[RndTbl] weird a.out in /var/log/httpd

Sean Walberg sean at ertw.com
Mon Jan 5 18:32:26 CST 2015


Don't run ldd on a binary you don't trust [1]. I think the safer way is
objdump -p a.out | grep NEEDED.

Did you try "strings" to see what's in there? "nm" and "objdump" might give
some more info on the method names especially since it's been stripped.

Also, just for kicks, do an "lsof | grep deleted" to see if any processes
have some old files open that you can grab out of proc that the exploit
tried to delete but was held open.

[1] http://www.catonmat.net/blog/ldd-arbitrary-code-execution/


Sean

On Mon, Jan 5, 2015 at 5:56 PM, Adam Thompson <athompso at athompso.net> wrote:

> 1) Run it on a 32-bit livecd
> 2) ldd(1)
> Otherwise, look at the elftools (or something like that) package to get
> more info about the binary.
> Don't you run all your systems with selinux?
> -Adam
>
> On January 5, 2015 5:33:35 PM CST, Trevor Cordes <trevor at tecnopolis.ca>
> wrote:
>>
>> Uh oh.  Finding an a.out in your /var/log/httpd doesn't instill
>> a warm fuzzy feeling.
>>
>> I have ~ 4k a.out there dated Oct 12, which unfortunately is just past
>> my logrotate cutoff now, so I can't check access.log (drat) without
>> hitting the (hard to hit) backups.
>>
>> file a.out
>> a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
>> dynamically linked (uses shared libs), not stripped
>>
>> I fired up a live-cd linux with no disks or net attached to try to run
>> it (I put it on a usb stick).  But when I do *the shell* returns ENOENT
>> and won't run.  I tried ./a.out.  I tried moving it to a fs that
>> shouldn't be mounted noexec.  I tried strace a.out and strace ./a.out
>> and strace shows only the exec attempt and the error print and quit.
>>
>> Huh?  How can I get this thing to run?
>>
>> Any way to see what it is doing?  Disassemble?  It is not stripped, so
>> gdb?  How can I step-run it from the start (ie nothing executes until I
>> step)?
>>
>> What else to do with this file?
>>
>> I'll see if I can dig up the access.log from that date and get more
>> details.
>> ------------------------------
>>
>> Roundtable mailing list
>> Roundtable at muug.mb.ca
>> http://www.muug.mb.ca/mailman/listinfo/roundtable
>>
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>


-- 
Sean Walberg <sean at ertw.com>    http://ertw.com/
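As an added illustration of the "don't run ldd, read the headers" advice above (example code written for this thread, not anything posted by Sean, Adam or Trevor): the script below recovers the same two facts that objdump -p reports, the PT_INTERP loader path and the DT_NEEDED libraries, by parsing the ELF32 bytes directly, so nothing from the suspect file is ever mapped or executed. The PT_INTERP path is also what the kernel has to find at exec time, so it is the first thing to compare against a live-cd that refuses to run the binary. The sample image is constructed inline and is not the a.out from the thread.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3        # ELF32 program-header types
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5         # dynamic-section tags

def elf32_deps(data):
    """Return (interp, needed) from an ELF32 LSB image using byte parsing only."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<IIIHHH", data, 28)
    interp, loads, dyn = None, [], b""
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, _, p_filesz = struct.unpack_from("<5I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:      # path of the dynamic loader the kernel will exec
            interp = data[p_off:p_off + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_LOAD:      # needed to map DT_STRTAB's virtual address to a file offset
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = data[p_off:p_off + p_filesz]
    def to_off(va):
        for vaddr, off, size in loads:
            if vaddr <= va < vaddr + size:
                return off + (va - vaddr)
        raise ValueError("DT_STRTAB not covered by any PT_LOAD")
    tags = [struct.unpack_from("<iI", dyn, k) for k in range(0, len(dyn) - 7, 8)]
    strtab = next((to_off(v) for t, v in tags if t == DT_STRTAB), None)
    needed = []
    for t, v in tags:
        if t == DT_NULL:
            break
        if t == DT_NEEDED and strtab is not None:   # v is an offset into .dynstr
            needed.append(data[strtab + v:data.index(b"\0", strtab + v)].decode())
    return interp, needed

def build_sample_elf32():
    """Constructed sample: minimal ELF32 with PT_INTERP, PT_LOAD and a dynamic section (not runnable)."""
    base, interp = 0x08048000, b"/lib/ld-linux.so.2\0"
    strtab = b"\0libc.so.6\0libm.so.6\0"           # "libc.so.6" at 1, "libm.so.6" at 11
    interp_off = 52 + 3 * 32                        # ehdr + three phdrs
    strtab_off = interp_off + len(interp)
    dyn_off = (strtab_off + len(strtab) + 7) & ~7   # 8-byte aligned dynamic array
    dyn = struct.pack("<iIiIiIiI", DT_STRTAB, base + strtab_off, DT_NEEDED, 1, DT_NEEDED, 11, DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9       # ELFCLASS32, little-endian, version 1
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, base + interp_off, 52, 0, 0, 52, 32, 3, 40, 0, 0)
    ph = lambda t, off, sz: struct.pack("<8I", t, off, base + off, base + off, sz, sz, 5, 4)
    img = bytearray(total)
    img[:148] = ehdr + ph(PT_LOAD, 0, total) + ph(PT_INTERP, interp_off, len(interp)) + ph(PT_DYNAMIC, dyn_off, len(dyn))
    img[interp_off:strtab_off + len(strtab)] = interp + strtab
    img[dyn_off:total] = dyn
    return bytes(img)
```

On a real sample, read the file with `open(path, "rb").read()` and compare the interpreter path against what exists on the analysis machine.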