<div dir="ltr">Don't run ldd on a binary you don't trust [1]. I think the safer way is objdump -p a.out | grep NEEDED.<div><br></div><div>Did you try "strings" to see what's in there? "nm" and "objdump" might give some more info on the method names especially since it's been stripped.</div><div><br></div><div>Also, just for kicks, do an "lsof | grep deleted" to see if any processes have some old files open that you can grab out of proc that the exploit tried to delete but was held open.</div><div><br></div><div><div>[1] <a href="http://www.catonmat.net/blog/ldd-arbitrary-code-execution/">http://www.catonmat.net/blog/ldd-arbitrary-code-execution/</a></div></div><div><br></div><div><br></div><div>Sean</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 5, 2015 at 5:56 PM, Adam Thompson <span dir="ltr"><<a href="mailto:athompso@athompso.net" target="_blank">athompso@athompso.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>1) Run it on a 32-bit livecd<br>
2) ldd(1)<br>
Otherwise, look at the elftools (or something like that) package to get more info about the binary.<br>
Don't you run all your systems with selinux?<br>
-Adam<br><br><div class="gmail_quote"><span class="">On January 5, 2015 5:33:35 PM CST, Trevor Cordes <<a href="mailto:trevor@tecnopolis.ca" target="_blank">trevor@tecnopolis.ca</a>> wrote:</span><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<pre><span class="">Uh oh. Finding an a.out in your /var/log/httpd doesn't instill<br>a warm fuzzy feeling.<br><br>I have ~ 4k a.out there dated Oct 12, which unfortunately is just past<br>my logrotate cutoff now, so I can't check access.log (drat) without<br>hitting the (hard to hit) backups.<br><br>file a.out <br>a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),<br>dynamically linked (uses shared libs), not stripped<br><br>I fired up a live-cd linux with no disks or net attached to try to run<br>it (I put it on a usb stick). But when I do *the shell* returns ENOENT<br>and won't run. I tried ./a.out. I tried moving it to a fs that<br>shouldn't be mounted noexec. I tried strace a.out and strace ./a.out<br>and strace shows only the exec attempt and the error print and quit.<br><br>Huh? How can I get this thing to run?<br><br>Anyway to see what it is doing? Disassemble? It is not stripped, so<br></span>gdb? How can I ste!
p-run it
from the start (ie nothing executes until I<span class=""><br>step)?<br><br>What else to do with this file?<br><br>I'll see if I can dig up the access.log from that date and get more<br>details.<br><hr><br></span><span class="">Roundtable mailing list<br><a href="mailto:Roundtable@muug.mb.ca" target="_blank">Roundtable@muug.mb.ca</a><br><a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br></span></pre></blockquote></div><span class="HOEnZb"><font color="#888888"><br>
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my brevity.</font></span></div><br>_______________________________________________<br>
Roundtable mailing list<br>
<a href="mailto:Roundtable@muug.mb.ca">Roundtable@muug.mb.ca</a><br>
<a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Sean Walberg <<a href="mailto:sean@ertw.com" target="_blank">sean@ertw.com</a>> <a href="http://ertw.com/" target="_blank">http://ertw.com/</a></div>
</div>