| 1 |
On Wed, Dec 16, 2009 at 9:01 PM, |
| 2 |
<whereislibertyandjustice@×××××××××.net> wrote: |
| 3 |
> In linux binaries, in any linux distro, I've discovered the same strings |
| 4 |
> which I believe may be due to a virus or trojan. |
| 5 |
> |
| 6 |
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities. |
| 7 |
> |
| 8 |
> Whether I run 'strings' on the binary files or view with vim or gedit, here |
| 9 |
> is what is always seen inside the binaries: |
| 10 |
> |
| 11 |
> |
| 12 |
> __gmon_start__ |
| 13 |
|
| 14 |
http://lists.debian.org/debian-arm/2001/03/msg00034.html |
| 15 |
|
| 16 |
poison@chicane /data/distfiles $ /lib/libc.so.6 --version |
| 17 |
GNU C Library stable release version 2.9, by Roland McGrath et al. |
| 18 |
<snip> |
| 19 |
|
| 20 |
hmm... it could be an issue, I suppose... but given I'm on a version |
| 21 |
of glibc far newer than the 2.1 to 2.2 transition that caused issues |
| 22 |
regarding that relocation, according to the mail referenced above... I |
| 23 |
think I'm safe, don't you? And... that's on my x86 *stable* system. |
| 24 |
|
| 25 |
> _Jv_RegisterClasses |
| 26 |
> |
| 27 |
|
| 28 |
http://gcc.gnu.org/ml/gcc/2002-06/msg00112.html |
| 29 |
|
| 30 |
> Followed by commands which differ within each binary. |
| 31 |
> |
| 32 |
> If, by some luck, I've downloaded a fresh Linux ISO where binaries do not |
| 33 |
> include the above two strings followed by commands, after I run an update |
| 34 |
> the updated binaries suddenly contain the above two strings and other, what |
| 35 |
> I believe to be, rogue strings. I've avoided the possible infection with an |
| 36 |
> OpenBSD install, yet all the Linux installations and burned ISOs contain |
| 37 |
> binaries with the above two strings followed by commands. |
| 38 |
> |
| 39 |
> Search using find within your bin and sbin directories for those two strings |
| 40 |
> and see how many positives you find. Now use a text editor like vi or gedit |
| 41 |
> and search through the gibberish, locate these strings and isolate the |
| 42 |
> commands, if any, which follow them. Searching for gmonstart, gmon, |
| 43 |
> registerclasses, jv, etc. variations of works. If you find results in your |
| 44 |
> binaries, please copy/paste the commands following the gmonstart and |
| 45 |
> jvregisterclasses strings so I may compare them to mine. |
| 46 |
> |
| 47 |
> I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from |
| 48 |
> different physical locations and found some CDs contained these strings |
| 49 |
> in the binaries and one or two rare ones did not, but when installed/updated |
| 50 |
> on a network connection the binaries replaced in the update process would |
| 51 |
> show these strings!! These strings are not alone by themselves in the |
| 52 |
> binaries they follow with commands with a @ mark before each command. |
| 53 |
> |
| 54 |
> Google results are vague, some suggest shell backdoors, every Linux user |
| 55 |
> I've asked to date calls me paranoid while at the same time this knowledge |
| 56 |
> comes as a surprise to them, too, when they search their binaries and find |
| 57 |
> the same strings. I'm amazed by how quickly some rush to judgement and call |
| 58 |
> you a paranoid for being curious about the files on your system. The strings |
| 59 |
> may/may not be common, but in comparing commands which follow these strings |
| 60 |
> I've noticed some which seem down right malicious! |
| 61 |
> |
| 62 |
> Maybe they're right, I'm just paranoid, but what am I seeing and why |
| 63 |
> are these strings so common across Linux distros binaries, esp. the |
| 64 |
> Jv (java?) reference? Please, any help? |
| 65 |
> |
| 66 |
|
| 67 |
They're so common because they're binaries compiled with the same |
| 68 |
compiler against the same libc implementation, for the most part, and |
| 69 |
there will *always* be very similar strings resulting from BOTH of |
| 70 |
those states across anything they've had a hand in. Yes, of course, |
| 71 |
it's reasonable to be security concious, but both of the links I found |
| 72 |
for those strings are first page on Google. There's also the confusing |
| 73 |
fact that you look so heavily at the binaries while failing to take a |
| 74 |
look at the things that would be sensible reasons for the same strings |
| 75 |
between them... and grep is your friend if you're going to do any |
| 76 |
sensible auditing... |
| 77 |
|
| 78 |
you have... |
| 79 |
1) Their own source code (may or may not have a reference) |
| 80 |
2) Toolchain (and, really, it's the source code for these you'll want |
| 81 |
to look through) |
| 82 |
2a) Compiler -> gcc suite |
| 83 |
2b) Linker -> ld from binutils |
| 84 |
2c) Assembler -> Also binutils |
| 85 |
3) Libraries -> Anything *all* of them link to. ldd is an amazingly |
| 86 |
handy tool... |
| 87 |
3a) libc.so.6 -> glibc |
| 88 |
3b) linux-gate.so.1 -> part of the the kernel (not a real file on the system) |
| 89 |
3c) /lib/ld-linux.so.2 -> runtime component for the linker (which |
| 90 |
would be ld from binutils) |
| 91 |
|
| 92 |
And... when your own phrasing of things shows you don't even know |
| 93 |
*what* these two strings you found *do* or are *really* related to... |
| 94 |
cross posting to gentoo-security is really not necessary, though I |
| 95 |
can't guarantee the actual security experts on that list would |
| 96 |
agree... I get that feeling. |
| 97 |
|
| 98 |
-- |
| 99 |
Poison [BLX] |
| 100 |
Joshua M. Murphy |
Archives