Errors running "UNIX-System V" ELF executables [I've been hacked!]
Boris Samorodov
bsam at ipt.ru
Sat Apr 14 18:40:27 UTC 2007
On Fri, 13 Apr 2007 14:51:18 -0600 Dan S. wrote:
> Hello to all,
> Hopefully someone can help me progress past a pair of "ELF Binary Type 0 not
> known" & "ELF Interpreter /compat/linux/lib/ld-linux.so.2 not found"
> errors.
Some steps may help you:
1. load linux.ko -- kernel part of linuxulator.
2. install linux base port (don't remember which one was with 4.6.x,
but try linux_base-8 then linux_base) -- user land part of
linuxulator;
3. brand the binary file (not a library or else!).
> Here is the background & problem, bullet point style:
> - I unfortunately had a hosted & jailed virtual server running FreeBSD
> 4.6.2 get broken into via a user account with a weak password. The intruder
> installed at least two binaries: /tmp/" "/miro (almost certainly a
> rootkit/backdoor) and /home/$hackeduser/" "/psybnc/psybnc (an IRC proxy).
> (Yes, this is a creaky old OS; I've been letting it sit
> dormant/mostly-unused and this is the price I pay for my lax sysadminning.)
> - The hosts were kind enough to provide me with a dump of the jailed server;
> I've now got a fairly minimal install of 4.6.2-RELEASE running under QEMU
> and, inside that, a jail for the image from the hosting providers.
> - The 'psybnc' binary definitely ran on the hosted virtual server; it
> creates a log file and its timestamp & contents were recent. I don't know if
> the 'miro' rootkit was successful or not. I'm crossing my fingers that it
> wasn't, and trying to investigate a bit what it does. "kldstat" on the
> hosted server didn't show any compatibility files up. (In particular, no '
> linux.ko'; I have loaded that module on the qemu version to see if I could
> get further.)
> - In my qemu FreeBSD, under the jail, neither program runs either as root or
> as the hacked user:
> - $HOME/" "/psybnc/psybnc ----> 'ELF binary type "0" not known.' (note:
> this is with 'linux.ko' loaded)
That means that this (linux?) file is not branded.
You may test it with 'brandelf <the_file>'. The (binary!) file should
be branded as 'Linux' to let the FreeBSD system run the file with
linuxulator:
# brandelf -t Linux <the_file>
> - /tmp/" "/miro ---> "ELF interpreter /compat/linux/lib/ld-
> linux.so.2 not found"
That means that the userland (the linux base port from ports) is not
installed.
> - /tmp/" "/miro, If I unload linux.ko : ----> 'ELF binary type "0" not
> known."
> - Oddly, both have the exact same (except for offsets) ELF headers:
> ----- readelf -h /tmp/" "/miro ---------
> ELF Header:
> Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
> Class: ELF32
> Data: 2's complement, little endian
> Version: 1 (current)
> OS/ABI: UNIX - System V
Should be 'UNIX - Linux' so that FreeBSD recognises it and runs it with
the linuxulator.
> ABI Version: 0
> Type: EXEC (Executable file)
> Machine: Intel 80386
> Version: 0x1
> Entry point address: 0x8048b10
> Start of program headers: 52 (bytes into file)
> Start of section headers: 16944 (bytes into file)
> Flags: 0x0
> Size of this header: 52 (bytes)
> Size of program headers: 32 (bytes)
> Number of program headers: 6
> Size of section headers: 40 (bytes)
> Number of section headers: 30
> Section header string table index: 27
> ----- readelf -h $HOME/" "/psybnc/psybnc ------
> ELF Header:
> Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
> Class: ELF32
> Data: 2's complement, little endian
> Version: 1 (current)
> OS/ABI: UNIX - System V
> ABI Version: 0
> Type: EXEC (Executable file)
> Machine: Intel 80386
> Version: 0x1
> Entry point address: 0x8048100
> Start of program headers: 52 (bytes into file)
> Start of section headers: 1295400 (bytes into file)
> Flags: 0x0
> Size of this header: 52 (bytes)
> Size of program headers: 32 (bytes)
> Number of program headers: 4
> Size of section headers: 40 (bytes)
> Number of section headers: 22
> Section header string table index: 21
> =======================
> Any advice on how to try and get these to run? I'm really hoping to find out
> if the system as a whole was compromised by the rootkit. The user account
> breakin isn't a huge deal but if more was compromised it will be quite bad.
> I'm also happy to send the rootkit/backdoor to anyone who wants to poke at
> it. It contains the string: ".-= Backdoor made by Mironov =-."
WBR
--
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve
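As an added illustration (not part of the original thread), the script below reads the two header fields the errors above are about without executing the suspect binary: the EI_OSABI byte at offset 7, which readelf prints as "OS/ABI" and which the kernel reports as the "type" in 'ELF binary type "0" not known' (brandelf -t Linux sets it to 3), and the PT_INTERP path that the linuxulator looks up under /compat/linux. The ELF image it parses is a constructed minimal sample, not either of the binaries from the thread.

```python
import struct

# EI_OSABI values relevant here (ELF spec): 0 = System V (unbranded), 3 = Linux, 9 = FreeBSD
OSABI_NAMES = {0: "UNIX - System V", 3: "UNIX - Linux", 9: "UNIX - FreeBSD"}
PT_INTERP = 3  # program header type carrying the dynamic loader path

def parse_elf32_header(data):
    """Return (osabi, e_type, e_machine, e_phoff, e_phentsize, e_phnum) of an LE ELF32 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian (as in the thread) is handled")
    osabi = data[7]  # e_ident[EI_OSABI]: the byte brandelf(1) rewrites
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
    return osabi, e_type, e_machine, e_phoff, e_phentsize, e_phnum

def find_interpreter(data):
    """Return the PT_INTERP path (resolved under /compat/linux by the linuxulator), or None."""
    _, _, _, phoff, phentsize, phnum = parse_elf32_header(data)
    for i in range(phnum):
        p_type, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from("<IIIII", data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].split(b"\0", 1)[0].decode()
    return None

def describe_brand(data):
    """Return (osabi byte, human-readable name) as readelf -h would show it."""
    osabi = parse_elf32_header(data)[0]
    return osabi, OSABI_NAMES.get(osabi, "unknown (%d)" % osabi)

def rebrand(data, osabi=3):
    """Return a copy with e_ident[EI_OSABI] set; on disk this is what `brandelf -t Linux` does."""
    out = bytearray(data)
    out[7] = osabi
    return bytes(out)

def build_sample():
    """Constructed minimal ELF32 image with one PT_INTERP segment (illustrative, not runnable code)."""
    interp = b"/lib/ld-linux.so.2\0"
    ehdr_size, phdr_size = 52, 32          # same sizes readelf reported in the thread
    ph_off = ehdr_size
    interp_off = ph_off + phdr_size
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELF32, LE, version 1, OSABI 0
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048B10, ph_off, 0, 0,
                                 ehdr_size, phdr_size, 1, 40, 0, 0)   # EXEC, Intel 80386
    phdr = struct.pack("<IIIIIIII", PT_INTERP, interp_off, 0, 0, len(interp), len(interp), 4, 1)
    return ehdr + phdr + interp
```

Run `describe_brand` and `find_interpreter` on a copy of a suspect file to see whether it is unbranded and which loader it expects before deciding what the linuxulator needs.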