
List:       suse-security
Subject:    Re: [opensuse-security] gmonstart / jvregisterclasses in tons of
From:       Karsten Künne <karsten.kuenne () gmail ! com>
Date:       2009-12-17 15:11:53
Message-ID: c84ad4430912170711t2441099ekb41a1d7ab2fa34c2 () mail ! gmail ! com

On Wed, Dec 16, 2009 at 9:28 PM,
<whereislibertyandjustice@safe-mail.net> wrote:
> In linux binaries, in any linux distro, I've discovered the same strings
> which I believe may be due to a virus or trojan.
>
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
>
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
>
>
> __gmon_start__
> _Jv_RegisterClasses
>
> Followed by commands which differ within each binary.
>
> If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
> include the above two strings followed by commands, after I run an update
> the updated binaries suddenly contain the above two strings and other, what
> I believe to be, rogue strings. I've avoided the possible infection with an
> OpenBSD install, yet all the Linux installations and burned ISOs contain
> binaries with the above two strings followed by commands.
>
> Search using find within your bin and sbin directories for those two strings
> and see how many positives you find. Now use a text editor like vi or gedit
> and search through the gibberish, locate these strings and isolate the
> commands, if any, which follow them. Searching for gmonstart, gmon,
> registerclasses, jv, etc. variations also works. If you find results in your
> binaries, please copy/paste the commands following the gmonstart and
> jvregisterclasses strings so I may compare them to mine.
>
> I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
> different physical locations and found some CDs contained these strings
> in the binaries and one or two rare ones did not, but when installed/updated
> on a network connection the binaries replaced in the update process would
> show these strings!! These strings are not alone by themselves in the
> binaries; they are followed by commands with an @ mark before each command.
>
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this knowledge
> comes as a surprise to them, too, when they search their binaries and find
> the same strings. I'm amazed by how quickly some rush to judgement and call
> you paranoid for being curious about the files on your system. The strings
> may/may not be common, but in comparing commands which follow these strings
> I've noticed some which seem downright malicious!
>
> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?

Would you please stop posting this nonsense to all mailing lists? I
already found it on gentoo-security, debian-security, ubuntu-users and
others. This was explained on other mailing lists and I won't repeat
it again. It's a non-issue!

BTW, what kind of stupid nick is that anyway? Doesn't
opensuse-security have a realname policy?

kk
-- 
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
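The reply above says the strings are a non-issue but does not say why, so here is the check a practitioner would run, as an added example that is not part of the thread and not anyone's posted code. Both names are weak, undefined entries in the dynamic symbol table of almost every dynamically linked ELF program of that era: glibc's crti.o references __gmon_start__ (the gprof profiling hook) and gcc's crtbegin.o references _Jv_RegisterClasses (the libgcj class-registration hook), both marked weak so that the dynamic linker resolves them to NULL when no library provides them. The "commands" that follow them in strings(1) output are simply the rest of the .dynstr import table (printf, __libc_start_main, libc.so.6 and so on). The script below parses .dynsym directly, without readelf or nm, and lists weak undefined imports; the ELF image it builds when run with no argument is constructed for the example, and the file name elfweak.py is assumed. Toolchains without the Java front end (gcc 7 and later) no longer emit the _Jv_RegisterClasses reference, so on a current system only __gmon_start__ remains.

```python
"""Added example, not from the thread: list the weak, undefined imports in an
ELF file's dynamic symbol table (this is where __gmon_start__ and
_Jv_RegisterClasses come from).  Usage:  python3 elfweak.py /bin/ls
With no argument a constructed sample image is analysed instead."""
import struct
import sys

SHT_DYNSYM = 11
SHT_STRTAB = 3
SHN_UNDEF = 0
STB_GLOBAL, STB_WEAK = 1, 2
BINDINGS = {0: "LOCAL", 1: "GLOBAL", 2: "WEAK"}


def _section_headers(data):
    """Decode the ELF header far enough to reach the section header table."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        shoff = struct.unpack_from(end + "Q", data, 0x28)[0]
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x3A)
        fmt = end + "IIQQQQIIQQ"             # Elf64_Shdr
    else:
        shoff = struct.unpack_from(end + "I", data, 0x20)[0]
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x2E)
        fmt = end + "IIIIIIIIII"             # Elf32_Shdr
    shdrs = []
    for i in range(shnum):
        f = struct.unpack_from(fmt, data, shoff + i * shentsize)
        # fields: name, type, flags, addr, offset, size, link, info, addralign, entsize
        shdrs.append({"type": f[1], "offset": f[4], "size": f[5],
                      "link": f[6], "entsize": f[9]})
    return is64, end, shdrs


def parse_dynsyms(data):
    """Return [(name, binding, defined)] for every entry in .dynsym."""
    is64, end, shdrs = _section_headers(data)
    dynsym = next((s for s in shdrs if s["type"] == SHT_DYNSYM), None)
    if dynsym is None:
        return []                            # static binary: no dynamic symbols at all
    dynstr = shdrs[dynsym["link"]]           # sh_link points at the matching string table
    strtab = data[dynstr["offset"]:dynstr["offset"] + dynstr["size"]]
    fmt = end + ("IBBHQQ" if is64 else "IIIBBH")   # Elf64_Sym / Elf32_Sym
    entsize = dynsym["entsize"] or struct.calcsize(fmt)
    syms = []
    for off in range(dynsym["offset"] + entsize,     # skip the mandatory null entry
                     dynsym["offset"] + dynsym["size"], entsize):
        f = struct.unpack_from(fmt, data, off)
        name_off, info, shndx = (f[0], f[1], f[3]) if is64 else (f[0], f[3], f[5])
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode("ascii", "replace")
        syms.append((name, BINDINGS.get(info >> 4, str(info >> 4)), shndx != SHN_UNDEF))
    return syms


def weak_imports(data):
    """Names the binary references weakly but does not define: optional hooks."""
    return sorted(n for n, bind, defined in parse_dynsyms(data)
                  if bind == "WEAK" and not defined)


def build_sample_elf():
    """Constructed 64-bit little-endian image (section headers, .dynsym and
    .dynstr only, no code) with the import table of a typical 2009 C program."""
    names = [b"", b"__gmon_start__", b"_Jv_RegisterClasses", b"printf",
             b"__libc_start_main", b"main", b"libc.so.6"]
    dynstr, offs = b"", {}
    for n in names:
        offs[n] = len(dynstr)
        dynstr += n + b"\0"

    def sym(name, bind, shndx):              # Elf64_Sym: name, info, other, shndx, value, size
        return struct.pack("<IBBHQQ", offs[name], bind << 4, 0, shndx, 0, 0)

    dynsym = (sym(b"", 0, SHN_UNDEF)
              + sym(b"__gmon_start__", STB_WEAK, SHN_UNDEF)
              + sym(b"_Jv_RegisterClasses", STB_WEAK, SHN_UNDEF)
              + sym(b"printf", STB_GLOBAL, SHN_UNDEF)
              + sym(b"__libc_start_main", STB_GLOBAL, SHN_UNDEF)
              + sym(b"main", STB_GLOBAL, 0xFFF1))        # SHN_ABS: defined in this file
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"
    off_dynsym = 64
    off_dynstr = off_dynsym + len(dynsym)
    off_shstr = off_dynstr + len(dynstr)
    shoff = off_shstr + len(shstrtab)

    def shdr(name, typ, offset, size, link, info, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, offset, size, link, info, 1, entsize)

    shdrs = (bytes(64)                                   # index 0: null section
             + shdr(1, SHT_DYNSYM, off_dynsym, len(dynsym), 2, 1, 24)
             + shdr(9, SHT_STRTAB, off_dynstr, len(dynstr), 0, 0, 0)
             + shdr(17, SHT_STRTAB, off_shstr, len(shstrtab), 0, 0, 0))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, SysV
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3))
    return ehdr + dynsym + dynstr + shstrtab + shdrs


def report(data):
    """One line per dynamic symbol, with the optional hooks marked."""
    lines = []
    for name, bind, defined in parse_dynsyms(data):
        tag = "weak import: optional hook, NULL if absent" if bind == "WEAK" and not defined else ""
        lines.append(f"{bind:6} {'DEF' if defined else 'UND'} {name:24} {tag}")
    return lines


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print("\n".join(report(blob)))
```

Run against a real binary the output is the same thing `nm -D` prints as `w __gmon_start__`: a weak undefined reference, resolved by ld.so to a null pointer that the start-up code tests before calling. A genuinely injected hook would have to show up as a defined symbol, an extra DT_NEEDED library or a code change, none of which a list of undefined import names can reveal, which is why comparing the strings following these two names across machines says nothing about compromise.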

