On Wed, Dec 16, 2009 at 9:01 PM,
<whereislibertyandjustice@×××××××××.net> wrote:
> In linux binaries, in any linux distro, I've discovered the same strings
> which I believe may be due to a virus or trojan.
>
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
>
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
>
>
> __gmon_start__

http://lists.debian.org/debian-arm/2001/03/msg00034.html

poison@chicane /data/distfiles $ /lib/libc.so.6 --version
GNU C Library stable release version 2.9, by Roland McGrath et al.
<snip>

hmm... it could be an issue, I suppose... but given I'm on a version
of glibc far newer than the 2.1 to 2.2 transition that caused issues
regarding that relocation, according to the mail referenced above... I
think I'm safe, don't you? And... that's on my x86 *stable* system.

> _Jv_RegisterClasses
>

http://gcc.gnu.org/ml/gcc/2002-06/msg00112.html

> Followed by commands which differ within each binary.
>
> If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
> include the above two strings followed by commands, after I run an update
> the updated binaries suddenly contain the above two strings and other, what
> I believe to be, rogue strings. I've avoided the possible infection with an
> OpenBSD install, yet all the Linux installations and burned ISOs contain
> binaries with the above two strings followed by commands.
>
> Search using find within your bin and sbin directories for those two strings
> and see how many positives you find. Now use a text editor like vi or gedit
> and search through the gibberish, locate these strings and isolate the
> commands, if any, which follow them. Searching for gmonstart, gmon,
> registerclasses, jv, etc. variations of works. If you find results in your
> binaries, please copy/paste the commands following the gmonstart and
> jvregisterclasses strings so I may compare them to mine.
>
> I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
> different physical locations and found some CDs contained these strings
> in the binaries and one or two rare ones did not, but when installed/updated
> on a network connection the binaries replaced in the update process would
> show these strings!! These strings are not alone by themselves in the
> binaries; they follow with commands with a @ mark before each command.
>
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this knowledge
> comes as a surprise to them, too, when they search their binaries and find
> the same strings. I'm amazed by how quickly some rush to judgement and call
> you a paranoid for being curious about the files on your system. The strings
> may/may not be common, but in comparing commands which follow these strings
> I've noticed some which seem downright malicious!
>
> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?
>

They're so common because they're binaries compiled with the same
compiler against the same libc implementation, for the most part, and
there will *always* be very similar strings resulting from BOTH of
those states across anything they've had a hand in. Yes, of course,
it's reasonable to be security conscious, but both of the links I found
for those strings are first page on Google. There's also the confusing
fact that you look so heavily at the binaries while failing to take a
look at the things that would be sensible reasons for the same strings
between them... and grep is your friend if you're going to do any
sensible auditing...

you have...
1) Their own source code (may or may not have a reference)
2) Toolchain (and, really, it's the source code for these you'll want
to look through)
2a) Compiler -> gcc suite
2b) Linker -> ld from binutils
2c) Assembler -> Also binutils
3) Libraries -> Anything *all* of them link to. ldd is an amazingly
handy tool...
3a) libc.so.6 -> glibc
3b) linux-gate.so.1 -> part of the kernel (not a real file on the system)
3c) /lib/ld-linux.so.2 -> runtime component for the linker (which
would be ld from binutils)

And... when your own phrasing of things shows you don't even know
*what* these two strings you found *do* or are *really* related to...
cross posting to gentoo-security is really not necessary, though I
can't guarantee the actual security experts on that list would
agree... I get that feeling.

-- 
Poison [BLX]
Joshua M. Murphy
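The two names the original poster keeps finding are not "commands" but entries in each binary's dynamic symbol table: weak, undefined references that the toolchain's C runtime start files pull into every dynamically linked program, which is why the reply points at gcc and glibc rather than at the binaries themselves. The parser below is an added example, not code from this thread; it reads .dynsym directly to show binding and definedness, assumes little-endian ELF64, and uses a constructed minimal ELF image in place of a real binary.

```python
import struct

BIND = {0: "LOCAL", 1: "GLOBAL", 2: "WEAK"}
SHT_DYNSYM, SHT_STRTAB = 11, 3

def dynsym_table(data):
    """Map each .dynsym name to (binding, defined) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    shoff, = struct.unpack_from("<Q", data, 40)              # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 58)   # e_shentsize, e_shnum
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
             for i in range(shnum)]
    out = {}
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab = shdrs[sh[6]]                    # sh_link names the matching .dynstr
        for pos in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name, st_info, _, st_shndx = struct.unpack_from("<IBBH", data, pos)
            if st_name == 0:
                continue
            start = strtab[4] + st_name
            name = data[start:data.index(b"\0", start)].decode()
            # st_shndx 0 (SHN_UNDEF): the binary only references the symbol, it does not define it
            out[name] = (BIND.get(st_info >> 4, "?"), st_shndx != 0)
    return out

def build_sample_elf():
    """Constructed stand-in for a real binary: an ELF64 shell holding only .dynsym/.dynstr."""
    names = [b"", b"__gmon_start__", b"_Jv_RegisterClasses", b"puts"]
    dynstr = b"\0".join(names) + b"\0"
    offs = {n: dynstr.index(n + b"\0") for n in names}
    def sym(name, bind, shndx):                  # Elf64_Sym with STT_NOTYPE
        return struct.pack("<IBBHQQ", offs[name], bind << 4, 0, shndx, 0, 0)
    dynsym = (sym(b"", 0, 0) + sym(b"__gmon_start__", 2, 0)       # 2 = STB_WEAK
              + sym(b"_Jv_RegisterClasses", 2, 0) + sym(b"puts", 1, 0))  # 1 = STB_GLOBAL
    dynstr_off, dynsym_off = 64, 64 + len(dynstr)
    shoff = dynsym_off + len(dynsym)
    def shdr(typ, off, size, link, entsize):     # Elf64_Shdr
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, entsize)
    shdrs = (shdr(0, 0, 0, 0, 0) + shdr(SHT_DYNSYM, dynsym_off, len(dynsym), 2, 24)
             + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8            # ELF64, LE, SysV
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0))
    return ehdr + dynstr + dynsym + shdrs

if __name__ == "__main__":
    for name, (bind, defined) in sorted(dynsym_table(build_sample_elf()).items()):
        print(f"{name:24} {bind:7} {'defined' if defined else 'UNDEF'}")
```

On a real program, dynsym_table(open(path, "rb").read()) lists the same two names as WEAK and undefined next to the GLOBAL imports from libc, for any binary whose toolchain still emits them; that, not the text that happens to follow them in a hex dump, is the check that tells you where they came from.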