Hi all,

Thanks for the help :)

I managed to find out why these ELF executables were able to run in the hosted environment but not in my recreated local one: "kern.fallback_elf_brand" was set to linux on my host's server and not set to anything on my own. Using brandelf on the executables had the same effect. The IRC proxy was statically compiled and thus seemed to run, although it core dumped on me right away. However, the rootkit/backdoor that I was worried about seems to require ld-linux which, thankfully, was not present on the system at all, so it did not seem to get too far.

Cheers,
--
Dan S.

On 4/14/07, Boris Samorodov <[EMAIL PROTECTED]> wrote:
On Fri, 13 Apr 2007 14:51:18 -0600 Dan S. wrote:

> Hello to all,
>
> Hopefully someone can help me progress past a pair of "ELF Binary Type 0 not
> known" & "ELF Interpreter /compat/linux/lib/ld-linux.so.2 not found" errors.

Some steps may help you:

1. load linux.ko -- kernel part of linuxulator.
2. install linux base port (don't remember which one was with 4.6.x, but try
   linux_base-8 then linux_base) -- user land part of linuxulator;
3. brand the binary file (not a library or else!).

> Here is the background & problem, bullet point style:
>
> - I unfortunately had a hosted & jailed virtual server running FreeBSD
>   4.6.2 get broken into via a user account with a weak password. The intruder
>   installed at least two binaries: /tmp/" "/miro (almost certainly a
>   rootkit/backdoor) and /home/$hackeduser/" "/psybnc/psybnc (an IRC proxy).
>   (Yes, this is a creaky old OS; I've been letting it sit
>   dormant/mostly-unused and this is the price I pay for my lax sysadminning.)
> - The hosts were kind enough to provide me with a dump of the jailed server;
>   I've now got a fairly minimal install of 4.6.2-RELEASE running under QEMU
>   and, inside that, a jail for the image from the hosting providers.
> - The 'psybnc' binary definitely ran on the hosted virtual server; it
>   creates a log file and its timestamp & contents were recent. I don't know if
>   the 'miro' rootkit was successful or not. I'm crossing my fingers that it
>   wasn't, and trying to investigate a bit what it does. "kldstat" on the
>   hosted server didn't show any compatibility files up. (In particular, no
>   'linux.ko'; I have loaded that module on the qemu version to see if I could
>   get further.)
> - In my qemu FreeBSD, under the jail, neither program runs either as root or
>   as the hacked user:
>   - $HOME/" "/psybnc/psybnc ----> 'ELF binary type "0" not known.' (note:
>     this is with 'linux.ko' loaded)

That means that this (linux?) file is not branded. You may test it with
'brandelf <the_file>'. The (binary!) file should be branded as 'Linux' to let
the FreeBSD system run the file with linuxulator:

# brandelf -t Linux <the_file>

>   - /tmp/" "/miro ---> "ELF interpreter /compat/linux/lib/ld-linux.so.2 not found"

That means that userland (linux base port from ports) is not installed.

>   - /tmp/" "/miro, if I unload linux.ko: ----> 'ELF binary type "0" not known.'
> - Oddly, both have the exact same (except for offsets) elf headers:
>
> ----- readelf -h /tmp/" "/miro ---------
> ELF Header:
>   Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
>   Class:                             ELF32
>   Data:                              2's complement, little endian
>   Version:                           1 (current)
>   OS/ABI:                            UNIX - System V

Should be 'UNIX - Linux' so that FreeBSD recognises it and runs it with the
linuxulator.

>   ABI Version:                       0
>   Type:                              EXEC (Executable file)
>   Machine:                           Intel 80386
>   Version:                           0x1
>   Entry point address:               0x8048b10
>   Start of program headers:          52 (bytes into file)
>   Start of section headers:          16944 (bytes into file)
>   Flags:                             0x0
>   Size of this header:               52 (bytes)
>   Size of program headers:           32 (bytes)
>   Number of program headers:         6
>   Size of section headers:           40 (bytes)
>   Number of section headers:         30
>   Section header string table index: 27
>
> ----- readelf -h $HOME/" "/psybnc/psybnc ------
> ELF Header:
>   Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
>   Class:                             ELF32
>   Data:                              2's complement, little endian
>   Version:                           1 (current)
>   OS/ABI:                            UNIX - System V
>   ABI Version:                       0
>   Type:                              EXEC (Executable file)
>   Machine:                           Intel 80386
>   Version:                           0x1
>   Entry point address:               0x8048100
>   Start of program headers:          52 (bytes into file)
>   Start of section headers:          1295400 (bytes into file)
>   Flags:                             0x0
>   Size of this header:               52 (bytes)
>   Size of program headers:           32 (bytes)
>   Number of program headers:         4
>   Size of section headers:           40 (bytes)
>   Number of section headers:         22
>   Section header string table index: 21
> =======================
>
> Any advice on how to try and get these to run? I'm really hoping to find out
> if the system as a whole was compromised by the rootkit. The user-account
> breakin isn't a huge deal but if more was compromised it will be quite bad.
> I'm also happy to send the rootkit/backdoor to anyone who wants to poke at
> it. It contains the string: ".-= Backdoor made by Mironov =-."

WBR
--
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve
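The diagnosis in this thread turns on two header fields the kernel reads before it runs anything: e_ident[EI_OSABI] (what readelf prints as OS/ABI and what brandelf rewrites) and the PT_INTERP program header (absent in a static binary such as psybnc, /lib/ld-linux.so.2 in a dynamic one such as miro). The following is an added example, not code from the thread or from FreeBSD: it reads those fields from a file without executing it, shows what `brandelf -t Linux` actually changes, and models the brand selection the two posters pieced together. The two ELF images are constructed inline (header and program headers only, no code), and `predict_exec` is a simplified, assumed model of the selection order (EI_OSABI, then a recognised interpreter path, then kern.fallback_elf_brand) that reproduces the messages reported above; it is not the kernel's image activator.

```python
import struct

ELFMAG = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB = 1, 1
PT_INTERP = 3
ELFOSABI_SYSV, ELFOSABI_LINUX, ELFOSABI_FREEBSD = 0, 3, 9
OSABI_NAMES = {ELFOSABI_SYSV: "UNIX - System V",
               ELFOSABI_LINUX: "UNIX - Linux",
               ELFOSABI_FREEBSD: "UNIX - FreeBSD"}
# Assumption: interpreter paths the activator maps to a brand when EI_OSABI is 0.
BRAND_INTERP = {"/lib/ld-linux.so.2": ELFOSABI_LINUX,
                "/usr/libexec/ld-elf.so.1": ELFOSABI_FREEBSD}
LINUX_PREFIX = "/compat/linux"   # where the linuxulator resolves PT_INTERP


def build_elf32(osabi, interp=None):
    """Constructed sample: a minimal ELF32 LE i386 EXEC image with one
    optional PT_INTERP program header. It contains no code at all."""
    ehsize, phentsize = 52, 32
    phnum = 0 if interp is None else 1
    interp_bytes = b"" if interp is None else interp.encode() + b"\0"
    interp_off = ehsize + phnum * phentsize
    e_ident = ELFMAG + bytes([ELFCLASS32, ELFDATA2LSB, 1, osabi, 0]) + b"\0" * 7
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1, 0x8048B10,        # e_type=EXEC, e_machine=386, e_version, e_entry
        ehsize, 0, 0,              # e_phoff, e_shoff, e_flags
        ehsize, phentsize, phnum,  # e_ehsize, e_phentsize, e_phnum
        40, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    phdr = b""
    if interp is not None:
        phdr = struct.pack("<IIIIIIII", PT_INTERP, interp_off, 0, 0,
                           len(interp_bytes), len(interp_bytes), 4, 1)
    return ehdr + phdr + interp_bytes


def inspect_elf(data):
    """Read the fields the image activator decides on, without running the
    file: EI_OSABI (readelf's OS/ABI) and the PT_INTERP path, None for a
    statically linked executable."""
    if data[:4] != ELFMAG:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELF32 little-endian is handled here")
    osabi = data[7]
    (e_type, e_machine, _ver, _entry, phoff, _shoff, _flags, _ehsize,
     phentsize, phnum) = struct.unpack_from("<HHIIIIIHHH", data, 16)
    interp = None
    for i in range(phnum):
        p_type, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIIII", data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            interp = raw.split(b"\0", 1)[0].decode()
    return {"osabi": osabi,
            "osabi_name": OSABI_NAMES.get(osabi, "unknown (%d)" % osabi),
            "type": e_type, "machine": e_machine, "interp": interp}


def brand_elf(data, osabi):
    """What `brandelf -t Linux file` does: rewrite the single byte at
    e_ident[EI_OSABI] (offset 7) and nothing else."""
    if data[:4] != ELFMAG:
        raise ValueError("not an ELF file")
    return data[:7] + bytes([osabi]) + data[8:]


def predict_exec(info, fallback_brand=None, linux_ko=True, linux_base=False):
    """Simplified model (an assumption, not kernel code) of how a brand is
    chosen and which of the thread's messages results. Order tried:
    EI_OSABI, then a recognised interpreter path, then kern.fallback_elf_brand."""
    loaded = {ELFOSABI_FREEBSD}
    if linux_ko:
        loaded.add(ELFOSABI_LINUX)
    candidates = [info["osabi"]]
    if info["interp"] in BRAND_INTERP:
        candidates.append(BRAND_INTERP[info["interp"]])
    if fallback_brand is not None:
        candidates.append(fallback_brand)
    brand = next((b for b in candidates if b in loaded), None)
    if brand is None:
        return 'ELF binary type "%d" not known.' % info["osabi"]
    if brand == ELFOSABI_LINUX and info["interp"] and not linux_base:
        # No linux_base port: the loader under /compat/linux does not exist.
        return "ELF interpreter %s%s not found" % (LINUX_PREFIX, info["interp"])
    return "runs under brand %d" % brand


if __name__ == "__main__":
    # Constructed stand-ins for the two recovered files: static vs. dynamic.
    samples = {"psybnc": build_elf32(ELFOSABI_SYSV),
               "miro": build_elf32(ELFOSABI_SYSV, "/lib/ld-linux.so.2")}
    for name, data in samples.items():
        info = inspect_elf(data)
        print(name, info["osabi_name"], info["interp"])
        print("  as found:        ", predict_exec(info))
        print("  fallback=Linux:  ", predict_exec(info, fallback_brand=ELFOSABI_LINUX))
        print("  after brandelf:  ", predict_exec(inspect_elf(brand_elf(data, ELFOSABI_LINUX))))
        print("  without linux.ko:", predict_exec(info, linux_ko=False))
```

On a recovered image, `inspect_elf(open(path, "rb").read())` is the safer first step: it tells you whether an unknown binary is static or needs a Linux loader, which is what separated psybnc (ran anywhere the fallback brand was set) from miro (dead without ld-linux.so.2), without ever executing the suspect file.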
_______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"