LinuxQuestions.org
Old 11-14-2007, 03:48 AM   #16
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509


Code:
rpm -qV coreutils
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/mv
S.5....T /bin/rm
This tells you that the above files have been modified after the installation of coreutils. In more detail, the size, checksum and modification time have changed. Most likely you will have some other strange file in the /bin directory, like rm.orig or chgrp.orig. You can check for this.
Code:
/bin/mv: ASCII text
From the above the first thing you can do is to see the content of the file, and look for any comment line which can give you information about the origin of this file. And maybe post the content, since all of us in this thread are curious at this point!
A question arises now: are you the unique administrator of this machine? Is it you who performed the installation of the operating system? You see... I doubt that these files
Code:
/bin/mv
/bin/mv.2
/bin/mv.orig
have been created with a malicious intent, since there is apparently no attempt to hide them. I wonder if some other administrator has intentionally suited things for his needs. Cheers!
 
Old 11-14-2007, 04:19 AM   #17
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Quote:
You see... I doubt that these files
Code:

/bin/mv
/bin/mv.2
/bin/mv.orig

have been created with a malicious intent, since there is apparently no attempt to hide them. I wonder if some other administrator has intentionally suited things for his needs. Cheers!
Or a devious method of concealing in plain sight by making it seem unlikely that it was a hacker. In other words not trying to hide it at all may be a good way to hide it!

Maybe a hacker who is a fan of the movie "Airplane". Why not make copies of the original files, in place. "That would be the last thing they'd expect."
Maybe I am just not a trusting kind of person to be so suspicious.

Last edited by jschiwal; 11-14-2007 at 04:20 AM.
 
Old 11-14-2007, 07:24 AM   #18
George2
Member
 
Registered: Oct 2003
Posts: 354

Original Poster
Thanks colucix,


I am always happy to learn from you experienced guys to determine the root cause of this issue.

I am the current admin of this machine, but it is not me who installed the system before. It is a new machine which was transferred to me.

Here is the content of /bin/mv, please feel free to let me know if you need more information to determine the root cause of why mv with a filename containing a space character is not working.

If you find the root cause, please also share with us here. :-)

Code:
more /bin/mv
echo "============================================================" >> /var/log/sysmon/sys.log
date >> /var/log/sysmon/sys.log
echo "user: $USER" >> /var/log/sysmon/sys.log
echo "Command: $PWD/mv $*" >> /var/log/sysmon/sys.log
echo "PID: $$" >> /var/log/sysmon/sys.log
echo >> /var/log/sysmon/sys.log
ps -f -p $$ >> /var/log/sysmon/sys.log

mv.orig $*

echo >> /var/log/sysmon/sys.log

Quote:
Originally Posted by colucix View Post
Code:
rpm -qV coreutils
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/mv
S.5....T /bin/rm
This tells you that the above files have been modified after the installation of coreutils. In more detail, the size, checksum and modification time have changed. Most likely you will have some other strange file in the /bin directory, like rm.orig or chgrp.orig. You can check for this.
Code:
/bin/mv: ASCII text
From the above the first thing you can do is to see the content of the file, and look for any comment line which can give you information about the origin of this file. And maybe post the content, since all of us in this thread are curious at this point!
A question arises now: are you the unique administrator of this machine? Is it you who performed the installation of the operating system? You see... I doubt that these files
Code:
/bin/mv
/bin/mv.2
/bin/mv.orig
have been created with a malicious intent, since there is apparently no attempt to hide them. I wonder if some other administrator has intentionally suited things for his needs. Cheers!

regards,
George
 
Old 11-14-2007, 07:27 AM   #19
George2
Member
 
Registered: Oct 2003
Posts: 354

Original Poster
Hi jschiwal,


Good imagination of the intent of the file and how a hacker thinks -- seems you were a hacker before? :-)

It is appreciated if you could provide some ideas of how to determine the root cause of this issue, why mv is not working with a file name containing a space character.

Quote:
Originally Posted by jschiwal View Post
Or a devious method of concealing in plain sight by making it seem unlikely that it was a hacker. In other words not trying to hide it at all may be a good way to hide it!

Maybe a hacker who is a fan of the movie "Airplane". Why not make copies of the original files, in place. "That would be the last thing they'd expect."
Maybe I am just not a trusting kind of person to be so suspicious.

regards,
George
 
Old 11-14-2007, 08:53 AM   #20
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Ok. It looks like a monitor facility to trace the usage of basic Linux commands. You can check if the file /var/log/sysmon/sys.log is in place. Maybe its size is huge, unless it is rotated together with the system logs. If you look at the content of this log file, you will find something like
Code:
============================================================
Wed Nov 14 14:35:13 CET 2007
user: colucix
Command: /home/colucix/pluto/test/mv pippo pluto paperino
PID: 21440

UID        PID  PPID  C STIME TTY          TIME CMD
colucix  21440 21290  0 14:35 pts/4    00:00:00 bash -x script.sh pippo pluto paperino
This will tell you who is moving what, and when. I don't know if it comes with a package or if it was installed by hand. I am for the second hypothesis.

If you decide to keep things as they are, you can edit the file /bin/mv and change the line
Code:
mv.orig $*
into
Code:
mv.orig "$@"
This will take care of the filenames containing blank spaces. You can see the bash manual page under the section "positional parameters" or the Advanced Bash Scripting Guide, section 9.1 for a detailed explanation.

You can also check the other commands that have been changed from the original installation of coreutils:
Code:
rpm -qV coreutils
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/mv
S.5....T /bin/rm
At this point the mystery is almost solved!

Last edited by colucix; 11-14-2007 at 08:59 AM.
 
Old 11-14-2007, 08:58 AM   #21
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Quote:
Originally Posted by jschiwal View Post
Maybe a hacker who is a fan of the movie "Airplane". Why not make copies of the original files, in place. "That would be the last thing they'd expect."
jschiwal, you are definitely right!
 
Old 11-14-2007, 09:39 AM   #22
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Code:
more /bin/mv
echo "============================================================" >> /var/log/sysmon/sys.log
date >> /var/log/sysmon/sys.log
echo "user: $USER" >> /var/log/sysmon/sys.log
echo "Command: $PWD/mv $*" >> /var/log/sysmon/sys.log
echo "PID: $$" >> /var/log/sysmon/sys.log
echo >> /var/log/sysmon/sys.log
ps -f -p $$ >> /var/log/sysmon/sys.log

mv.orig $*

echo >> /var/log/sysmon/sys.log
Okay
Every mv you do will append stuff to /var/log/sysmon/sys.log, which means that any user has to have write access to this file.

That's what I often do to track which process is playing with my wireless: replace the iwconfig and ifconfig binaries with shell scripts.


But "patching" mv is a bit overkill. I would remove mv and rename mv.orig to mv.
And then, how many other tools have been patched this way..

Now for the important part, can you check this:

Code:
ls -la /var/log/sysmon/sys.log
ls -lad /var/log/sysmon
Depending on the results, your box can be fully 0wned with 2 simple commands.
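An added audit helper (not code from the thread) that checks for the two things nx5000 raises: text scripts standing in for binaries, with their leftover .orig or numbered copies, and a wrapper log file that every user can write to. It runs only against a constructed scratch tree; the paths and file contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a "bin" directory for text
# scripts standing in for binaries and for leftover copies (mv.orig, mv.2),
# then report whether the wrapper's log file is writable by everyone.
# It only ever runs against a constructed scratch tree, never the real /bin.

# Prints "script: NAME" for text files and "leftover: NAME" for .orig/.N copies.
find_wrappers() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in
            *.orig|*.[0-9]) echo "leftover: $name"; continue ;;
        esac
        # A file with no bytes outside the printable/whitespace range is text,
        # which is what "file /bin/mv" reporting "ASCII text" means.
        odd=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
        if [ "$odd" -eq 0 ]; then echo "script: $name"; fi
    done
}

# Prints "world-writable:" or "ok:" for the log file (or for its directory
# when the file does not exist yet), judged on the "other" permission bits.
log_exposure() {
    target=$1
    [ -e "$target" ] || target=$(dirname "$1")
    perm=$(stat -c '%a' "$target" 2>/dev/null || stat -f '%Lp' "$target")
    case "$perm" in
        *[2367]) echo "world-writable: $target ($perm)" ;;
        *)       echo "ok: $target ($perm)" ;;
    esac
}

# Constructed scratch tree mirroring the thread's findings; prints the audit.
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/log"
    printf '\177ELF\002\001\001' > "$dir/bin/ls"        # fake real binary
    printf '\177ELF\002\001\001' > "$dir/bin/mv.orig"   # leftover copy
    printf 'date >> %s/log/sys.log\nmv.orig $*\n' "$dir" > "$dir/bin/mv"
    : > "$dir/log/sys.log"
    chmod 666 "$dir/log/sys.log"                         # the weak setting
    find_wrappers "$dir/bin"
    log_exposure "$dir/log/sys.log"
    rm -rf "$dir"
}
demo
```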
 
Old 11-14-2007, 01:12 PM   #23
otheus
LQ Newbie
 
Registered: Jun 2006
Location: Austria
Distribution: RHEL AS 4
Posts: 25

<removed due to redundancy>

Last edited by otheus; 11-14-2007 at 01:15 PM.
 
Old 11-14-2007, 04:12 PM   #24
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Yes, the script logs information about every mv command. That would make it easier to reverse mistakes.

Quote:
mv.orig "$@"
I ran a test program to test whether this was right:
Code:
cat >test
echo "$@"
echo "$1" "$2"
./showargs "$*"
./showargs "$@"
[jschiwal@delllap ~]$ cat >showargs
echo ":$1:$2:$3:$4:"
[jschiwal@delllap ~]$ chmod +x test showargs
[jschiwal@delllap ~]$ ./test abc d\ e fgh
abc d e fgh
abc d e
:abc d e fgh::::
:abc:d e:fgh::
I was afraid embedded whitespace might cause a problem but I was wrong. Passing "$@" will work.

And, no, I was never a hacker. I just read on what to look out for. Recompiling basic commands on the system is one thing in their bag of tricks.
 
Old 11-14-2007, 11:55 PM   #25
George2
Member
 
Registered: Oct 2003
Posts: 354

Original Poster
Thanks colucix,


I have read the book you mentioned,

Here is the related description, and I have also tried your solution, which works. But I am still confused about what the differences between $* and $@ are after reading the book.

For $*, the book says, seen as a single word, and for $@ the book says each parameter is a quoted string, that is, the parameters are passed on intact. Looks like $* and $@ are the same, right?

--------------------

$*
All of the positional parameters, seen as a single word

$@
Same as $*, but each parameter is a quoted string, that is, the parameters are passed on intact, without interpretation or expansion. This means, among other things, that each parameter in the argument list is seen as a separate word.

--------------------

Quote:
Originally Posted by colucix View Post
Ok. It looks like a monitor facility to trace the usage of basic Linux commands. You can check if the file /var/log/sysmon/sys.log is in place. Maybe its size is huge, unless it is rotated together with the system logs. If you look at the content of this log file, you will find something like
Code:
============================================================
Wed Nov 14 14:35:13 CET 2007
user: colucix
Command: /home/colucix/pluto/test/mv pippo pluto paperino
PID: 21440

UID        PID  PPID  C STIME TTY          TIME CMD
colucix  21440 21290  0 14:35 pts/4    00:00:00 bash -x script.sh pippo pluto paperino
This will tell you who is moving what, and when. I don't know if it comes with a package or if it was installed by hand. I am for the second hypothesis.

If you decide to keep things as they are, you can edit the file /bin/mv and change the line
Code:
mv.orig $*
into
Code:
mv.orig "$@"
This will take care of the filenames containing blank spaces. You can see the bash manual page under the section "positional parameters" or the Advanced Bash Scripting Guide, section 9.1 for a detailed explanation.

You can also check the other commands that have been changed from the original installation of coreutils:
Code:
rpm -qV coreutils
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/mv
S.5....T /bin/rm
At this point the mystery is almost solved!

regards,
George
 
Old 11-14-2007, 11:58 PM   #26
George2
Member
 
Registered: Oct 2003
Posts: 354

Original Poster
Thanks jschiwal,


I have tried $@ and it works. But after reading the Advanced Bash-Scripting Guide section 9.1, I am still confused. What are the differences between $@ and $* (after reading the book, I cannot tell the exact differences)? Could you see my post in #25 and comment please?

Quote:
Originally Posted by jschiwal View Post
Yes, the script logs information about every mv command. That would make it easier to reverse mistakes.


I ran a test program to test whether this was right:
Code:
cat >test
echo "$@"
echo "$1" "$2"
./showargs "$*"
./showargs "$@"
[jschiwal@delllap ~]$ cat >showargs
echo ":$1:$2:$3:$4:"
[jschiwal@delllap ~]$ chmod +x test showargs
[jschiwal@delllap ~]$ ./test abc d\ e fgh
abc d e fgh
abc d e
:abc d e fgh::::
:abc:d e:fgh::
I was afraid embedded whitespace might cause a problem but I was wrong. Passing "$@" will work.

And, no, I was never a hacker. I just read on what to look out for. Recompiling basic commands on the system is one thing in their bag of tricks.

regards,
George
 
Old 11-17-2007, 10:41 PM   #27
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Suppose you have the arguments: a b "c d" "d e f".

"$@" will have 4 arguments: a, b, c d, d e f
$* will split them up into 7 separate arguments, while "$*" will join them into one argument with 7 letters and 6 spaces.
I'll use the "set" command to demonstrate. Entering "set <arguments>" will set the current shell arguments, so you can test things out interactively instead of having to write a script and calling it.

Code:
jschiwal@hpamd64:~> set a b 'c d' 'e f g'
jschiwal@hpamd64:~> echo "$@"
a b c d e f g
jschiwal@hpamd64:~> echo $1
a
jschiwal@hpamd64:~> echo $2
b
jschiwal@hpamd64:~> echo $3
c d
jschiwal@hpamd64:~> echo $4
e f g
jschiwal@hpamd64:~> set "$@"
jschiwal@hpamd64:~> echo $1
a
jschiwal@hpamd64:~> echo $2
b
jschiwal@hpamd64:~> echo $3
c d
jschiwal@hpamd64:~> echo $4
e f g
jschiwal@hpamd64:~> echo "$@"
a b c d e f g
jschiwal@hpamd64:~> set "$*"
jschiwal@hpamd64:~> echo $1
a b c d e f g

jschiwal@hpamd64:~> set a b 'c d' 'e f g'
jschiwal@hpamd64:~> set $*
jschiwal@hpamd64:~> echo $1
a
jschiwal@hpamd64:~> echo $2
b
jschiwal@hpamd64:~> echo $3
c
jschiwal@hpamd64:~> echo $4
d
jschiwal@hpamd64:~> set a b 'c d' 'e f g'
jschiwal@hpamd64:~> set "$*"
jschiwal@hpamd64:~> echo $1
a b c d e f g
 
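To make colucix's fix in #20 and jschiwal's set demonstration in #27 concrete, here is an added example (not code from the thread) that counts what each expansion delivers and builds a throwaway mv wrapper in both the broken and the fixed form. The scratch directory, the file names and the stand-in wrapper are constructed for the run.

```shell
#!/bin/sh
# Added example, not code from the thread: shows how `$*`, `"$*"` and `"$@"`
# differ when arguments contain spaces, and why the wrapper's `mv.orig $*`
# breaks for such filenames. Everything runs in a scratch directory.

# Prints the number of arguments the callee received.
count_args() { echo "$#"; }

# Three ways of forwarding the same argument list.
forward_unquoted()    { count_args $*; }      # re-split on whitespace
forward_star_quoted() { count_args "$*"; }    # joined into one word
forward_at_quoted()   { count_args "$@"; }    # each argument kept intact

# Builds a wrapper with the same shape as the thread's /bin/mv (minus the
# logging), using the forwarding text given in $1 ('$*' or '"$@"'), then
# tries to rename a file whose name contains a space. Prints ok or fail.
try_wrapper() {
    dir=$(mktemp -d)
    real_mv=$(command -v mv)
    printf '#!/bin/sh\nexec %s %s\n' "$real_mv" "$1" > "$dir/mv"
    chmod +x "$dir/mv"
    : > "$dir/my file.txt"
    "$dir/mv" "$dir/my file.txt" "$dir/renamed.txt" 2>/dev/null || true
    if [ -e "$dir/renamed.txt" ]; then echo ok; else echo fail; fi
    rm -rf "$dir"
}

# Stand-alone run with the argument list from jschiwal's post.
forward_unquoted    a b 'c d' 'e f g'   # 7
forward_star_quoted a b 'c d' 'e f g'   # 1
forward_at_quoted   a b 'c d' 'e f g'   # 4
try_wrapper '$*'     # fail: the wrapper hands mv three path fragments
try_wrapper '"$@"'   # ok
```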