[ubuntu] a.out executable in home directory - has bash strings



enlar
January 30th, 2013, 09:49 AM
Hi all,

Today I noticed an a.out executable file in my user home directory. I checked it with ghex and it has bash strings. Its size is a bit less than /bin/bash, and the BuildID as reported by 'file' is the same for both files.

File date is 2013-01-23, and I'm sure I haven't compiled bash in this machine ever :)

dpkg -S a.out only reports header files

I have ubuntu 12.04 updated with the latest security updates.

I uploaded the file to virustotal.com with no detections so far.

Any hint about what this file could be and how it arrived in my home directory?

Thanks a lot
Eneko

codemaniac
January 30th, 2013, 09:58 AM
Hi enlar,

Welcome to Ubuntuforums! :^)

"a.out" is sometimes the default output file created by some compilers when no output file name is specified. Please refer to the link below for more info.

http://en.wikipedia.org/wiki/A.out

enlar
January 30th, 2013, 10:12 AM
Hi codemaniac,

Thanks for the welcome!

I know about the a.out name, but I haven't compiled anything lately, much less bash. I'm afraid it could be a backdoor, or maybe something generated/installed by a package?

Cheers

samiux
January 30th, 2013, 10:13 AM
Are you sure the file "a.out" is an executable file?

If yes,

(1) did you run it? If yes, what was the result? Any display?
(2) did you update your box to the latest status?
(3) please check whether the system has any suspicious outbound or inbound connections.

Good luck.

Samiux

enlar
January 30th, 2013, 10:32 AM
Hi samiux,

file a.out:
a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xf199a4a89ac968c2e0e99f2410600b9d7e995187, not stripped

ldd a.out:
Inconsistency detected by ld.so: dl-lookup.c: 876: _dl_setup_hash: Assertion `(bitmask_nwords & (bitmask_nwords - 1)) == 0' failed!
ldd: exited with unknown exit code (127)

I'm not willing to try to exec a file which I consider suspicious, sorry :) That's why I checked the strings with ghex.

I updated my box with latest updates this morning (2 hours ago).

No suspicious connections:

netstat -a -t -n -p :
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3131/dnsmasq
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1556/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 566/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 929/cupsd
tcp 0 0 0.0.0.0:5060 0.0.0.0:* LISTEN 3910/twinkle
tcp 0 0 0.0.0.0:47589 0.0.0.0:* LISTEN 1000/rpc.statd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1255/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 964/rpcbind
tcp 0 0 192.168.1.174:45731 173.194.78.125:443 ESTABLISHED 3471/pidgin
tcp 0 0 192.168.1.174:45733 173.194.78.125:443 ESTABLISHED 3471/pidgin
tcp 0 0 192.168.1.174:41604 173.194.78.125:5222 ESTABLISHED 3471/pidgin
tcp 1 0 192.168.1.174:42618 91.189.94.25:80 CLOSE_WAIT 3435/ubuntu-geoip-p
tcp 0 0 192.168.1.174:42105 157.56.192.50:1863 ESTABLISHED 3471/pidgin
tcp 0 0 192.168.1.174:37513 173.194.34.230:80 ESTABLISHED 3481/firefox
tcp 0 0 192.168.1.174:37449 173.194.34.231:80 ESTABLISHED 3481/firefox
tcp 0 0 192.168.1.174:50812 173.194.66.109:993 ESTABLISHED 14634/evolution
tcp6 0 0 :::22 :::* LISTEN 566/sshd
tcp6 0 0 ::1:631 :::* LISTEN 929/cupsd
tcp6 0 0 :::111 :::* LISTEN 964/rpcbind
tcp6 0 0 :::51152 :::* LISTEN 1000/rpc.statd


Thanks a lot!
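The checks exchanged so far (comparing the BuildID that `file` reports against /bin/bash, and looking at why ldd dies inside `_dl_setup_hash`) can all be done statically, without executing the file, which is the stance enlar takes above. The following is an added example written for this page, not code from any of the thread's participants: it walks the ELF section table itself, reads the GNU build-id note, reads the bloom word count from the `.gnu.hash` header, and reproduces the power-of-two test that the quoted ld.so assertion performs. It handles both ELF32 and ELF64 in either byte order, which goes beyond the 32-bit file in the thread. `make_sample_elf` builds a constructed minimal ELF32 image so the script runs offline; the function names and the sample build-id bytes are my own.

```python
import struct
import sys

NT_GNU_BUILD_ID = 3
SHT_STRTAB, SHT_NOTE, SHT_GNU_HASH = 3, 7, 0x6FFFFFF6


def _layout(data):
    """Return (is_64bit, struct endian prefix) from e_ident; reject non-ELF input."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    return data[4] == 2, ("<" if data[5] == 1 else ">")


def parse_sections(data):
    """Map section name -> (file offset, size) by walking the section header table."""
    is64, end = _layout(data)
    if is64:
        hdr = struct.unpack_from(end + "QIHHHHHH", data, 40)   # e_shoff .. e_shstrndx
        shdr_fmt = end + "IIQQQQIIQQ"
    else:
        hdr = struct.unpack_from(end + "IIHHHHHH", data, 32)
        shdr_fmt = end + "IIIIIIIIII"
    shoff, shentsize, shnum, shstrndx = hdr[0], hdr[5], hdr[6], hdr[7]
    raw = [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    # Section names are offsets into the string table section selected by e_shstrndx.
    str_off, str_size = raw[shstrndx][4], raw[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for sh in raw:
        name = strtab[sh[0]:strtab.index(b"\0", sh[0])].decode("ascii", "replace")
        sections[name] = (sh[4], sh[5])
    return sections


def build_id(data):
    """Hex GNU build-id from the .note.gnu.build-id section, or None if the note is absent."""
    _, end = _layout(data)
    sec = parse_sections(data).get(".note.gnu.build-id")
    if sec is None:
        return None
    pos, stop = sec[0], sec[0] + sec[1]
    while pos + 12 <= stop:
        namesz, descsz, ntype = struct.unpack_from(end + "III", data, pos)
        pos += 12
        name = data[pos:pos + namesz]
        pos += (namesz + 3) & ~3          # note name and descriptor are 4-byte aligned
        desc = data[pos:pos + descsz]
        pos += (descsz + 3) & ~3
        if ntype == NT_GNU_BUILD_ID and name.rstrip(b"\0") == b"GNU":
            return desc.hex()
    return None


def gnu_hash_bloom_words(data):
    """Bloom word count (bitmask_nwords) from the .gnu.hash header, or None if absent."""
    _, end = _layout(data)
    sec = parse_sections(data).get(".gnu.hash")
    if sec is None:
        return None
    # Header layout: nbuckets, symoffset, bloom_size, bloom_shift (all 32-bit words).
    return struct.unpack_from(end + "IIII", data, sec[0])[2]


def triage(data):
    """Static facts a responder wants before deciding whether to touch the file further."""
    words = gnu_hash_bloom_words(data)
    return {
        "build_id": build_id(data),
        "gnu_hash_bloom_words": words,
        # ld.so asserts (bitmask_nwords & (bitmask_nwords - 1)) == 0 while setting up
        # the GNU hash table; the ldd failure quoted in the thread is that check firing.
        "ldso_assert_would_fail": words is not None and (words & (words - 1)) != 0,
    }


def make_sample_elf(bloom_words, build_id_bytes):
    """Constructed minimal ELF32 little-endian image carrying only the sections read above."""
    note = struct.pack("<III", 4, len(build_id_bytes), NT_GNU_BUILD_ID) + b"GNU\0" + build_id_bytes
    note += b"\0" * (-len(build_id_bytes) % 4)
    gnu_hash = struct.pack("<IIII", 1, 1, bloom_words, 6) + b"\0" * (4 * bloom_words + 8)
    shstrtab = b"\0.note.gnu.build-id\0.gnu.hash\0.shstrtab\0"
    bodies = [note, gnu_hash, shstrtab]
    types = [SHT_NOTE, SHT_GNU_HASH, SHT_STRTAB]
    names = [shstrtab.index(n) for n in (b".note.gnu.build-id", b".gnu.hash", b".shstrtab")]
    ehsize, shentsize, offsets, pos = 52, 40, [], 52
    for body in bodies:
        offsets.append(pos)
        pos += len(body)
    shdrs = struct.pack("<10I", *([0] * 10))                   # mandatory null section header
    for name, typ, off, body in zip(names, types, offsets, bodies):
        shdrs += struct.pack("<10I", name, typ, 0, 0, off, len(body), 0, 0, 4, 0)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8      # ELFCLASS32, little-endian, v1
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, pos, 0, ehsize, 0, 0, shentsize, 4, 3)
    return ehdr + b"".join(bodies) + shdrs


if __name__ == "__main__":                         # usage: python3 elf_triage.py a.out /bin/bash
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it against the suspicious file and /bin/bash side by side: identical `build_id` values say the two were produced by the same link step, and `ldso_assert_would_fail` being true explains the ldd crash without ever loading the file, since a bloom word count that is not a power of two is exactly what glibc refuses.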

samiux
January 30th, 2013, 11:10 AM
Hi enlar,

the a.out is a suspicious file.

This indicates that your box has been compromised at least once. The attacker wanted to escalate privileges to root. Maybe he was unsuccessful in doing so.

Please check whether the other applications have vulnerabilities or not.

Good luck.

Samiux

enlar
January 30th, 2013, 11:55 AM
Thanks Samiux

samiux
January 30th, 2013, 02:07 PM
Can you send the file "a.out" to me for analysis? If yes, please compress it.

Samiux

enlar
January 30th, 2013, 02:17 PM
Here you are. I checked my system with debsums and everything seems ok.

I did not find references to a.out in /etc either.

Thanks a lot

samiux
January 30th, 2013, 02:24 PM
Thanks.

Do you know whether your box's kernel was 2.6.24 or not (before the update/upgrade)? Can you find any other files? Is your box a 32-bit or 64-bit system?

Samiux

enlar
January 30th, 2013, 02:31 PM
Now it's
Linux enlar 3.2.0-36-generic #57-Ubuntu SMP Tue Jan 8 21:41:24 UTC 2013 i686 i686 i386 GNU/Linux

Before, it was the latest 10.04 kernel. The box was upgraded some months ago.

System /bin/bash references the same kernel.

samiux
January 30th, 2013, 02:40 PM
Got it.

The previous 10.04 kernel is 2.6.x, which was vulnerable to something for some time. However, Ubuntu patched the kernel and it is no longer vulnerable in Ubuntu 10.04 (in the latest version).

However, the attacker got into your box successfully. That means you have (at least) one application that is vulnerable. Please make sure all the applications are patched or upgraded, including the applications that you compiled yourself.

As the file "a.out" is looking for some shared object files, you may find some such files in your directory. If so, please also forward them to me for analysis.

I am sure that your box has been compromised once (at least) at kernel version 2.6.x.

Furthermore, make sure there is no extra account in /etc/passwd and /etc/shadow.

Edit :

The suspect may be Pidgin --> from exploit-db (http://www.exploit-db.com/exploits/11203/)

Samiux

enlar
January 30th, 2013, 03:43 PM
Hi Samiux,

There are no self-compiled apps in this box. I regularly update the system when the pop-up shows up.

How did you check a.out's shared object files? ldd won't return meaningful data. There are no shared object files in my home directory.

I checked accounts and they seem all good. Only two accounts have a password and they're legit. All other users have * or ! .

Thanks
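The account check samiux recommends, and the observation in the reply above that only two accounts carry a real password hash while the rest show `*` or `!`, can be scripted so it is repeatable after every incident. The following is an added example written for this page, not code from any of the thread's participants: it parses /etc/passwd and /etc/shadow text, flags UID 0 accounts other than root, accounts whose password field is a real hash but which are not on the expected list, accounts with an empty password field, and passwd/shadow mismatches. The sample file contents are constructed, the hashes are placeholders, and the function names are my own.

```python
def parse_passwd(text):
    """Parse /etc/passwd-style text into records; blank, comment and malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if not line.strip() or line.startswith("#") or len(f) != 7:
            continue
        users.append({"name": f[0], "uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]})
    return users


def parse_shadow(text):
    """Map account name -> password field from /etc/shadow-style text."""
    fields = {}
    for line in text.splitlines():
        f = line.split(":")
        if not line.strip() or line.startswith("#") or len(f) < 2:
            continue
        fields[f[0]] = f[1]
    return fields


def password_state(field):
    """Classify a shadow password field: 'locked' for the '*' / '!' markers the thread
    mentions, 'empty' when no password is set at all, 'hash' when a real hash is present."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    return "hash"


def audit_accounts(passwd_text, shadow_text, allowed_login_accounts):
    """Return sorted (finding, account) pairs for anything that deviates from the expected state."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    allowed = set(allowed_login_accounts)
    findings = set()
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.add(("extra-uid0", u["name"]))        # a second root-equivalent login
        if u["name"] not in shadow:
            findings.add(("missing-shadow-entry", u["name"]))
        state = password_state(shadow.get(u["name"], "!"))  # treat a missing entry as locked
        if state == "empty":
            findings.add(("empty-password", u["name"]))
        elif state == "hash" and u["name"] not in allowed:
            findings.add(("unexpected-password", u["name"]))
    known = {u["name"] for u in users}
    for name in shadow:
        if name not in known:
            findings.add(("shadow-only", name))
    return sorted(findings)


# Constructed sample files (not taken from the thread); the $6$ hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false
enlar:x:1000:1000:Eneko,,,:/home/enlar:/bin/bash
toor:x:0:0::/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$notarealhash1:15700:0:99999:7:::
daemon:*:15700:0:99999:7:::
mysql:!:15700:0:99999:7:::
enlar:$6$PLACEHOLDER$notarealhash2:15700:0:99999:7:::
toor:$6$PLACEHOLDER$notarealhash3:15700:0:99999:7:::
guest::15700:0:99999:7:::
"""

if __name__ == "__main__":
    # On a live box (as root): audit_accounts(open("/etc/passwd").read(),
    #                                          open("/etc/shadow").read(), ["root", "enlar"])
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, ["root", "enlar"]):
        print(*finding)
```

On the constructed sample the audit reports `toor` twice (extra UID 0 and an unexpected password hash) and `guest` once (empty password field); a clean system with only the two legitimate password-bearing accounts returns an empty list, which is the result the reply above describes.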

samiux
January 30th, 2013, 03:53 PM
Okay, your box is in good condition now. Don't worry. Even though the attacker got into your box, it seems that s/he could not get root privileges. Since your box has been upgraded to 12.04 or so, the problem may be gone. Don't worry.

Samiux

enlar
January 30th, 2013, 04:01 PM
Thanks a lot for your help Samiux!

samiux
January 30th, 2013, 04:03 PM
You are welcome.

I suggest you use AppArmor for Pidgin and Firefox, or whichever application connects to the internet.

Samiux