
Bug#199653: debian bugs 199653 and 206187



We originally found that we got this while updating:
Perl complaining "Can't ignore signal CHLD, forcing to default"

After trying a few different shells and subshells as described on the
group, we started writing pieces of code to decipher this.  gzip turned
out to be the key.

When running this code:
#include <signal.h>
#include <stdio.h>

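/*
 * Minimal reproducer: install SIG_IGN for SIGINT via sigaction() and exit.
 * The only thing of interest is the resulting strace line
 * (rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8)); anything that appears
 * before it in the trace was not issued by this program.
 *
 * Returns 0 on success, 1 if sigaction() fails (errno is printed).
 */
int main(int argc, char *argv[]) {
  (void)argc;
  (void)argv;

  /* Zero-initialise both structs: the original left sa_mask and sa_flags
   * uninitialised, so the kernel received stack garbage as the flags and
   * the trace could differ from run to run for reasons unrelated to the
   * system under investigation. */
  struct sigaction new_action = {0};
  struct sigaction old_action = {0};

  new_action.sa_handler = SIG_IGN;
  sigemptyset(&new_action.sa_mask);

  /* sigaction() fills old_action itself; no need to pre-set SIG_DFL. */
  if (sigaction(SIGINT, &new_action, &old_action) == -1) {
    perror("sigaction");
    return 1;
  }
  return 0;
}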

The strace should be as follows (known good system) as both a user and
root:
execve("./mike-sigaction", ["./mike-sigaction"], [/* 16 vars */]) = 0
uname({sys="Linux", node="bard", ...})  = 0
brk(0)                                  = 0x80495dc
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=20735, ...}) = 0
old_mmap(NULL, 20735, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=1244004, ...}) = 0
old_mmap(NULL, 1254244, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x4001e000
old_mmap(0x40146000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x127000) = 0x40146000
old_mmap(0x4014e000, 9060, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014e000
close(3)
munmap(0x40018000, 20735)               = 0
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
exit_group(0)

Instead, we got this as a local user:
execve("./mike-sigaction", ["./mike-sigaction"], [/* 13 vars */]) = 0
uname({sys="Linux", node="capitalzero.net", ...}) = 0
brk(0)                                  = 0x8049678
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=20017, ...}) = 0
old_mmap(NULL, 20017, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=1243856, ...}) = 0
old_mmap(NULL, 1254020, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x4001d000
old_mmap(0x40145000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x127000) = 0x40145000
old_mmap(0x4014d000, 8836, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014d000
close(3)                                = 0
munmap(0x40018000, 20017)               = 0
fork()                                  = 919
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
semget(IPC_PRIVATE, 0, 0)               = -1 ENOSYS (Function not
implemented)
_exit(0)                                = ?

Notice the fork and the semget near the bottom.  As root it becomes
clearer: the open of /proc/9278/exe, the read at offset 16586, the
signal(SIGCHLD, SIG_IGN), and the pipe/fork all happen before the
program's own rt_sigaction call, so they come from code that runs before
main, and the ignored SIGCHLD matches the Perl complaint above:
uname({sys="Linux", node="capitalzero.net", ...}) = 0
brk(0)                                  = 0x8049678
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=20017, ...}) = 0
old_mmap(NULL, 20017, PROT_READ, MAP_PRIVATE, 5, 0) = 0x40018000
close(5)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/lib/libc.so.6", O_RDONLY)        = 5
read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"...,
512) = 512
fstat64(5, {st_mode=S_IFREG|0644, st_size=1243856, ...}) = 0
old_mmap(NULL, 1254020, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) =
0x4001d000
old_mmap(0x40145000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
5, 0x127000) = 0x40145000
old_mmap(0x4014d000, 8836, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014d000
close(5)                                = 0
munmap(0x40018000, 20017)               = 0
open("/proc/uptime", O_RDONLY)          = 5
read(5, "11928.65 3908.37\n", 128)      = 17       
close(5)                                = 0
getpid()                                = 9278
getpid()                                = 9278
open("/proc/9278/exe", O_RDONLY)        = 5
read(5, "\177ELF\1\1\1\0\0\0\2\0\312@\0\0\2\0\3\0\1\0\0\0T\205\4"...,
52) = 52
lseek(5, 16586, SEEK_SET)               = 16586
fstat(5, {st_mode=S_IFREG|0755, st_size=21249, ...}) = 0
brk(0)                                  = 0x8049678
brk(0x804a8af)                          = 0x804a8af
read(5, "\351\337\21\0\0\215v\0U\211\345\213D$\10\315\200\311\303"...,
4663) = 4663
close(5)                                = 0
signal(SIGCHLD, SIG_IGN)                = 0 (SIG_DFL)
getpid()                                = 9278
pipe([5, 6])                            = 0
fork()                                  = 9281
--- SIGCHLD (Child exited) ---
read(5, "\376", 1)                      = 1
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
semget(IPC_PRIVATE, 0, 0)               = -1 ENOSYS (Function not
implemented)
_exit(0)                                = ?

Also, /bin/gzip's timestamp changes constantly, and stripping /bin/gzip
causes the file to increase in size continually.  It looks like it's
appending its own code over and over.  Reinstalling gzip results in the
new gzip binary being modified again immediately.

dd bs=1 skip=49320 if=gzip of=tmp.gzip will show the appended code. 
Interestingly a portion of the hexdump matches the hexdump from
mydoom.a.  http://www.css-auth.com/mydoom.a/ has information on that and
the hexdump is available as a link off that page.  The code matches up
at around 0002070.  Look for 0000 0000 3096 7707 612c ee0e 51ba 9909. 
Our hex dump is at http://www.crackfiend.org/hack/trojan/ in the
appended-code.hex file.  It matches around 0000600.  I'm not sure what
significance this has, but it's certainly strange.  Possibly just a
payload.

Also, there's a socket open.  UDP port 3049 in our case.

So this seems to be a rootkit, not a bug.  I would suggest that anyone
with this issue check into it.

Please email if you have any questions.

Mike Nugent <wildcard@illuminatus.org>
Pete Lypkie <plypkie@sfu.ca>

-- 
Mike Nugent
Programmer/Author/Unix Expert
mike@illuminatus.org
"I believe the use of noise to make music will increase
until we reach a music produced through the aid of
electrical instruments which will make available for
musical purposes any and all sounds that can be heard."
 -- composer John Cage, 1937


