* Re: 2.4.18 fork & defunct child.
From: Keith Whyte @ 2003-11-18 0:26 UTC (permalink / raw)
To: Edgar Toernig, linux-kernel, linux-gcc, linux-admin
Edgar Toernig wrote:
{ strace listing deleted, see
http://marc.theaimsgroup.com/?l=linux-kernel&m=106905386725308&w=2 }
>That is not normal /bin/true behaviour. Sure your system
>isn't hacked? Give the -f option to ptrace to see what the
>forked process is trying to do... Compare the size of
>/bin/true with a known-good one.
>
>Ciao, ET.
>
I'm not sure. I should be running tripwire or something; this is the
only one of my systems that doesn't run such a thing, as I have the
firewall locked down and have been busy.
But it is true I accidentally did iptables -F and it was left that way for
a few days.
But this happens with any program, not just /bin/true; also the
/bin/true on the root and chroot systems are identical. And with much
interest I discovered that if I unmount /proc, the problem goes away. Aggh.
That is why it is not exhibiting itself in the chroot system - no /proc.
I also remember that when this first happened nearly a year ago, some
"unix engineer" at the ISP said, oh yeah, that's because something in the
ext2 filesystem header is corrupted.. I don't quite remember what he
said exactly, something that sounded so far fetched that I ignored it.
Does that ring any bells with anyone?
Please help, ug, I hate having a linux system that's not reliable. It feels
like having a pet that's in pain or something.
btw,
/lib/libc.so.6 -> libc-2.2.5.so
Keith
(I'm cross-posting here to gcc and admin in the hopes of finding someone
who has seen this, thanks!)
* Re: 2.4.18 fork & defunct child.
From: Maciej Zenczykowski @ 2003-11-18 1:00 UTC (permalink / raw)
To: Keith Whyte; +Cc: Edgar Toernig, linux-kernel, linux-gcc, linux-admin
> { strace listing deleted, see
> http://marc.theaimsgroup.com/?l=linux-kernel&m=106905386725308&w=2 }
Well, I strace'd my glibc 2.3.2 system's /bin/true and it doesn't fork and
doesn't open proc (first place the two straces differ). Maybe your
libraries have been hacked - seems the most likely to me - if this is
happening for all programs then the libc is likely bad...
I can't understand what it is opening /proc/.../exe for and I don't
understand what the ///////// in there is for (I think more than 2
consecutive slashes are illegal in POSIX, not sure though, never use more
than 2 :) )
On a side note /bin/true should take up somewhere like 10 bytes of asm code -
what the hell is that thing doing more than exit(1) for? It shouldn't open
any files at all... what a bad design (and true --help and true --version
don't work anyway... duh!)
Perhaps try ltrace'ing /bin/true and see what that prints out?
Cheers,
MaZe.
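The comparison Maciej describes doing by eye (strace a known-good /bin/true, strace the suspect one, find where they first differ) can be scripted. The Python below is an added example, not code from the thread: it parses two strace listings, reports the first syscall at which they diverge, and flags the two things the thread reports seeing in the bad trace, a fork() from a program that should never spawn a child and an open() of a /proc/.../exe path with repeated slashes. The two listings are constructed stand-ins (the original listing was deleted from the post); the exact addresses, descriptor numbers and pid are invented.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample listings (the thread's real strace output was deleted
# from the post). Layout follows strace's "syscall(args) = return" form.
BASELINE_TRACE = """\
execve("/bin/true", ["/bin/true"], [/* 20 vars */]) = 0
brk(0)                                  = 0x8049000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
close(3)                                = 0
_exit(0)                                = ?
"""

# Same prefix, then the extra /proc open with repeated slashes and the
# fork() that the thread reports on the affected system (constructed).
SUSPECT_TRACE = """\
execve("/bin/true", ["/bin/true"], [/* 20 vars */]) = 0
brk(0)                                  = 0x8049000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
close(3)                                = 0
open("/proc/self/////////exe", O_RDONLY) = 3
close(3)                                = 0
fork()                                  = 1234
_exit(0)                                = ?
"""

# Optional "[pid N]" prefix (strace -f), syscall name, argument text, return value.
LINE_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s+=\s+(.*)$')
QUOTED_RE = re.compile(r'"([^"]*)"')

SPAWN_CALLS = {"fork", "vfork", "clone"}
PATH_CALLS = {"open", "openat", "stat", "lstat", "readlink", "execve"}

Call = Tuple[str, str, str]  # (syscall name, argument text, return value)


def parse_trace(text: str) -> List[Call]:
    """Turn an strace listing into (name, args, ret) tuples; exit markers and signals are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((m.group(1), m.group(2), m.group(3)))
    return calls


def first_divergence(baseline: List[Call], suspect: List[Call]) -> Optional[int]:
    """Index of the first call whose syscall name differs (return values vary run to run)."""
    for i, (a, b) in enumerate(zip(baseline, suspect)):
        if a[0] != b[0]:
            return i
    if len(baseline) != len(suspect):
        return min(len(baseline), len(suspect))
    return None


def flag_suspicious(calls: List[Call], spawn_expected: bool = False) -> List[Dict[str, object]]:
    """Flag child creation and /proc access in a program that should do neither."""
    findings = []
    for i, (name, args, _ret) in enumerate(calls):
        reasons = []
        if name in SPAWN_CALLS and not spawn_expected:
            reasons.append("creates a child process")
        if name in PATH_CALLS:
            m = QUOTED_RE.search(args)
            path = m.group(1) if m else None
            if path and path.startswith("/proc/"):
                reasons.append("reads " + path)
            if path and "//" in path:
                reasons.append("path contains repeated slashes")
        if reasons:
            findings.append({"index": i, "syscall": name, "reasons": reasons})
    return findings


def report(baseline_text: str, suspect_text: str) -> None:
    base, susp = parse_trace(baseline_text), parse_trace(suspect_text)
    div = first_divergence(base, susp)
    if div is None:
        print("traces agree call-for-call")
    else:
        expected = base[div][0] if div < len(base) else "<end>"
        got = susp[div][0] if div < len(susp) else "<end>"
        print(f"first divergence at call {div}: expected {expected}, got {got}")
    for f in flag_suspicious(susp):
        print(f"  [{f['index']}] {f['syscall']}: {', '.join(f['reasons'])}")


if __name__ == "__main__":
    report(BASELINE_TRACE, SUSPECT_TRACE)
```

Comparing syscall names rather than whole lines is deliberate: addresses returned by brk(), descriptor numbers and pids legitimately differ between runs, so a line-for-line diff would report noise before the real divergence. The baseline trace has to come from a machine you trust; on the affected system every dynamically linked program, strace included, is loading the same libc.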
* solution: 2.4.18 fork & defunct child.
From: Keith Whyte @ 2003-11-20 2:42 UTC (permalink / raw)
To: linux-kernel, linux-gcc, linux-admin
Folks, thanks to everyone who helped me out with this. I just found the
file 982235016-gtkrc-429249277 in /tmp.
It kept reappearing as I tried to rm * -r in /tmp, and
a quick google search led me to find out where it came from.
A few weeks ago I installed a binary that I got from a friend's machine,
and I just checked his machine. It has the trojan also. That explains a
lot. It was a realserver binary (no longer available for d/l) and I ran
it once as root as it likes to listen on port 554, before I changed that
config and set up a user to run it. Aggh. So easy to let something slip
through. Never trust binaries... no matter where they come from.
Keith.
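Keith's first message says he should have been running tripwire, and the resolution (a replaced library, a file that keeps reappearing in /tmp) is exactly what a file-integrity baseline catches. As an added example, not part of the thread, the Python below builds a manifest of SHA-256 hashes, modes, owners and symlink targets for a directory tree, stores it as JSON, and reports added, removed and modified paths against it. demo() sets up a constructed tree in a temporary directory (stand-in bytes for /bin/true and libc, the libc.so.6 -> libc-2.2.5.so link from the thread, an empty tmp/), takes a baseline, then tampers with it the way the thread describes; the file contents and the etc/motd path are invented.

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List

Manifest = Dict[str, Dict[str, object]]


def file_record(path: str) -> Dict[str, object]:
    """Identity of one entry: mode, owner, size, plus hash (regular file) or target (symlink)."""
    st = os.lstat(path)
    rec: Dict[str, object] = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_manifest(root: str) -> Manifest:
    """Walk root without following symlinks; key every file and link by its relative path."""
    manifest: Manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_record(full)
    return manifest


def save_manifest(manifest: Manifest, path: str) -> None:
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path: str) -> Manifest:
    with open(path) as f:
        return json.load(f)


def compare(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Classify each path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it as in the thread."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def put(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        put("bin/true", b"\x7fELF constructed stand-in for /bin/true")
        put("lib/libc-2.2.5.so", b"\x7fELF constructed stand-in for libc")
        os.symlink("libc-2.2.5.so", os.path.join(root, "lib", "libc.so.6"))
        put("etc/motd", b"welcome\n")
        os.makedirs(os.path.join(root, "tmp"))
        manifest_path = os.path.join(store, "baseline.json")  # kept outside the tree
        save_manifest(build_manifest(root), manifest_path)
        # Tamper: libc replaced, the dropper file appears in tmp/, one file disappears.
        put("lib/libc-2.2.5.so", b"\x7fELF constructed stand-in for libc, plus extra code")
        put("tmp/982235016-gtkrc-429249277", b"constructed dropper payload")
        os.remove(os.path.join(root, "etc", "motd"))
        return compare(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind + ":", ", ".join(paths) or "-")
```

Two things make this useful rather than decorative. The baseline must be taken before the system is exposed and stored where the system cannot rewrite it (read-only media or another host), and the checker itself has to be trusted: on a box whose libc is suspect, a dynamically linked Python interpreter is reading files through that libc, so the real check is run from a statically linked tool or from a rescue system with the disk mounted read-only, which is the same "compare with a known-good one" advice Edgar gave at the top of the thread.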