[opensuse] gmonstart / jvregisterclasses in tons of binaries with commands, malware?
In Linux binaries, in any Linux distro, I've discovered the same strings which I believe may be due to a virus or trojan. Yet clamav, rkhunter and chkrootkit do not detect abnormalities. Whether I run 'strings' on the binary files or view them with vim or gedit, here is what is always seen inside the binaries:

__gmon_start__ _Jv_RegisterClasses

followed by commands which differ within each binary. If, by some luck, I've downloaded a fresh Linux ISO where binaries do not include the above two strings followed by commands, after I run an update the updated binaries suddenly contain the above two strings and other, what I believe to be, rogue strings. I've avoided the possible infection with an OpenBSD install, yet all the Linux installations and burned ISOs contain binaries with the above two strings followed by commands.

Search using find within your bin and sbin directories for those two strings and see how many positives you find. Now use a text editor like vi or gedit and search through the gibberish, locate these strings and isolate the commands, if any, which follow them. Searching for gmonstart, gmon, registerclasses, jv, etc. variations works. If you find results in your binaries, please copy/paste the commands following the gmonstart and jvregisterclasses strings so I may compare them to mine.

I've purchased Linux CDs from brick-and-mortar stores, downloaded ISOs from different physical locations and found some CDs contained these strings in the binaries and one or two rare ones did not, but when installed/updated on a network connection the binaries replaced in the update process would show these strings!! These strings are not alone by themselves in the binaries; they are followed by commands with a @ mark before each command. Google results are vague, some suggest shell backdoors; every Linux user I've asked to date calls me paranoid, while at the same time this knowledge comes as a surprise to them, too, when they search their binaries and find the same strings.
I'm amazed by how quickly some rush to judgement and call you paranoid for being curious about the files on your system. The strings may or may not be common, but in comparing commands which follow these strings I've noticed some which seem downright malicious! Maybe they're right, I'm just paranoid, but what am I seeing and why are these strings so common across Linux distros' binaries, esp. the Jv (java?) reference? Please, any help?

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
whereislibertyandjustice@Safe-mail.net said the following on 12/16/2009 09:29 PM:
Maybe they're right, I'm just paranoid, but what am I seeing and why are these strings so common across Linux distros' binaries, esp. the Jv (java?) reference? Please, any help?
No, you're not paranoid. You're just unaware of how Linux dynamic runtime linking works. Look it up. Look at the command 'ldd' and the manual page for ld.so, ld-linux.so* - the dynamic linker/loader.

A few lines above the __gmon_start__ _Jv_RegisterClasses you will see /lib/ld-linux.so.2, which gives the game away. As the man page says, this is followed by options and arguments. The options are the files to link to dynamically and the entry points. This is not some malware, it's the basic internals. I'll leave it to you to read the man page and do some googling.

Please, that thing in my chest with strands running all through my body is not an invading Alien creature, like the one in the movie; it's my heart and blood vessels!

-- The price of liberty is eternal vigilance. --Thomas Jefferson
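Added example for this thread, not code from either poster: a small Python script that reads the same dynamic-linking metadata that readelf -d, nm -D and ldd report, so the two strings can be seen for what they are. __gmon_start__ is the gprof profiling hook referenced by the C runtime startup files, and _Jv_RegisterClasses is the GCJ (GNU Compiler for Java) class-registration hook referenced by crtbegin.o; both are emitted as WEAK, UNDEFINED entries in .dynsym, which the loader is allowed to leave as NULL when no library provides them. The "commands" around them are the interpreter path (PT_INTERP), the DT_NEEDED library names and the rest of .dynstr. The script assumes little-endian ELF64 and, so it runs offline, builds a constructed fixture laid out like a small x86-64 program; pass a real binary on the command line (for example /bin/ls on a Linux box) to see the same entries.

```python
"""Dynamic-linking metadata of an ELF64 binary, the way readelf -d, nm -D
and ldd report it. Added example for this thread, not code from either
poster. Assumes little-endian ELF64; a constructed in-memory fixture is
used so it runs offline, but any real x86-64 binary can be passed on argv.
"""
import struct
import sys

PT_INTERP, PT_DYNAMIC = 3, 2
SHT_PROGBITS, SHT_STRTAB, SHT_DYNAMIC, SHT_DYNSYM = 1, 3, 6, 11
DT_NULL, DT_NEEDED, DT_STRTAB, DT_SYMTAB = 0, 1, 5, 6
STB = {0: "LOCAL", 1: "GLOBAL", 2: "WEAK"}
SHN_UNDEF = 0
# ELF64 header, program header, section header, symbol, dynamic entry
EHDR, PHDR, SHDR, SYM, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<IIQQQQIIQQ", "<IBBHQQ", "<qQ"


def cstr(blob, off):
    """NUL-terminated string starting at off."""
    return blob[off:blob.index(b"\0", off)].decode()


def parse_elf64(data):
    """Return interpreter path, DT_NEEDED libraries and .dynsym entries."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR, data, 0)
    phoff, shoff, phentsize, phnum, shentsize, shnum = hdr[5], hdr[6], hdr[9], hdr[10], hdr[11], hdr[12]
    interp = None
    for i in range(phnum):
        p_type, _, p_off = struct.unpack_from(PHDR, data, phoff + i * phentsize)[:3]
        if p_type == PT_INTERP:           # the /lib/ld-linux.so.2 line the poster sees
            interp = cstr(data, p_off)
    # (name, type, flags, addr, offset, size, link, info, align, entsize)
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    needed, symbols = [], []
    for _, sh_type, _, _, off, size, link, _, _, entsize in shdrs:
        if sh_type == SHT_DYNAMIC:        # readelf -d; sh_link names the .dynstr section
            strtab = shdrs[link][4]
            for e in range(size // 16):
                tag, val = struct.unpack_from(DYN, data, off + e * 16)
                if tag == DT_NULL:
                    break
                if tag == DT_NEEDED:
                    needed.append(cstr(data, strtab + val))
        elif sh_type == SHT_DYNSYM:       # nm -D; one entry per imported/exported symbol
            strtab = shdrs[link][4]
            for s in range(size // entsize):
                name, info, _, shndx = struct.unpack_from(SYM, data, off + s * entsize)[:4]
                if name:
                    symbols.append((cstr(data, strtab + name), STB.get(info >> 4, "?"), shndx == SHN_UNDEF))
    return {"interp": interp, "needed": needed, "symbols": symbols}


def weak_undefined(info):
    """Symbols the loader may legitimately leave unresolved (they become NULL)."""
    return [n for n, bind, undef in info["symbols"] if bind == "WEAK" and undef]


def report(data):
    """Text lines in the spirit of readelf -d / nm -D output."""
    info = parse_elf64(data)
    lines = [f"interpreter: {info['interp']}"]
    lines += [f"NEEDED {lib}" for lib in info["needed"]]
    lines += [f"{'U' if undef else 'D'} {bind:6} {name}" for name, bind, undef in info["symbols"]]
    return lines


def build_fixture():
    """Constructed ELF64 laid out like a small dynamically linked x86-64
    program (.interp, .dynstr, .dynsym, .dynamic) with vaddr == file offset."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    names = [b"", b"libc.so.6", b"__gmon_start__", b"_Jv_RegisterClasses", b"puts", b"libm.so.6"]
    off, dynstr = {}, b""
    for n in names:
        off[n] = len(dynstr)
        dynstr += n + b"\0"
    # __gmon_start__ (gprof hook from the C startup files) and _Jv_RegisterClasses
    # (GCJ hook from crtbegin.o) are WEAK + UNDEF; puts is a normal GLOBAL import.
    def sym(name, bind):
        return struct.pack(SYM, off[name], (bind << 4) | 2, 0, SHN_UNDEF, 0, 0)
    dynsym = bytes(24) + sym(b"__gmon_start__", 2) + sym(b"_Jv_RegisterClasses", 2) + sym(b"puts", 1)
    interp_off = 64 + 2 * 56
    dynstr_off = interp_off + len(interp)
    dynsym_off = (dynstr_off + len(dynstr) + 7) & ~7
    dynamic_off = dynsym_off + len(dynsym)
    dynamic = b"".join(struct.pack(DYN, t, v) for t, v in [
        (DT_NEEDED, off[b"libc.so.6"]), (DT_NEEDED, off[b"libm.so.6"]),
        (DT_STRTAB, dynstr_off), (DT_SYMTAB, dynsym_off), (DT_NULL, 0)])
    shoff = dynamic_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 64, shoff, 0, 64, 56, 2, 64, 5, 0)
    phdrs = struct.pack(PHDR, PT_INTERP, 4, interp_off, interp_off, interp_off, len(interp), len(interp), 1)
    phdrs += struct.pack(PHDR, PT_DYNAMIC, 6, dynamic_off, dynamic_off, dynamic_off, len(dynamic), len(dynamic), 8)
    shdrs = bytes(64)                                                                             # 0: SHN_UNDEF
    shdrs += struct.pack(SHDR, 0, SHT_PROGBITS, 2, interp_off, interp_off, len(interp), 0, 0, 1, 0)   # 1: .interp
    shdrs += struct.pack(SHDR, 0, SHT_STRTAB, 2, dynstr_off, dynstr_off, len(dynstr), 0, 0, 1, 0)     # 2: .dynstr
    shdrs += struct.pack(SHDR, 0, SHT_DYNSYM, 2, dynsym_off, dynsym_off, len(dynsym), 2, 1, 8, 24)    # 3: .dynsym
    shdrs += struct.pack(SHDR, 0, SHT_DYNAMIC, 3, dynamic_off, dynamic_off, len(dynamic), 2, 0, 8, 16)  # 4: .dynamic
    body = ehdr + phdrs + interp + dynstr
    body += bytes(dynsym_off - len(body)) + dynsym + dynamic
    return body + shdrs


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fixture()
    print("\n".join(report(blob)))
    print("weak undefined (fine to stay unresolved):", ", ".join(weak_undefined(parse_elf64(blob))))
```

On a real binary the same two names show up in nm -D output with a lowercase "w" (weak, undefined) next to them, while the actual imports such as puts are "U". A weak undefined symbol that nothing provides is not a missing backdoor; the loader simply leaves it NULL and the startup code tests for that before calling it.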
participants (2): Anton Aylward, whereislibertyandjustice@Safe-mail.net