[RndTbl] weird a.out in /var/log/httpd

Adam Thompson athompso at athompso.net
Mon Jan 5 17:56:36 CST 2015


1) Run it on a 32-bit livecd
2) ldd(1)
Otherwise, look at the elftools (or something like that) package to get more info about the binary.
Don't you run all your systems with SELinux?
-Adam

On January 5, 2015 5:33:35 PM CST, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>Uh oh.  Finding an a.out in your /var/log/httpd doesn't instill
>a warm fuzzy feeling.
>
>I have ~ 4k a.out there dated Oct 12, which unfortunately is just past
>my logrotate cutoff now, so I can't check access.log (drat) without
>hitting the (hard to hit) backups.
>
>file a.out 
>a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
>dynamically linked (uses shared libs), not stripped
>
>I fired up a live-cd linux with no disks or net attached to try to run
>it (I put it on a USB stick).  But when I do, *the shell* returns ENOENT
>and won't run.  I tried ./a.out.  I tried moving it to a fs that
>shouldn't be mounted noexec.  I tried strace a.out and strace ./a.out
>and strace shows only the exec attempt and the error print and quit.
>
>Huh?  How can I get this thing to run?
>
>Any way to see what it is doing?  Disassemble?  It is not stripped, so
>gdb?  How can I step-run it from the start (i.e. nothing executes until I
>step)?
>
>What else to do with this file?
>
>I'll see if I can dig up the access.log from that date and get more
>details.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
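
Added example, not part of the original thread: execve(2) returns ENOENT when the ELF interpreter named in a binary's PT_INTERP header does not exist, which is typical for a 32-bit dynamically linked file on a system without 32-bit libraries. This Python sketch reads that field and checks whether the path exists on the analysis host, parsing bytes only and never executing the file (ldd(1) may run the interpreter). The function names and the constructed sample image are assumptions for illustration.

```python
import os
import struct

PT_INTERP = 3
MACHINES = {3: "Intel 80386", 62: "x86-64"}  # small subset of e_machine values


def elf_interp(data):
    """Return class, machine and PT_INTERP path of an ELF image without running it."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    machine = struct.unpack_from(end + "H", data, 18)[0]
    if is64:                                # Elf64_Ehdr: e_phoff at 32
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:                                   # Elf32_Ehdr: e_phoff at 28
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    interp = None
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, base)[0] != PT_INTERP:
            continue
        # p_offset, p_vaddr, p_paddr, p_filesz are consecutive in both layouts
        if is64:
            off, _, _, size = struct.unpack_from(end + "4Q", data, base + 8)
        else:
            off, _, _, size = struct.unpack_from(end + "4I", data, base + 4)
        interp = data[off:off + size].split(b"\0")[0].decode("ascii", "replace")
    return {"bits": 64 if is64 else 32,
            "machine": MACHINES.get(machine, hex(machine)),
            "interp": interp,
            "interp_present": interp is not None and os.path.exists(interp)}


def sample_elf32():
    """Constructed 32-bit i386 image: ELF header, one PT_INTERP entry, the path."""
    path = b"/lib/ld-linux.so.2\0"
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 3, 1,
                       0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_INTERP, 84, 0, 0, len(path), len(path), 4, 1)
    return ehdr + phdr + path


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf32()
    print(elf_interp(data))
```

If `interp_present` is false on the machine where the exec failed, the missing loader explains the ENOENT.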