From owner-freebsd-questions@FreeBSD.ORG Sat Apr 14 18:40:27 2007
From: Boris Samorodov
To: dan+lists@shoutis.org
Cc: freebsd-questions@freebsd.org
Date: Sat, 14 Apr 2007 22:40:38 +0400
Subject: Re: Errors running "UNIX-System V" ELF executables [I've been hacked!]
Message-ID: <22220873@srv.sem.ipt.ru>
In-Reply-To: (Dan S.'s message of "Fri, 13 Apr 2007 14:51:18 -0600")
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (berkeley-unix)

On Fri, 13 Apr 2007 14:51:18 -0600 Dan S. wrote:

> Hello to all,
>
> Hopefully someone can help me progress past a pair of "ELF Binary Type 0 not
> known" & "ELF Interpreter /compat/linux/lib/ld-linux.so.2 not found"
> errors.

Some steps may help you:

1. load linux.ko -- kernel part of linuxulator;
2. install linux base port (don't remember which one was with 4.6.x, but
   try linux_base-8 then linux_base) -- user land part of linuxulator;
3. brand the binary file (not a library or else!).

> Here is the background & problem, bullet point style:
>
> - I unfortunately had a hosted & jailed virtual server running FreeBSD
> 4.6.2 get broken into via a user account with a weak password. The intruder
> installed at least two binaries: /tmp/" "/miro (almost certainly a
> rootkit/backdoor) and /home/$hackeduser/" "/psybnc/psybnc (an IRC proxy).
> (Yes, this is a creaky old OS; I've been letting it sit
> dormant/mostly-unused and this is the price I pay for my lax sysadminning.)
>
> - The hosts were kind enough to provide me with a dump of the jailed server;
> I've now got a fairly minimal install of 4.6.2-RELEASE running under QEMU
> and, inside that, a jail for the image from the hosting providers.
>
> - The 'psybnc' binary definitely ran on the hosted virtual server; it
> creates a log file and its timestamp & contents were recent. I don't know if
> the 'miro' rootkit was successful or not. I'm crossing my fingers that it
> wasn't, and trying to investigate a bit what it does. "kldstat" on the
> hosted server didn't show any compatibility files up. (In particular, no
> 'linux.ko'; I have loaded that module on the qemu version to see if I could
> get further.)
>
> - In my qemu freeBSD, under the jail, neither program runs either as root or
> as the hacked user:
>
> - $HOME/" "/psybnc/psybnc ----> 'ELF binary type "0" not known.' (note:
> this is with 'linux.ko' loaded)

That means that this (linux?) file is not branded. You may test it with
'brandelf <file>'. The (binary!) file should be branded as 'Linux' to let
the FreeBSD system run the file with linuxulator:

# brandelf -t Linux <file>

> - /tmp/" "/miro ---> "ELF interpreter /compat/linux/lib/ld-linux.so.2
> not found"

That means that the userland (linux base port from ports) is not installed.

> - /tmp/" "/miro, If I unload linux.ko : ----> 'ELF binary type "0" not
> known.'
>
> - Oddly, both have the exact same (except for offsets) elf headers:
>
> ----- readelf -h /tmp/" "/miro ---------
> ELF Header:
>   Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
>   Class:                             ELF32
>   Data:                              2's complement, little endian
>   Version:                           1 (current)
>   OS/ABI:                            UNIX - System V

Should be 'UNIX - Linux' so that FreeBSD recognises it and runs it with the
linuxulator.

>   ABI Version:                       0
>   Type:                              EXEC (Executable file)
>   Machine:                           Intel 80386
>   Version:                           0x1
>   Entry point address:               0x8048b10
>   Start of program headers:          52 (bytes into file)
>   Start of section headers:          16944 (bytes into file)
>   Flags:                             0x0
>   Size of this header:               52 (bytes)
>   Size of program headers:           32 (bytes)
>   Number of program headers:         6
>   Size of section headers:           40 (bytes)
>   Number of section headers:         30
>   Section header string table index: 27
>
> ----- readelf -h $HOME/" "/psybnc/psybnc ------
> ELF Header:
>   Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
>   Class:                             ELF32
>   Data:                              2's complement, little endian
>   Version:                           1 (current)
>   OS/ABI:                            UNIX - System V
>   ABI Version:                       0
>   Type:                              EXEC (Executable file)
>   Machine:                           Intel 80386
>   Version:                           0x1
>   Entry point address:               0x8048100
>   Start of program headers:          52 (bytes into file)
>   Start of section headers:          1295400 (bytes into file)
>   Flags:                             0x0
>   Size of this header:               52 (bytes)
>   Size of program headers:           32 (bytes)
>   Number of program headers:         4
>   Size of section headers:           40 (bytes)
>   Number of section headers:         22
>   Section header string table index: 21
> =======================
>
> Any advice on how to try and get these to run? I'm really hoping to find out
> if the system as a whole was compromised by the rootkit. The user-acount
> breakin isn't a huge deal but if more was compromised it will be quite bad.
> I'm also happy to send the rootkit/backdoor to anyone who wants to poke at
> it. It contains the string: ".-= Backdoor made by Mironov =-."

WBR
-- 
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve
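Added example, not part of this thread or of the FreeBSD tools it mentions: a small Python parser that reads the e_ident OS/ABI byte behind the "UNIX - System V" line in the readelf output above and the PT_INTERP loader path behind the "ELF interpreter ... not found" error, so a recovered binary can be characterised without executing it. The sample bytes are constructed from the header values quoted for /tmp/" "/miro (reduced to one program header), and the brandelf() function is a bytes-level imitation of what `brandelf -t Linux` changes; inspect_elf32, brandelf and SAMPLE are names chosen here.

```python
import struct

EI_OSABI = 7                 # offset of the OS/ABI ("brand") byte in e_ident
OSABI_NAMES = {0: "UNIX - System V", 3: "Linux", 9: "FreeBSD"}
PT_INTERP = 3                # program header naming the dynamic loader
EHDR_FMT = "<HHIIIIIHHHHHH"  # Elf32_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"       # Elf32_Phdr, 32 bytes

def inspect_elf32(data):
    """Report brand byte, type, machine, entry and PT_INTERP path of a
    32-bit little-endian ELF image without executing it."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not an ELF32 little-endian file")
    (e_type, e_machine, _, e_entry, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR_FMT, data, 16)
    interp = None
    for i in range(e_phnum):
        phdr = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = phdr[0], phdr[1], phdr[4]
        if p_type == PT_INTERP:   # the loader path the kernel tries to open
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    osabi = data[EI_OSABI]
    return {"osabi": osabi, "osabi_name": OSABI_NAMES.get(osabi, "unknown"),
            "type": e_type, "machine": e_machine, "entry": e_entry,
            "interp": interp}

def brandelf(data, osabi):
    """Bytes-level imitation of `brandelf -t <brand>`: only e_ident[EI_OSABI]
    changes, nothing else in the image is touched."""
    return data[:EI_OSABI] + bytes([osabi]) + data[EI_OSABI + 1:]

# Constructed sample (not the real binary): the e_ident and header values that
# readelf printed for /tmp/" "/miro above (EXEC, i386, entry 0x8048b10, program
# headers at offset 52), reduced to a single PT_INTERP segment that names the
# Linux loader the kernel complained about.
INTERP = b"/lib/ld-linux.so.2\0"
SAMPLE = (b"\x7fELF\x01\x01\x01" + b"\0" * 9
          + struct.pack(EHDR_FMT, 2, 3, 1, 0x8048B10, 52, 0, 0, 52, 32, 1, 40, 0, 0)
          + struct.pack(PHDR_FMT, PT_INTERP, 84, 0, 0, len(INTERP), len(INTERP), 4, 1)
          + INTERP)

if __name__ == "__main__":
    print(inspect_elf32(SAMPLE))                              # osabi 0: UNIX - System V
    print(inspect_elf32(brandelf(SAMPLE, 3))["osabi_name"])   # Linux
```

Pointing inspect_elf32 at a real file (open it in binary mode and pass the bytes) shows whether a binary is still branded System V and which loader it expects before any decision to load linux.ko or install a linux_base port.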