Re: 2.4.18 fork & defunct child => system is hacked

From: Frank van Maarseveen
Date: Tue Nov 18 2003 - 05:41:06 EST

Next message: Paul Mackerras: "[PATCH] PPC64: implement sched_clock properly"
Previous message: Eckhard Jokisch: "Hard lockup with reiserfs in 2.4.22 an2.4.20"
In reply to: Maciej Zenczykowski: "Re: 2.4.18 fork & defunct child."
Next in thread: Keith Whyte: "Re: 2.4.18 fork & defunct child => system is hacked"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Nov 17, 2003 at 06:26:00PM -0600, Keith Whyte wrote:
>
> { strace listing deleted, see
> http://marc.theaimsgroup.com/?l=linux-kernel&m=106905386725308&w=2 }

First of all, /bin/true doing a fork() basically means you've
been hacked: there should not be any such code in there. The
open("/proc/17904///////////exe" is anouther piece of clear evidence
that your system has been hacked.

Why the additional slashes?

I suspect a library/or LD_PRELOAD hack which simply encodes the getpid()
return value in decimal notation and stores it right into a static
buffer containing

"/proc//////////////////exe"

because it can't use sprintf at that point for some reason (maybe
just because it is a library/LD_PRELOAD hack).

--
Frank
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paul Mackerras: "[PATCH] PPC64: implement sched_clock properly"
Previous message: Eckhard Jokisch: "Hard lockup with reiserfs in 2.4.22 an2.4.20"
In reply to: Maciej Zenczykowski: "Re: 2.4.18 fork & defunct child."
Next in thread: Keith Whyte: "Re: 2.4.18 fork & defunct child => system is hacked"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]