rootkit woes

I just found that my home router (hey, it wasn't set up by me, I swear) has been infected with the zk rootkit. While I still can, I'm poking around on it to see what its symptoms look like.

The attacker left psybnc (an IRC bouncer) and something called 'mesh' running. What could 'mesh' be?

Here's `strace cat -h` on a clean system:
Code:
hostname:~# strace cat -h
execve("/bin/cat", ["cat", "-h"], [/* 20 vars */]) = 0
uname({sys="Linux", node="hostname", ...}) = 0
brk(0)                                  = 0x804b048
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=19456, ...}) = 0
old_mmap(NULL, 19456, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40014000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\30\222"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=1153784, ...}) = 0
old_mmap(NULL, 1166560, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40019000
mprotect(0x4012c000, 40160, PROT_NONE)  = 0
old_mmap(0x4012c000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x113000) = 0x4012c000
old_mmap(0x40132000, 15584, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40132000
close(3)                                = 0
munmap(0x40014000, 19456)               = 0
brk(0)                                  = 0x804b048
brk(0x804b070)                          = 0x804b070
brk(0x804c000)                          = 0x804c000
write(2, "cat: invalid option -- h\n", 25cat: invalid option -- h
) = 25
write(2, "Try `cat --help\' for more inform"..., 39Try `cat --help' for more information.
) = 39
_exit(1)                                = ?
And here's `strace cat -h` on the infected system:
Code:
execve("/bin/cat", ["cat", "-h"], [/* 20 vars */]) = 0
uname({sys="Linux", node="debian", ...}) = 0
brk(0)                                  = 0x804cd6c
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=17947, ...}) = 0
old_mmap(NULL, 17947, PROT_READ, MAP_PRIVATE, 5, 0) = 0x40018000
close(5)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 5
read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"..., 512) = 512
fstat64(5, {st_mode=S_IFREG|0644, st_size=1244004, ...}) = 0
old_mmap(NULL, 1254244, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x4001d000
old_mmap(0x40145000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x127000) = 0x40145000
old_mmap(0x4014d000, 9060, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014d000
close(5)                                = 0
munmap(0x40018000, 17947)               = 0
open("/proc/uptime", O_RDONLY)          = 5
read(5, "7006730.55 6837114.24\n", 128) = 22
close(5)                                = 0
getpid()                                = 8076
getpid()                                = 8076
open("/proc/8076/exe", O_RDONLY)        = 5
read(5, "\177ELF\1\1\1\0\0\0\2\0xP\0\0\2\0\3\0\1\0\0\0-\272\4\010"..., 52) = 52
lseek(5, 20600, SEEK_SET)               = 20600
fstat(5, {st_mode=S_IFREG|0755, st_size=25263, ...}) = 0
brk(0)                                  = 0x804cd6c
brk(0x804dfa3)                          = 0x804dfa3
read(5, "\351\337\21\0\0\215v\0U\211\345\213D$\10\315\200\311\303"..., 4663) = 4663
close(5)                                = 0
signal(SIGCHLD, SIG_IGN)                = 0x1 (SIG_IGN)
getpid()                                = 8076
pipe([5, 6])                            = 0
fork()                                  = 8077
--- SIGCHLD (Child exited) ---
read(5, "\376", 1)                      = 1
brk(0)                                  = 0x804dfa3
brk(0x806efa3)                          = 0x806efa3
brk(0)                                  = 0x806efa3
brk(0x806f000)                          = 0x806f000
write(2, "cat: invalid option -- h\n", 25cat: invalid option -- h
) = 25
write(2, "Try `cat --help\' for more inform"..., 39Try `cat --help' for more information.
) = 39
semget(1, 0, 0)                         = -1 ENOSYS (Function not implemented)
_exit(1)                                = ?
Notice that SIGCHLD? It is delivered right after the fork(): the child (pid 8077) exits almost immediately, and the parent then reads a single byte from the pipe it created just before forking. What precedes it is more telling. This /bin/cat opens /proc/uptime, opens its own image via /proc/8076/exe, reads the 52-byte ELF header, seeks to offset 20600 and reads 4663 bytes (with an st_size of 25263 that chunk sits at the tail of the binary), sets SIGCHLD to SIG_IGN, forks, and only then gets on with being cat. A stock cat does none of this, so the binary itself looks trojaned (extra code appended to or wrapped around the real cat) rather than execve() being hooked; hooking execve() in the kernel would not by itself make the cat process issue these extra open/read/fork calls from user space. The libc size/mode differences, the missing mprotect and the /etc/ld.so.nohwcap checks are almost certainly just a different glibc build and not part of this. I can't tell from this trace what the forked child does, or what the semget(1, 0, 0) at the end is for (ENOSYS only says this kernel doesn't implement it). Two cheap checks: compare /bin/cat and the rest of coreutils against the package hashes with debsums (the node name says debian); and note that the loader gets fd 5 here instead of fd 3 as on the clean box, which suggests two descriptors are already open when cat starts, so `ls -l /proc/<pid>/fd` of a running cat would show what they are. Keep in mind that on a rooted box nothing the box itself reports (strace included) can be fully trusted, and once you have gathered what you want from it, the only safe fix is a reinstall from clean media.

 

 

 

 
