolate the
commands, if any, which follow them. Searching for gmonstart, gmon,
registerclasses, jv, etc. variations of those also works. If you find results
in your binaries, please copy/paste the commands following the gmonstart and
jvregisterclasses strings so I may compare them to mine.

I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
different physical locations and found some CDs contained these strings
in the binaries and one or two rare ones did not, but when installed/updated
on a network connection the binaries replaced in the update process would
show these strings!! These strings are not alone by themselves in the
binaries; they are followed by commands with a @ mark before each command.

Google results are vague, some suggest shell backdoors, every Linux user
I've asked to date calls me paranoid while at the same time this knowledge
comes as a surprise to them, too, when they search their binaries and find
the same strings. I'm amazed by how quickly some rush to judgement and call
you a paranoid for being curious about the files on your system. The strings
may/may not be common, but in comparing commands which follow these strings
I've noticed some which seem downright malicious!

Maybe they're right, I'm just paranoid, but what am I seeing and why
are these strings so common across Linux distros' binaries, esp. the
Jv (java?) reference? Please, any help?
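What a practitioner would check before treating these two strings as an indicator is where in the file they sit. The Python script below is an added example written for this page; it is not code from the poster or from any of the tools named above. It decodes the ELF64 section table with only the standard library, reports which sections contain each string, and lists the NUL-separated entries that come after it in the string table, which is what an editor or `strings` shows "following" the name. Both names are weak symbols referenced by GCC's C runtime start files (`__gmon_start__` for gprof profiling support, `_Jv_RegisterClasses` for the old GNU Java runtime's class registration), so finding them in the `.dynstr` symbol-name table of nearly every dynamically linked binary is the expected case, not a modification. The sample ELF image the script builds is constructed for the demo (a 64-bit little-endian file holding only string tables, no code); whether an updated binary still matches what the distribution shipped is a question for the package manager's own verification (`rpm -V`, `debsums`) rather than for string matching.

```python
"""Added example (editor's code, not the poster's): locate the two strings in
ELF binaries by section instead of grepping raw bytes. Assumes ELF64
little-endian files; the sample image below is constructed, not real."""
import os
import struct
import sys
import tempfile
from collections import Counter

MARKERS = (b"__gmon_start__", b"_Jv_RegisterClasses")
ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_NOBITS = 3, 8


def elf64_sections(data):
    """Return {section_name: raw bytes} for an ELF64 LE image, {} if malformed."""
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4:6] != b"\x02\x01":
        return {}
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shentsize != 64 or e_shoff + e_shnum * 64 > len(data) or e_shstrndx >= e_shnum:
        return {}
    hdrs = [struct.unpack_from("<IIQQQQ", data, e_shoff + i * 64) for i in range(e_shnum)]
    _, _, _, _, so, ss = hdrs[e_shstrndx]          # section-name string table
    shstrtab = data[so:so + ss]
    sections = {}
    for sh_name, sh_type, _flags, _addr, off, size in hdrs:
        end = shstrtab.find(b"\0", sh_name)
        name = shstrtab[sh_name:end if end >= 0 else None].decode("ascii", "replace")
        if sh_type != SHT_NOBITS:                   # .bss occupies no file bytes
            sections[name] = data[off:off + size]
    return sections


def locate_markers(data):
    """Map each marker to the names of the sections whose bytes contain it."""
    hits = {m.decode(): [] for m in MARKERS}
    for name, body in elf64_sections(data).items():
        for m in MARKERS:
            if m in body:
                hits[m.decode()].append(name)
    return hits


def following_entries(strtab, marker, count=3):
    """String-table entries after `marker`: the text an editor shows 'following' it."""
    entries = strtab.split(b"\0")
    if marker not in entries:
        return []
    idx = entries.index(marker)
    return [e.decode("ascii", "replace") for e in entries[idx + 1:idx + 1 + count] if e]


def scan_tree(root):
    """Walk `root`; return (number of ELF files, {marker: files containing it})."""
    elf_files, counts = 0, Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            try:
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if data[:4] != ELF_MAGIC:               # skip scripts, text, data files
                continue
            elf_files += 1
            for marker, where in locate_markers(data).items():
                counts[marker] += bool(where)
    return elf_files, dict(counts)


def build_sample_elf():
    """Constructed ELF64 image holding only a .dynstr and .shstrtab (no code)."""
    dynstr = b"\0libc.so.6\0__gmon_start__\0puts\0GLIBC_2.2.5\0_Jv_RegisterClasses\0"
    shstrtab = b"\0.dynstr\0.shstrtab\0"
    dynstr_off = 64
    shstr_off = dynstr_off + len(dynstr)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7            # 8-byte aligned
    ident = ELF_MAGIC + b"\x02\x01\x01\x00" + b"\0" * 8     # ELF64, LE, version 1, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)

    def shdr(name_idx, sh_type, off, size):
        return struct.pack("<IIQQQQIIQQ", name_idx, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    image = ehdr + dynstr + shstrtab
    image += b"\0" * (shoff - len(image))
    image += shdr(0, 0, 0, 0)                               # mandatory SHT_NULL entry
    image += shdr(1, SHT_STRTAB, dynstr_off, len(dynstr))   # ".dynstr" is shstrtab[1:]
    image += shdr(9, SHT_STRTAB, shstr_off, len(shstrtab))  # ".shstrtab" is shstrtab[9:]
    return image


def demo_scan():
    """Write the sample ELF plus a non-ELF file to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sample"), "wb") as fh:
            fh.write(build_sample_elf())
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("__gmon_start__ in a text file is not an ELF binary\n")
        return scan_tree(root)


if __name__ == "__main__":
    if len(sys.argv) > 1:                                   # e.g. python3 scan.py /usr/bin
        n, counts = scan_tree(sys.argv[1])
        print(f"{n} ELF files under {sys.argv[1]}; files containing each marker: {counts}")
    else:
        sample = build_sample_elf()
        print("sections with markers:", locate_markers(sample))
        print("after __gmon_start__:", following_entries(elf64_sections(sample)[".dynstr"], b"__gmon_start__"))
```

Run with a directory argument (`/usr/bin`, `/sbin`) to get the count the post asks for, and pass a single file's bytes to `locate_markers` and `following_entries` to see that the matches fall in `.dynstr` among library sonames, imported function names and `GLIBC_x.y` version tags. A match in `.text` or `.data`, or a packaged binary that fails the package manager's checksum verification, would be worth a closer look; a match in the dynamic string table is the normal output of the toolchain.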