Date: Sat, 14 Apr 2007 22:40:38 +0400
From: Boris Samorodov <bsam@ipt.ru>
To: dan+lists@shoutis.org
Cc: freebsd-questions@freebsd.org
Subject: Re: Errors running "UNIX-System V" ELF executables [I've been hacked!]
Message-ID: <22220873@srv.sem.ipt.ru>
In-Reply-To: <ad87c80a0704131351l6444ddc9m6bcb4fc39bba70be@mail.gmail.com> (Dan S.'s message of "Fri, 13 Apr 2007 14:51:18 -0600")
References: <ad87c80a0704131351l6444ddc9m6bcb4fc39bba70be@mail.gmail.com>
On Fri, 13 Apr 2007 14:51:18 -0600 Dan S. wrote:

> Hello to all,
> Hopefully someone can help me progress past a pair of "ELF Binary Type 0 not
> known" & "ELF Interpreter /compat/linux/lib/ld-linux.so.2 not found"
> errors.

Some steps may help you:
1. load linux.ko -- kernel part of linuxulator.
2. install linux base port (don't remember which one was with 4.6.x, but
   try linux_base-8 then linux_base) -- user land part of linuxulator;
3. brand the binary file (not a library or else!).

> Here is the background & problem, bullet point style:
> - I unfortunately had a hosted & jailed virtual server running FreeBSD
> 4.6.2 get broken into via a user account with a weak password. The intruder
> installed at least two binaries: /tmp/" "/miro (almost certainly a
> rootkit/backdoor) and /home/$hackeduser/" "/psybnc/psybnc (an IRC proxy).
> (Yes, this is a creaky old OS; I've been letting it sit
> dormant/mostly-unused and this is the price I pay for my lax sysadminning.)
> - The hosts were kind enough to provide me with a dump of the jailed server;
> I've now got a fairly minimal install of 4.6.2-RELEASE running under QEMU
> and, inside that, a jail for the image from the hosting providers.
> - The 'psybnc' binary definitely ran on the hosted virtual server; it
> creates a log file and its timestamp & contents were recent. I don't know if
> the 'miro' rootkit was successful or not. I'm crossing my fingers that it
> wasn't, and trying to investigate a bit what it does. "kldstat" on the
> hosted server didn't show any compatibility files up. (In particular, no
> 'linux.ko'; I have loaded that module on the qemu version to see if I could
> get further.)
> - In my qemu freeBSD, under the jail, neither program runs either as root or
> as the hacked user:
> - $HOME/" "/psybnc/psybnc ----> 'ELF binary type "0" not known.' (note:
> this is with 'linux.ko' loaded)

That means that this (linux?) file is not branded. You may test it with
'brandelf <the_file>'. The (binary!) file should be branded as 'Linux' to let
the FreeBSD system run the file with linuxulator:

# brandelf -t Linux <the_file>

> - /tmp/" "/miro ---> "ELF interpreter /compat/linux/lib/ld-linux.so.2 not found"

That means that userland (linux base port from ports) is not installed.

> - /tmp/" "/miro, If I unload linux.ko : ----> 'ELF binary type "0" not
> known.'
> - Oddly, both have the exact same (except for offsets) elf headers:
> ----- readelf -h /tmp/" "/miro ---------
> ELF Header:
>   Magic:                             7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
>   Class:                             ELF32
>   Data:                              2's complement, little endian
>   Version:                           1 (current)
>   OS/ABI:                            UNIX - System V

Should be 'UNIX - Linux' so that FreeBSD recognises it and runs it with the
linuxulator.

>   ABI Version:                       0
>   Type:                              EXEC (Executable file)
>   Machine:                           Intel 80386
>   Version:                           0x1
>   Entry point address:               0x8048b10
>   Start of program headers:          52 (bytes into file)
>   Start of section headers:          16944 (bytes into file)
>   Flags:                             0x0
>   Size of this header:               52 (bytes)
>   Size of program headers:           32 (bytes)
>   Number of program headers:         6
>   Size of section headers:           40 (bytes)
>   Number of section headers:         30
>   Section header string table index: 27
> ----- readelf -h $HOME/" "/psybnc/psybnc ------
> ELF Header:
>   Magic:                             7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
>   Class:                             ELF32
>   Data:                              2's complement, little endian
>   Version:                           1 (current)
>   OS/ABI:                            UNIX - System V
>   ABI Version:                       0
>   Type:                              EXEC (Executable file)
>   Machine:                           Intel 80386
>   Version:                           0x1
>   Entry point address:               0x8048100
>   Start of program headers:          52 (bytes into file)
>   Start of section headers:          1295400 (bytes into file)
>   Flags:                             0x0
>   Size of this header:               52 (bytes)
>   Size of program headers:           32 (bytes)
>   Number of program headers:         4
>   Size of section headers:           40 (bytes)
>   Number of section headers:         22
>   Section header string table index: 21
> =======================
> Any advice on how to try and get these to run? I'm really hoping to find out
> if the system as a whole was compromised by the rootkit. The user-account
> breakin isn't a huge deal but if more was compromised it will be quite bad.
> I'm also happy to send the rootkit/backdoor to anyone who wants to poke at
> it. It contains the string: ".-= Backdoor made by Mironov =-."

WBR
-- 
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve
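The branding question in this exchange comes down to one byte: EI_OSABI at offset 7 of the ELF identification, which readelf prints as "OS/ABI" and which FreeBSD's kernel inspects to pick an execution ABI. The following read-only header parser is an added example for triaging a suspicious binary without running it; it is not code from the thread or from FreeBSD. The sample header bytes are constructed from the readelf values quoted for /tmp/" "/miro; the OS/ABI byte values (0, 3, 9) are the ones defined in the ELF specification.

```python
import struct

# EI_OSABI values relevant to the thread (ELF spec / FreeBSD sys/elf_common.h).
OSABI_NAMES = {0: "UNIX - System V", 3: "UNIX - Linux", 9: "UNIX - FreeBSD"}
TYPE_NAMES = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)",
              3: "DYN (Shared object file)"}
MACHINE_NAMES = {3: "Intel 80386"}

def parse_elf32_header(data: bytes) -> dict:
    """Read-only parse of the 52-byte ELF32 header (the fields readelf -h prints)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class != 1:
        raise ValueError("only ELF32 is handled here")
    endian = "<" if ei_data == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    (e_type, e_machine, _e_version, e_entry, e_phoff, e_shoff, _e_flags,
     _e_ehsize, _e_phentsize, e_phnum, _e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack(endian + "HHIIIIIHHHHHH", data[16:52])
    return {
        "osabi_byte": ei_osabi,
        "osabi": OSABI_NAMES.get(ei_osabi, f"<unknown: {ei_osabi}>"),
        "type": TYPE_NAMES.get(e_type, f"<unknown: {e_type}>"),
        "machine": MACHINE_NAMES.get(e_machine, f"<unknown: {e_machine}>"),
        "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff,
        "phnum": e_phnum, "shnum": e_shnum, "shstrndx": e_shstrndx,
    }

def brand_diagnosis(data: bytes) -> str:
    """Relate the EI_OSABI byte to the kernel message quoted in the thread."""
    osabi = parse_elf32_header(data)["osabi_byte"]
    if osabi == 0:
        return 'unbranded (EI_OSABI 0): FreeBSD reports ELF binary type "0" not known'
    return f"branded: {OSABI_NAMES.get(osabi, osabi)}"

# Constructed sample: only the 52 header bytes, with the values readelf showed
# for /tmp/" "/miro (e_ident, then e_type .. e_shstrndx). No code follows.
MIRO_HEADER = (b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8) +
               struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048B10, 52, 16944, 0,
                           52, 32, 6, 40, 30, 27))

if __name__ == "__main__":
    for key, value in parse_elf32_header(MIRO_HEADER).items():
        print(f"{key:>10}: {value:#x}" if key == "entry" else f"{key:>10}: {value}")
    print(brand_diagnosis(MIRO_HEADER))
```

Pointing `parse_elf32_header` at the first 52 bytes of a real file gives the same fields as `readelf -h` without executing anything, which is the safer first step when the binary is a suspected backdoor.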