Don't run ldd on a binary you don't trust [1]. I think the safer way is objdump -p a.out | grep NEEDED.
Did you try "strings" to see what's in there? "nm" and "objdump" might give some more info on the method names especially since it's been stripped.
Also, just for kicks, do an "lsof | grep deleted" to see if any processes have some old files open that you can grab out of proc that the exploit tried to delete but was held open.
[1] http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
Sean
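To see what "objdump -p | grep NEEDED" reports without a loader ever touching the file, here is an added example (not part of this thread, and not anyone's tool) that reads the DT_NEEDED entries straight out of the ELF bytes: it walks the program headers to the PT_DYNAMIC segment, translates DT_STRTAB through the PT_LOAD that maps it, and handles both 32-bit and 64-bit images. The function names elf_needed and sample_elf32, and the minimal i386 image sample_elf32 builds (with made-up library names), are constructed for this demonstration.

```python
import struct

PT_LOAD, PT_DYNAMIC, DT_NULL, DT_NEEDED, DT_STRTAB = 1, 2, 0, 1, 5

def elf_needed(data: bytes) -> list:
    """DT_NEEDED names parsed from the file bytes alone: nothing is mapped or executed."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = (data[4] == 2), ("<" if data[5] == 1 else ">")   # EI_CLASS, EI_DATA
    fmt_eh, fmt_ph, fmt_dyn = (("HHIQQQIHHHHHH", "IIQQQQQQ", "qQ") if is64
                               else ("HHIIIIIHHHHHH", "IIIIIIII", "iI"))
    eh = struct.unpack_from(end + fmt_eh, data, 16)      # eh[4]=e_phoff, [8]=e_phentsize, [9]=e_phnum
    loads, dynamic = [], None
    for i in range(eh[9]):                               # walk the program headers
        ph = struct.unpack_from(end + fmt_ph, data, eh[4] + i * eh[8])
        p_type, p_off, p_va, p_sz = (ph[0], ph[2], ph[3], ph[5]) if is64 else (ph[0], ph[1], ph[2], ph[4])
        if p_type == PT_LOAD:
            loads.append((p_va, p_off, p_sz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_sz)
    if dynamic is None:
        return []                                        # statically linked: no libraries to list
    needed, strtab_va = [], None
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], struct.calcsize(end + fmt_dyn)):
        tag, val = struct.unpack_from(end + fmt_dyn, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag == DT_STRTAB:
            strtab_va = val
    # DT_STRTAB is a virtual address; turn it into a file offset via the PT_LOAD that maps it
    strtab = next((strtab_va - va + off for va, off, sz in loads
                   if strtab_va is not None and va <= strtab_va < va + sz), None)
    if strtab is None:
        raise ValueError("DT_STRTAB missing or outside every PT_LOAD segment")
    return [data[strtab + i:data.index(b"\0", strtab + i)].decode("ascii", "replace") for i in needed]

def sample_elf32() -> bytes:
    """Constructed minimal 32-bit LSB i386 ELF (not a runnable program) naming two libraries."""
    base, strtab = 0x08048000, b"\0libc.so.6\0libcrypto.so.1.0.0\0"
    str_off = 52 + 2 * 32                                # string table follows ehdr + 2 phdrs
    dyn_off = str_off + len(strtab)
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in
                   [(DT_NEEDED, 1), (DT_STRTAB, base + str_off), (DT_NEEDED, 11), (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, base, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    ph_load = struct.pack("<IIIIIIII", PT_LOAD, 0, base, base, total, total, 5, 0x1000)
    ph_dyn = struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 6, 4)
    return ehdr + ph_load + ph_dyn + strtab + dyn
```

On a real sample, call elf_needed(open(path, "rb").read()); the file is only read, so it works just as well on a 64-bit host or from a live CD with the suspect disk mounted read-only.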
On Mon, Jan 5, 2015 at 5:56 PM, Adam Thompson athompso@athompso.net wrote:
- Run it on a 32-bit livecd
- ldd(1)
Otherwise, look at the elftools (or something like that) package to get more info about the binary. Don't you run all your systems with selinux? -Adam
On January 5, 2015 5:33:35 PM CST, Trevor Cordes trevor@tecnopolis.ca wrote:
Uh oh. Finding an a.out in your /var/log/httpd doesn't instill a warm fuzzy feeling.
I have a ~4k a.out there dated Oct 12, which unfortunately is just past my logrotate cutoff now, so I can't check access.log (drat) without hitting the (hard to hit) backups.
file a.out
a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
I fired up a live-cd linux with no disks or net attached to try to run it (I put it on a usb stick). But when I do *the shell* returns ENOENT and won't run. I tried ./a.out. I tried moving it to a fs that shouldn't be mounted noexec. I tried strace a.out and strace ./a.out and strace shows only the exec attempt and the error print and quit.
Huh? How can I get this thing to run?
Any way to see what it is doing? Disassemble? It is not stripped, so gdb? How can I step-run it from the start (i.e. nothing executes until I step)?
What else to do with this file?
I'll see if I can dig up the access.log from that date and get more details.
Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.