
Re: Anyone seen /lib/libaux.so.1?

On 27/07/11 23:37, Roar � wrote:
> Hi
> I'm sure this lib does not originate from debian, but has anyone seen it
> in their system? (Found it in one of mine)
> It is loaded with ld.so.preload.
> Interesting finds with nm -D
> 00000d34 T accept
> 00000ded T read
> 00001188 B real_accept
> 00001184 B real_read
>          U execl
>          U exit
>          U fork
> And with strings:
> HISTFILE=/dev/null
> /bin/sh
> /bin/bash
> Md5sum 66be3040457da0b9b9ebe767ca6bd76f  /tmp/libaux.so.1
> I found no useful google hits for it, but I think I should have.
> Is this one known, presumably by some other name?
> Does anyone want it to look at?
Not on any of my systems - but I found 30 hits for it on the tubes,
mostly for Ubuntu, but some for avahi in Debian.


It could be part of a root kit...

How big is it?
Any interesting file times? Do they match retrieval times for any emails
with big obscured hexadecimal strings in them? Any recent downloads (or
attempts) from German sites in your logs after those times?
What happens if you change the HIST output to somewhere loggable and
reboot, (with network disconnected)? Try creating a file called suss in
/var, change the HIST output there (/var/suss)

Cheers (and good luck)

Supreme Court says pornography is anything without artistic merit that
causes sexual thoughts, that's their definition, essentially. No
artistic merit, causes sexual thoughts. Hmm... Sounds like...every
commercial on television, doesn't it? You know, when I see those two
twins on that Doublemint commercial? I'm not thinking of gum. I am
thinking of chewing, so maybe that's the connection they're trying to make.
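
The triage described in the thread (a library listed in ld.so.preload that exports its own `accept` and `read`, keeps `real_*` copies and imports `execl` and `fork`) can be scripted; this is an added example, not code from the thread. The watch lists and the function names `parse_nm`, `assess` and `preload_entries` are assumptions made for illustration.

```python
import re

# Assumed watch lists, not exhaustive: libc calls a preload library rarely has
# a benign reason to redefine, and imports that let it start a process.
WATCHED = {"accept", "read", "write", "open", "connect", "recv", "readdir"}
SPAWN = {"execl", "execv", "execve", "fork", "system", "popen"}

# Sample input: the `nm -D` lines quoted in the post above.
SAMPLE_NM = """\
00000d34 T accept
00000ded T read
00001188 B real_accept
00001184 B real_read
         U execl
         U exit
         U fork
"""

LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)\s*$")

def parse_nm(text):
    """Map symbol name -> nm type letter for each line of `nm -D` output."""
    symbols = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            symbols[m.group(2).split("@")[0]] = m.group(1)  # drop @VERSION
    return symbols

def assess(nm_text):
    """Flag exported libc overrides, saved originals and process-spawn imports."""
    syms = parse_nm(nm_text)
    exported = {n for n, t in syms.items() if t in "TW"}   # defined code
    imported = {n for n, t in syms.items() if t in "Uwv"}  # resolved elsewhere
    interposed = sorted(exported & WATCHED)
    # real_<name> beside an override follows the naming seen in the sample
    saved = sorted(n for n in interposed if "real_" + n in syms)
    spawns = sorted(imported & SPAWN)
    return {"interposed": interposed, "saved_originals": saved,
            "spawns": spawns, "suspicious": bool(interposed and spawns)}

def preload_entries(text):
    """Split ld.so.preload content: whitespace or ':' separated, '#' comments."""
    entries = []
    for line in text.splitlines():
        entries += re.split(r"[\s:]+", line.split("#", 1)[0].strip())
    return [e for e in entries if e]

if __name__ == "__main__":
    print(assess(SAMPLE_NM))
```

On a live system, feed `preload_entries` the contents of `/etc/ld.so.preload` and pass each listed library's `nm -D` output to `assess`.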
