Errors running "UNIX-System V" ELF executables [I've been hacked!]

Dan S. dan+lists at shoutis.org
Mon Apr 16 17:49:15 UTC 2007


Hi all,

Thanks for the help :)

I managed to find out why these ELF executables were able to run in the
hosted environment, but not in my recreated local one:
"kern.fallback_elf_brand" was set to linux on my host's server and not set to
anything on my own. Using brandelf on the executables had the same effect.

The IRC proxy was statically compiled and thus seemed to run although it
coredumped on me right away.

However, the rootkit/backdoor that I was worried about seems to require
ld-linux which, thankfully, was not present on the system at all so it did
not seem to get too far.

Cheers,
-- Dan S.

On 4/14/07, Boris Samorodov <bsam at ipt.ru> wrote:
>
> On Fri, 13 Apr 2007 14:51:18 -0600 Dan S. wrote:
>
> > Hello to all,
>
> > Hopefully someone can help me progress past a pair of "ELF Binary Type 0
> > not known" & "ELF Interpreter /compat/linux/lib/ld-linux.so.2 not found"
> > errors.
>
> Some steps may help you:
> 1. load linux.ko -- kernel part of linuxulator.
> 2. install linux base port (don't remember which one was with 4.6.x,
>    but try linux_base-8 then linux_base) -- user land part of
>    linuxulator;
> 3. brand the binary file (not a library or else!).
>
> > Here is the background & problem, bullet point style:
>
> > -  I unfortunately had a hosted & jailed virtual server running FreeBSD
> > 4.6.2 get broken into via a user account with a weak password. The
> > intruder installed at least two binaries: /tmp/" "/miro (almost certainly
> > a rootkit/backdoor) and /home/$hackeduser/" "/psybnc/psybnc (an IRC
> > proxy). (Yes, this is a creaky old OS; I've been letting it sit
> > dormant/mostly-unused and this is the price I pay for my lax
> > sysadminning.)
>
> > - The hosts were kind enough to provide me with a dump of the jailed
> > server; I've now got a fairly minimal install of 4.6.2-RELEASE running
> > under QEMU and, inside that, a jail for the image from the hosting
> > providers.
>
> > - The 'psybnc' binary definitely ran on the hosted virtual server; it
> > creates a log file and its timestamp & contents were recent. I don't
> > know if the 'miro' rootkit was successful or not. I'm crossing my
> > fingers that it wasn't, and trying to investigate a bit what it does.
> > "kldstat" on the hosted server didn't show any compatibility files up.
> > (In particular, no 'linux.ko'; I have loaded that module on the qemu
> > version to see if I could get further.)
>
> > - In my qemu FreeBSD, under the jail, neither program runs either as
> > root or as the hacked user:
> >  - $HOME/" "/psybnc/psybnc ----> 'ELF binary type "0" not known.' (note:
> > this is with 'linux.ko' loaded)
>
> That means that this (linux?) file is not branded.
>
> You may test it with 'brandelf <the_file>'. The (binary!) file should
> be branded as 'Linux' to let the FreeBSD system run the file with
> linuxulator:
> # brandelf -t Linux <the_file>
>
> >  - /tmp/" "/miro        ---> "ELF interpreter /compat/linux/lib/ld-linux.so.2
> > not found"
>
> That means that userland (the linux base port from ports) is not
> installed.
>
> >  - /tmp/" "/miro, if I unload linux.ko:  ----> 'ELF binary type "0" not
> > known.'
>
> > - Oddly, both have the exact same (except for offsets) elf headers:
>
> > ----- readelf -h /tmp/" "/miro  ---------
> > ELF Header:
> >  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
> >  Class:                             ELF32
> >  Data:                              2's complement, little endian
> >  Version:                           1 (current)
> >  OS/ABI:                            UNIX - System V
>
> Should be 'UNIX - Linux' so that FreeBSD recognises it and runs it with
> the linuxulator.
>
> >  ABI Version:                       0
> >  Type:                              EXEC (Executable file)
> >  Machine:                           Intel 80386
> >  Version:                           0x1
> >  Entry point address:               0x8048b10
> >  Start of program headers:          52 (bytes into file)
> >  Start of section headers:          16944 (bytes into file)
> >  Flags:                             0x0
> >  Size of this header:               52 (bytes)
> >  Size of program headers:           32 (bytes)
> >  Number of program headers:         6
> >  Size of section headers:           40 (bytes)
> >  Number of section headers:         30
> >  Section header string table index: 27
>
> > ----- readelf -h $HOME/" "/psybnc/psybnc ------
> > ELF Header:
> >  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
> >  Class:                             ELF32
> >  Data:                              2's complement, little endian
> >  Version:                           1 (current)
> >  OS/ABI:                            UNIX - System V
> >  ABI Version:                       0
> >  Type:                              EXEC (Executable file)
> >  Machine:                           Intel 80386
> >  Version:                           0x1
> >  Entry point address:               0x8048100
> >  Start of program headers:          52 (bytes into file)
> >  Start of section headers:          1295400 (bytes into file)
> >  Flags:                             0x0
> >  Size of this header:               52 (bytes)
> >  Size of program headers:           32 (bytes)
> >  Number of program headers:         4
> >  Size of section headers:           40 (bytes)
> >  Number of section headers:         22
> >  Section header string table index: 21
>
> > =======================
>
> > Any advice on how to try and get these to run? I'm really hoping to find
> > out if the system as a whole was compromised by the rootkit. The
> > user-account breakin isn't a huge deal but if more was compromised it
> > will be quite bad.
>
> > I'm also happy to send the rootkit/backdoor to anyone who wants to poke
> > at it. It contains the string: ".-= Backdoor made by Mironov =-."
>
>
> WBR
> --
> Boris Samorodov (bsam)
> Research Engineer, http://www.ipt.ru Telephone & Internet SP
> FreeBSD committer, http://www.FreeBSD.org The Power To Serve
>
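As an added example (not from the thread or its participants), the triage Dan did with readelf, redone in Python directly over the raw ELF32 header: read the EI_OSABI byte (the one brandelf sets, which readelf prints as "OS/ABI") and look for a PT_INTERP program header to tell a static binary like psybnc from one that needs ld-linux.so.2 like miro. The build_elf32 helper constructs tiny sample images so the script runs offline; elftriage.py is an assumed file name.

```python
import struct
import sys

# EI_OSABI byte values as readelf names them; 0 is what the thread's readelf
# output shows, and brandelf -t Linux changes that byte to 3.
OSABI = {0: "UNIX - System V", 3: "Linux", 9: "FreeBSD"}
PT_INTERP = 3  # program header type that names the dynamic loader

def build_elf32(osabi, interp=None):
    """Construct a minimal ELF32 i386 image (constructed sample, not a real program)."""
    path = interp.encode() + b"\0" if interp else b""
    phdrs = []
    if interp:
        # one PT_INTERP header; the path is stored right after the headers (offset 52 + 32)
        phdrs.append((PT_INTERP, 52 + 32, 0, 0, len(path), len(path), 4, 1))
    ident = b"\x7fELF" + bytes([1, 1, 1, osabi, 0]) + b"\0" * 7
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048100,
                               52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", *p) for p in phdrs) + path

def triage(data):
    """Return (osabi_name, interpreter_path_or_None) for an ELF32 LSB image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF image")
    osabi = data[7]                                    # e_ident[EI_OSABI]
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    interp = None
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz = struct.unpack_from(
            "<5I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return OSABI.get(osabi, "unknown (%d)" % osabi), interp

def verdict(data):
    """Explain, in the thread's terms, why the image would or would not run on FreeBSD."""
    abi, interp = triage(data)
    notes = []
    if abi == "UNIX - System V":
        notes.append("unbranded: needs brandelf -t Linux or kern.fallback_elf_brand=linux")
    notes.append("dynamic: needs %s from the linux base port" % interp if interp
                 else "static: no interpreter needed")
    return abi, interp, notes

if __name__ == "__main__":
    for name in sys.argv[1:]:  # e.g. python3 elftriage.py psybnc miro
        with open(name, "rb") as f:
            print(name, *verdict(f.read()))
```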


More information about the freebsd-questions mailing list