We originally found that we got this while updating: Perl complaining

    Can't ignore signal CHLD, forcing to default

After trying a few different shells and subshells as described on the group, we started writing pieces of code to decipher this. gzip turned out to be the key.

When running this code:

#include <signal.h>

int main(int argc, char *argv[])
{
    struct sigaction old_action, new_action;

    /* Ignore SIGINT and save the previous disposition in old_action.
     * sa_mask and sa_flags are initialised so the kernel does not see
     * whatever happened to be on the stack. */
    new_action.sa_handler = SIG_IGN;
    sigemptyset(&new_action.sa_mask);
    new_action.sa_flags = 0;
    old_action.sa_handler = SIG_DFL;
    sigaction(SIGINT, &new_action, &old_action);
    return 0;
}

The strace should be as follows (known good system) as both a user and root:

execve("./mike-sigaction", ["./mike-sigaction"], [/* 16 vars */]) = 0
uname({sys="Linux", node="bard", ...}) = 0
brk(0) = 0x80495dc
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=20735, ...}) = 0
old_mmap(NULL, 20735, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=1244004, ...}) = 0
old_mmap(NULL, 1254244, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4001e000
old_mmap(0x40146000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x127000) = 0x40146000
old_mmap(0x4014e000, 9060, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014e000
close(3)
munmap(0x40018000, 20735) = 0
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
exit_group(0)

Instead, we got this as a local user:

execve("./mike-sigaction", ["./mike-sigaction"], [/* 13 vars */]) = 0
uname({sys="Linux", node="capitalzero.net", ...}) = 0
brk(0) = 0x8049678
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=20017, ...}) = 0
old_mmap(NULL, 20017, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=1243856, ...}) = 0
old_mmap(NULL, 1254020, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4001d000
old_mmap(0x40145000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x127000) = 0x40145000
old_mmap(0x4014d000, 8836, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014d000
close(3) = 0
munmap(0x40018000, 20017) = 0
fork() = 919
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
semget(IPC_PRIVATE, 0, 0) = -1 ENOSYS (Function not implemented)
_exit(0) = ?

Notice the fork and the semget near the bottom.
As root it becomes more clear:

uname({sys="Linux", node="capitalzero.net", ...}) = 0
brk(0) = 0x8049678
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=20017, ...}) = 0
old_mmap(NULL, 20017, PROT_READ, MAP_PRIVATE, 5, 0) = 0x40018000
close(5) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 5
read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"..., 512) = 512
fstat64(5, {st_mode=S_IFREG|0644, st_size=1243856, ...}) = 0
old_mmap(NULL, 1254020, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x4001d000
old_mmap(0x40145000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x127000) = 0x40145000
old_mmap(0x4014d000, 8836, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014d000
close(5) = 0
munmap(0x40018000, 20017) = 0
open("/proc/uptime", O_RDONLY) = 5
read(5, "11928.65 3908.37\n", 128) = 17
close(5) = 0
getpid() = 9278
getpid() = 9278
open("/proc/9278/exe", O_RDONLY) = 5
read(5, "\177ELF\1\1\1\0\0\0\2\0\312@\0\0\2\0\3\0\1\0\0\0T\205\4"..., 52) = 52
lseek(5, 16586, SEEK_SET) = 16586
fstat(5, {st_mode=S_IFREG|0755, st_size=21249, ...}) = 0
brk(0) = 0x8049678
brk(0x804a8af) = 0x804a8af
read(5, "\351\337\21\0\0\215v\0U\211\345\213D$\10\315\200\311\303"..., 4663) = 4663
close(5) = 0
signal(SIGCHLD, SIG_IGN) = 0 (SIG_DFL)
getpid() = 9278
pipe([5, 6]) = 0
fork() = 9281
--- SIGCHLD (Child exited) ---
read(5, "\376", 1) = 1
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
semget(IPC_PRIVATE, 0, 0) = -1 ENOSYS (Function not implemented)
_exit(0) = ?

Also, /bin/gzip's timestamp changes constantly, and stripping /bin/gzip causes the file to increase in size continually. It looks like it's appending its own code over and over. Reinstalling gzip causes the gzip to be updated immediately.

    dd bs=1 skip=49320 if=gzip of=tmp.gzip

will show the appended code. Interestingly, a portion of the hexdump matches the hexdump from mydoom.a. http://www.css-auth.com/mydoom.a/ has information on that, and the hexdump is available as a link off that page. The code matches up at around 0002070. Look for 0000 0000 3096 7707 612c ee0e 51ba 9909. Our hex dump is at http://www.crackfiend.org/hack/trojan/ in the appended-code.hex file. It matches around 0000600. I'm not sure what significance this has, but it's certainly strange. Possibly just a payload.

Also, there's a socket open. UDP port 3049 in our case. So this seems to be a rootkit, not a bug. I would suggest that anyone with this issue check into it. Please email if you have any questions.

Mike Nugent <wildcard@illuminatus.org>
Pete Lypkie <plypkie@sfu.ca>

--
Mike Nugent
Programmer/Author/Unix Expert
mike@illuminatus.org

"I believe the use of noise to make music will increase until we reach a music produced through the aid of electrical instruments which will make available for musical purposes any and all sounds that can be heard." -- composer John Cage, 1937
Attachment:
signature.asc
Description: This is a digitally signed message part
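The check the mail above does by eye (trace the same trivial sigaction program on a clean box and on the suspect box, then look for calls that should not be there) can be done mechanically. The following is an added example and not code from the original message: it parses strace output, charges every syscall and signal line in the suspect trace against the count seen in the known-good trace, and reports what is left over. BASELINE and SUSPECT are constructed, shortened subsets of the traces quoted in the mail; the loader preamble both runs share is cut down for brevity. The set of calls compared by first argument (ARG_CALLS) is this example's own choice.

```python
"""Diff a suspect strace log against a known-good one (added example).

Calls are matched by name, and for path- and signal-taking calls also by
first argument, so fd numbers, addresses and hostnames that differ between
machines do not produce noise while open("/proc/9278/exe") still stands out.
"""
import re
import sys
from collections import Counter

SYSCALL_RE = re.compile(r"^(\w+)\(([^,)]*)")   # call name and first argument
SIGNAL_RE = re.compile(r"^--- (\w+) ")         # e.g. "--- SIGCHLD (Child exited) ---"

# Calls whose first argument is meaningful across machines (assumption of
# this example): paths and signal names. Everything else is keyed by name.
ARG_CALLS = {"execve", "open", "access", "signal", "rt_sigaction", "semget"}


def parse_events(trace):
    """Yield (kind, name, first_arg) for every syscall or signal line."""
    for line in trace.splitlines():
        line = line.strip()
        m = SYSCALL_RE.match(line)
        if m:
            yield ("syscall", m.group(1), m.group(2).strip())
            continue
        m = SIGNAL_RE.match(line)
        if m:
            yield ("signal", m.group(1), "")


def _key(event):
    kind, name, first = event
    if kind == "syscall" and name not in ARG_CALLS:
        return (kind, name)
    return (kind, name, first)


def unexpected_events(baseline, suspect):
    """Events in `suspect` the baseline does not account for, in trace order.
    Each baseline occurrence cancels one suspect occurrence, so an extra
    read() or close() is reported as well as calls never seen at all."""
    budget = Counter(_key(ev) for ev in parse_events(baseline))
    extra = []
    for ev in parse_events(suspect):
        k = _key(ev)
        if budget[k] > 0:
            budget[k] -= 1
        else:
            extra.append(ev)
    return extra


# Constructed sample: shortened from the clean user run quoted in the mail.
BASELINE = r"""
execve("./mike-sigaction", ["./mike-sigaction"], [/* 16 vars */]) = 0
uname({sys="Linux", node="bard", ...}) = 0
brk(0) = 0x80495dc
open("/etc/ld.so.cache", O_RDONLY) = 3
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
close(3)
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
exit_group(0)
""".strip()

# Constructed sample: shortened from the root run on the infected box.
SUSPECT = r"""
execve("./mike-sigaction", ["./mike-sigaction"], [/* 13 vars */]) = 0
uname({sys="Linux", node="capitalzero.net", ...}) = 0
brk(0) = 0x8049678
open("/etc/ld.so.cache", O_RDONLY) = 5
close(5) = 0
open("/lib/libc.so.6", O_RDONLY) = 5
read(5, "\177ELF\1\1\1\0"..., 512) = 512
close(5) = 0
open("/proc/uptime", O_RDONLY) = 5
read(5, "11928.65 3908.37\n", 128) = 17
close(5) = 0
getpid() = 9278
open("/proc/9278/exe", O_RDONLY) = 5
lseek(5, 16586, SEEK_SET) = 16586
read(5, "\351\337\21\0"..., 4663) = 4663
close(5) = 0
signal(SIGCHLD, SIG_IGN) = 0 (SIG_DFL)
pipe([5, 6]) = 0
fork() = 9281
--- SIGCHLD (Child exited) ---
rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
semget(IPC_PRIVATE, 0, 0) = -1 ENOSYS (Function not implemented)
_exit(0) = ?
""".strip()


if __name__ == "__main__":
    # Usage: strace-diff.py clean.strace suspect.strace (defaults to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            extra = unexpected_events(a.read(), b.read())
    else:
        extra = unexpected_events(BASELINE, SUSPECT)
    for kind, name, first in extra:
        print(f"{kind}: {name}({first})" if kind == "syscall" else f"{kind}: {name}")
    sys.exit(1 if extra else 0)
```

Run it with `strace -o clean.strace ./mike-sigaction` on a trusted machine and `strace -o suspect.strace ./mike-sigaction` on the one under investigation; an exit status of 1 means the suspect run made calls the clean run did not. Counting occurrences rather than just names matters here: the infected run's extra read() and close() calls are the payload reading its own executable, and a name-only comparison would hide them.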
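The root trace shows the infected binary opening /proc/9278/exe, seeking to 16586 and reading 4663 bytes, which is exactly the tail of a 21249-byte file; the mail then extracts the gzip payload with a dd offset found by hand. The following is an added example, not code from the original message or from any of the tools it names: it parses the ELF header, program headers and section headers to compute how far the legitimate image reaches, and returns whatever has been appended past that point, so the dd offset is derived rather than guessed. build_sample_elf32() produces a hand-constructed test input, not a real executable; its addresses and sizes are illustrative.

```python
"""Find bytes appended past the end of an ELF image (added example).

A clean binary has no file bytes beyond its last section, segment or
header table. Anything after that point is an overlay that the loader
never maps, which is where the trojaned gzip described above keeps the
code it reads back out of /proc/<pid>/exe.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8   # .bss-style sections occupy no bytes in the file


def declared_size(data):
    """Highest file offset referenced by the ELF header, the program and
    section header tables, segment contents and section contents."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"  # EI_DATA:  1 = LSB,   2 = MSB
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    fmt = endian + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    h = struct.unpack_from(fmt, data, 16)
    e_phoff, e_shoff, e_ehsize = h[4], h[5], h[7]
    e_phentsize, e_phnum, e_shentsize, e_shnum = h[8], h[9], h[10], h[11]
    end = e_ehsize
    # Program headers: ELF64 is p_type p_flags p_offset p_vaddr p_paddr
    # p_filesz ...; ELF32 is p_type p_offset p_vaddr p_paddr p_filesz ...
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            _, _, p_offset, _, _, p_filesz = struct.unpack_from(endian + "IIQQQQ", data, off)
        else:
            _, p_offset, _, _, p_filesz = struct.unpack_from(endian + "IIIII", data, off)
        end = max(end, off + e_phentsize, p_offset + p_filesz)
    # Section headers: sh_name sh_type sh_flags sh_addr sh_offset sh_size ...
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        fmt = endian + ("IIQQQQ" if is64 else "IIIIII")
        _, sh_type, _, _, sh_offset, sh_size = struct.unpack_from(fmt, data, off)
        end = max(end, off + e_shentsize)
        if sh_type != SHT_NOBITS:
            end = max(end, sh_offset + sh_size)
    return end


def overlay(data):
    """Bytes appended after the ELF's declared extent; b'' for a clean file."""
    return data[declared_size(data):]


def build_sample_elf32(text, appended=b""):
    """Hand-built minimal ELF32 for testing (constructed, not a real binary):
    header, one PT_LOAD segment covering header and text, the text bytes,
    then a section table with a null entry and one .text entry, then any
    appended overlay."""
    ehsize, phentsize, shentsize = 52, 32, 40
    phoff = ehsize
    text_off = phoff + phentsize
    shoff = text_off + len(text)                  # section table follows .text
    base = 0x08048000                             # illustrative load address
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)   # ELF32, LSB, v1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, base + text_off,
                               phoff, shoff, 0, ehsize, phentsize, 1,
                               shentsize, 2, 0)
    phdr = struct.pack("<IIIIIIII", 1, 0, base, base, text_off + len(text),
                       text_off + len(text), 5, 0x1000)
    null_sh = bytes(shentsize)
    text_sh = struct.pack("<IIIIIIIIII", 0, 1, 6, base + text_off, text_off,
                          len(text), 0, 0, 4, 0)
    return ehdr + phdr + text + null_sh + text_sh + appended


if __name__ == "__main__":
    # Usage: elf-overlay.py /bin/gzip [more files]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        start = declared_size(data)
        print(f"{path}: ELF structures end at {start}, file is {len(data)} bytes, "
              f"{len(data) - start} appended byte(s)")
```

The offset it prints is the value to hand to `dd bs=1 skip=...`, and `overlay()` returns the same bytes directly for hashing or a hexdump comparison. Two caveats a practitioner should keep in mind: a fully stripped binary with no section table (e_shnum of 0) is measured by its segments alone, which can legitimately end before the file does on some toolchains, and self-extracting or packed executables intentionally carry data past the ELF, so a non-empty overlay is a lead to examine, not proof on its own.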