From owner-freebsd-questions@FreeBSD.ORG Fri Apr 13 21:15:43 2007
Date: Fri, 13 Apr 2007 14:51:18 -0600
From: "Dan S."
Sender: dan@shoutis.org
To: freebsd-questions@freebsd.org
Reply-To: dan+lists@shoutis.org
Subject: Errors running "UNIX-System V" ELF executables [I've been hacked!]

Hello to all,

Hopefully someone can help me progress past a pair of "ELF Binary Type 0 not known" & "ELF Interpreter /compat/linux/lib/ld-linux.so.2 not found" errors. Here is the background & problem, bullet point style:

- I unfortunately had a hosted & jailed virtual server running FreeBSD 4.6.2 get broken into via a user account with a weak password.
  The intruder installed at least two binaries: /tmp/" "/miro (almost certainly a rootkit/backdoor) and /home/$hackeduser/" "/psybnc/psybnc (an IRC proxy). (Yes, this is a creaky old OS; I've been letting it sit dormant/mostly-unused and this is the price I pay for my lax sysadminning.)

- The hosts were kind enough to provide me with a dump of the jailed server; I've now got a fairly minimal install of 4.6.2-RELEASE running under QEMU and, inside that, a jail for the image from the hosting providers.

- The 'psybnc' binary definitely ran on the hosted virtual server; it creates a log file and its timestamp & contents were recent. I don't know if the 'miro' rootkit was successful or not. I'm crossing my fingers that it wasn't, and trying to investigate a bit what it does. "kldstat" on the hosted server didn't show any compatibility files up. (In particular, no 'linux.ko'; I have loaded that module on the qemu version to see if I could get further.)

- In my qemu FreeBSD, under the jail, neither program runs either as root or as the hacked user:
  - $HOME/" "/psybnc/psybnc ----> 'ELF binary type "0" not known.' (note: this is with 'linux.ko' loaded)
  - /tmp/" "/miro ---> "ELF interpreter /compat/linux/lib/ld-linux.so.2 not found"
  - /tmp/" "/miro, if I unload linux.ko: ----> 'ELF binary type "0" not known.'
- Oddly, both have the exact same (except for offsets) ELF headers:

----- readelf -h /tmp/" "/miro ---------
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048b10
  Start of program headers:          52 (bytes into file)
  Start of section headers:          16944 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         6
  Size of section headers:           40 (bytes)
  Number of section headers:         30
  Section header string table index: 27

----- readelf -h $HOME/" "/psybnc/psybnc ------
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048100
  Start of program headers:          52 (bytes into file)
  Start of section headers:          1295400 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         4
  Size of section headers:           40 (bytes)
  Number of section headers:         22
  Section header string table index: 21
=======================

Any advice on how to try and get these to run? I'm really hoping to find out if the system as a whole was compromised by the rootkit. The user-account break-in isn't a huge deal but if more was compromised it will be quite bad.

I'm also happy to send the rootkit/backdoor to anyone who wants to poke at it. It contains the string: ".-= Backdoor made by Mironov =-."

Thanks to all!

-- 
Dan S.
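The two error messages in the post come from the kernel's ELF brand lookup: FreeBSD reads the EI_OSABI byte (offset 7, the field readelf prints as OS/ABI) to pick a brand, and 0 ("UNIX - System V") is the unbranded value that brandelf(1) exists to set; the PT_INTERP program header names the dynamic loader, which the Linux emulation then resolves under /compat/linux. As an added example, not part of this post and not FreeBSD's own code, here is a small Python parser that reports both fields from the file bytes without executing anything; the ELF image it inspects is constructed inline (only the header constants are borrowed from the readelf output above).

```python
import struct

# ELF32 header after the 16-byte e_ident, in the order readelf -h prints it:
# e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
# e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
EHDR = "<HHIIIIIHHHHHH"
# Program header: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
PHDR = "<IIIIIIII"
PT_INTERP = 3
EI_OSABI = 7                       # the byte brandelf(1) rewrites; 0 = "UNIX - System V"
OSABI_NAMES = {0: "UNIX - System V", 3: "Linux", 9: "FreeBSD"}

def triage_elf(data):
    """Return (OS/ABI name, requested interpreter or None) for an ELF32 LE image.

    Pure byte parsing: nothing here loads or runs the binary."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    osabi = data[EI_OSABI]
    hdr = struct.unpack_from(EHDR, data, 16)
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    interp = None
    for i in range(e_phnum):
        ph = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_INTERP:
            interp = data[ph[1]:ph[1] + ph[4]].rstrip(b"\0").decode("ascii")
    return OSABI_NAMES.get(osabi, "unknown (%d)" % osabi), interp

def classify(osabi_name, interp):
    """What the brand lookup has to go on: for an unbranded image little more
    than the interpreter path, and a static image offers not even that."""
    if osabi_name != "UNIX - System V":
        return "branded " + osabi_name
    if interp is None:
        return "unbranded, static (no interpreter)"
    return "unbranded, dynamic (wants %s)" % interp

def build_sample(osabi=0, with_interp=True):
    """Constructed test image (not a real binary): one header plus, optionally,
    a single PT_INTERP entry naming the Linux loader."""
    ident = b"\x7fELF" + bytes([1, 1, 1, osabi]) + b"\0" * 8
    interp = b"/lib/ld-linux.so.2\0"
    phnum = 1 if with_interp else 0
    ehdr = struct.pack(EHDR, 2, 3, 1, 0x8048B10, 52, 0, 0, 52, 32, phnum, 40, 0, 0)
    phdr = struct.pack(PHDR, PT_INTERP, 84, 0, 0, len(interp), len(interp), 4, 1)
    return ident + ehdr + (phdr + interp if with_interp else b"")
```

Run it over a suspect file with `triage_elf(open(path, "rb").read())`; an unbranded image that asks for ld-linux.so.2 is a Linux binary, and an unbranded one with no PT_INTERP is statically linked, which is the case the interpreter-based fallback cannot help with.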