12-16-2009, 10:12 PM
Werner Schram

gmonstart / jvregisterclasses in tons of binaries with commands, malware?

whereislibertyandjustice@Safe-mail.net wrote:
> In linux binaries, in any linux distro, I've discovered the same strings
> which I believe may be due to a virus or trojan.
>
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
>
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
>
>
> __gmon_start__
> _Jv_RegisterClasses
>
> Followed by commands which differ within each binary.
>
> If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
> include the above two strings followed by commands, after I run an update
> the updated binaries suddenly contain the above two strings and other, what
> I believe to be, rogue strings. I've avoided the possible infection with an
> OpenBSD install, yet all the Linux installations and burned ISOs contain
> binaries with the above two strings followed by commands.
>
> Search using find within your bin and sbin directories for those two strings
> and see how many positives you find. Now use a text editor like vi or gedit
> and search through the gibberish, locate these strings and isolate the
> commands, if any, which follow them. Searching for gmonstart, gmon,
> registerclasses, jv, etc. variations of works. If you find results in your
> binaries, please copy/paste the commands following the gmonstart and
> jvregisterclasses strings so I may compare them to mine.
>
> I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
> different physical locations and found some CDs contained these strings
> in the binaries and one or two rare ones did not, but when installed/updated
> on a network connection the binaries replaced in the update process would
> show these strings!! These strings are not alone by themselves in the
> binaries they follow with commands with a @ mark before each command.
>
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this knowledge
> comes as a surprise to them, too, when they search their binaries and find
> the same strings. I'm amazed by how quickly some rush to judgement and call
> you a paranoid for being curious about the files on your system. The strings
> may/may not be common, but in comparing commands which follow these strings
> I've noticed some which seem down right malicious!
>
> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?
>
>
$ cat test.c
#include <stdio.h>
int main() {
printf("hello world");
}
$ gcc test.c -o test
$ nm --undefined-only test
w _Jv_RegisterClasses
w __gmon_start__
U __libc_start_main@@GLIBC_2.2.5
U printf@@GLIBC_2.2.5

I'm pretty sure that this application does nothing more than print
"hello world" on my screen.

Those symbols are added by gcc. If you want to know why, I think you
will find more help at the gcc mailing list:
http://gcc.gnu.org/ml/gcc/

Werner

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
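
Added example, not part of the original post: a small decoder for ELF64 symbol-table entries that shows where the `w` and `U` letters in the nm output above come from. A symbol whose section index is SHN_UNDEF is only a reference by name, and STB_WEAK binding marks it as optional. The helper names and the sample tables are constructed for illustration and are not read from a real binary.

```python
import struct

# Constants from the ELF specification (elf.h).
SHN_UNDEF = 0                   # symbol is referenced here but defined elsewhere
STB_GLOBAL, STB_WEAK = 1, 2     # binding is the high nibble of st_info
# Elf64_Sym: st_name, st_info, st_other, st_shndx, st_value, st_size (24 bytes)
ELF64_SYM = struct.Struct("<IBBHQQ")


def undefined_symbols(symtab: bytes, strtab: bytes):
    """Return [(nm_letter, name)] for undefined symbols in a little-endian ELF64 table."""
    found = []
    usable = len(symtab) - len(symtab) % ELF64_SYM.size  # ignore a truncated tail
    for off in range(0, usable, ELF64_SYM.size):
        st_name, st_info, _other, st_shndx, _value, _size = ELF64_SYM.unpack_from(symtab, off)
        if st_name == 0 or st_shndx != SHN_UNDEF:
            continue  # null entry, unnamed symbol, or symbol defined in this file
        end = strtab.find(b"\0", st_name)
        if st_name >= len(strtab) or end < 0:
            continue  # name offset points outside the string table: malformed entry
        name = strtab[st_name:end].decode("ascii", "replace")
        # nm prints 'w' for a weak undefined reference and 'U' for a required one.
        found.append(("w" if st_info >> 4 == STB_WEAK else "U", name))
    return found


def build_sample():
    """Constructed tables mirroring the nm output in the post (version suffixes omitted)."""
    entries = [("", 0, 0),                                # mandatory null entry
               ("_Jv_RegisterClasses", STB_WEAK, SHN_UNDEF),
               ("__gmon_start__", STB_WEAK, SHN_UNDEF),
               ("__libc_start_main", STB_GLOBAL, SHN_UNDEF),
               ("printf", STB_GLOBAL, SHN_UNDEF),
               ("main", STB_GLOBAL, 13)]                  # defined symbol, must be skipped
    strtab, symtab = b"\0", b""
    for name, bind, shndx in entries:
        idx = len(strtab) if name else 0
        if name:
            strtab += name.encode() + b"\0"
        # Type nibble left as STT_NOTYPE (0) for brevity; only binding matters here.
        symtab += ELF64_SYM.pack(idx, bind << 4, 0, shndx, 0, 0)
    return symtab, strtab


if __name__ == "__main__":
    for letter, name in undefined_symbols(*build_sample()):
        print(letter, name)
```

The two weak entries are name references stored in the string table, which is why `strings` shows them as plain text next to other symbol names.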