Date:      Fri, 13 Apr 2007 14:51:18 -0600
From:      "Dan S." <dan+lists@shoutis.org>
To:        freebsd-questions@freebsd.org
Subject:   Errors running "UNIX-System V" ELF executables [I've been hacked!]
Message-ID:  <ad87c80a0704131351l6444ddc9m6bcb4fc39bba70be@mail.gmail.com>

Hello to all,

Hopefully someone can help me progress past a pair of "ELF Binary Type 0 not
known"  & "ELF Interpreter /compat/linux/lib/ld-linux.so.2 not found"
errors.

Here is the background & problem, bullet point style:

-  I unfortunately had a hosted & jailed virtual server running FreeBSD
4.6.2 get broken into via a user account with a weak password. The intruder
installed at least two binaries: /tmp/" "/miro (almost certainly a
rootkit/backdoor) and /home/$hackeduser/" "/psybnc/psybnc (an IRC proxy).
(Yes, this is a creaky old OS; I've been letting it sit
dormant/mostly-unused and this is the price I pay for my lax sysadminning.)

- The hosts were kind enough to provide me with a dump of the jailed server;
I've now got a fairly minimal install of 4.6.2-RELEASE running under QEMU
and, inside that, a jail for the image from the hosting providers.

- The 'psybnc' binary definitely ran on the hosted virtual server; it
creates a log file and its timestamp & contents were recent. I don't know if
the 'miro' rootkit was successful or not. I'm crossing my fingers that it
wasn't, and trying to investigate a bit what it does. "kldstat" on the
hosted server didn't show any compatibility files up. (In particular, no
'linux.ko'; I have loaded that module on the qemu version to see if I could
get further.)

- In my qemu FreeBSD, under the jail, neither program runs either as root or
as the hacked user:
  - $HOME/" "/psybnc/psybnc ----> 'ELF binary type "0" not known.' (note:
this is with 'linux.ko' loaded)
  - /tmp/" "/miro ---> "ELF interpreter /compat/linux/lib/ld-linux.so.2 not found"
  - /tmp/" "/miro, if I unload linux.ko: ----> 'ELF binary type "0" not known.'

- Oddly, both have the exact same (except for offsets) elf headers:

----- readelf -h /tmp/" "/miro  ---------
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048b10
  Start of program headers:          52 (bytes into file)
  Start of section headers:          16944 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         6
  Size of section headers:           40 (bytes)
  Number of section headers:         30
  Section header string table index: 27

----- readelf -h $HOME/" "/psybnc/psybnc ------
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048100
  Start of program headers:          52 (bytes into file)
  Start of section headers:          1295400 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         4
  Size of section headers:           40 (bytes)
  Number of section headers:         22
  Section header string table index: 21

=======================

Any advice on how to try and get these to run? I'm really hoping to find out
if the system as a whole was compromised by the rootkit. The user-account
break-in isn't a huge deal, but if more was compromised it will be quite bad.

I'm also happy to send the rootkit/backdoor to anyone who wants to poke at
it. It contains the string: ".-= Backdoor made by Mironov =-."

Thanks to all!
-- Dan S.
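Both readelf dumps above show OS/ABI 0 (UNIX - System V), which is the field the FreeBSD ELF image activator keys its brand lookup on; a binary branded 0 is what produces the 'ELF binary type "0" not known' message unless it is re-branded with brandelf(1), and newer kernels and file(1) also look at an ABI-tag note to tell FreeBSD and Linux binaries apart. As an added example that is not part of this thread, the Python script below reads those two fields from an ELF32 image so a recovered binary can be classified without executing it; the sample images it builds are constructed test data, not the poster's files, and the note names and types follow the FreeBSD and GNU ABI-tag conventions.

```python
import struct

ELF_MAGIC, EI_OSABI, PT_NOTE = b"\x7fELF", 7, 4      # EI_OSABI: the "OS/ABI" byte readelf prints
OSABI_NAMES = {0: "UNIX - System V", 3: "Linux", 9: "FreeBSD"}

def parse_notes(blob):
    """Split a PT_NOTE segment into (name, type, desc) tuples; fields are 4-byte aligned."""
    out, pos = [], 0
    while pos + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, pos)
        name = blob[pos + 12:pos + 12 + namesz].rstrip(b"\0").decode("ascii", "replace")
        pos += 12 + ((namesz + 3) & ~3)
        out.append((name, ntype, blob[pos:pos + descsz]))
        pos += (descsz + 3) & ~3
    return out

def elf_identify(data):
    """Return (EI_OSABI byte, ABI notes) for a little-endian ELF32 image."""
    if data[:6] != ELF_MAGIC + b"\1\1":          # EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2LSB
        raise ValueError("not a little-endian ELF32 image")
    e_phoff, = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    notes = []
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz = struct.unpack_from("<IIIII", data, e_phoff + i * e_phentsize)
        if p_type == PT_NOTE:
            notes.extend(parse_notes(data[p_offset:p_offset + p_filesz]))
    return data[EI_OSABI], notes

def brand(data):
    """Classify the image the way a brand lookup does: OS/ABI byte first, then the ABI note."""
    osabi, notes = elf_identify(data)
    if osabi != 0:
        return "%s (e_ident[EI_OSABI]=%d)" % (OSABI_NAMES.get(osabi, "other"), osabi)
    for name, ntype, desc in notes:
        if name == "FreeBSD" and ntype == 1 and len(desc) == 4:   # NT_FREEBSD_ABI_TAG
            return "FreeBSD %d (.note ABI tag)" % struct.unpack("<I", desc)[0]
        if name == "GNU" and ntype == 1 and desc[:4] == b"\0\0\0\0":  # NT_GNU_ABI_TAG, OS 0 = Linux
            return "Linux (.note ABI tag)"
    return "unbranded SysV ELF: OS/ABI 0 and no ABI note"

def build_sample(osabi, note_name=None, ntype=1, desc=b""):
    """Constructed ELF32/i386 image (header, one PT_NOTE phdr, one optional note); test data only."""
    note = b"" if note_name is None else (
        struct.pack("<III", len(note_name) + 1, len(desc), ntype)
        + note_name + b"\0" * (4 - len(note_name) % 4) + desc + b"\0" * (-len(desc) % 4))
    ehdr = ELF_MAGIC + bytes([1, 1, 1, osabi]) + b"\0" * 8 + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0x8048100, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_NOTE, 84, 0, 0, len(note), len(note), 4, 4)  # note starts at 52+32
    return ehdr + phdr + note
```

Run brand() on open("/path/to/miro", "rb").read() from a copy of the image; it only parses bytes and never maps or executes anything.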
