LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   suspicious a.out file in home directory (http://www.linuxquestions.org/questions/slackware-14/suspicious-a-out-file-in-home-directory-4175493269/)

dederon 01-31-2014 10:40 AM

suspicious a.out file in home directory
 
hi folks,

from time to time an a.out file appears in my home directory of my slackware64 14.1 box.The owner of this file is my user account. I feel unconfortable about it and want to ask if anyone knows whats going on here. You can find the gzipped file here:

http://laokoon.in-berlin.de/~heiko/a.out.gz

I checked my system with rkhunter - no errors. If you need more informations let me know.

regards,

heiko

moisespedro 01-31-2014 10:43 AM

It happened with me too, I had to remove it like twice and then it never came back again.

stormtracknole 01-31-2014 10:44 AM

Perhaps this would be of help?

http://en.wikipedia.org/wiki/A.out

Are you compiling software using your standard user account by any chance?

dederon 01-31-2014 10:55 AM

Thanks for the replies.

Quote:

Originally Posted by stormtracknole (Post 5108754)
Perhaps this would be of help?

http://en.wikipedia.org/wiki/A.out

Are you compiling software using your standard user account by any chance?

I know what an a.out file is. I just wonder how it got there. I do compile software with my standard user account, but I have a dedicated build directory. I did not compile anything when this file was created.

schneidz 01-31-2014 11:05 AM

this doesnt reveal much:
Code:

[schneidz@hyper ~]$ file a.out
a.out: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped
[schneidz@hyper ~]$ strings a.out
.symtab
.strtab
.shstrtab
.text
.data
.bss
[schneidz@hyper ~]$

has anyone run it on something like a live-usb ?

55020 01-31-2014 11:16 AM

It's about as empty as a correctly-formatted ELF file can be. All those sections are empty and define no symbols. It's only "suspicious" for small values of "suspicious" ;)
Code:

$ readelf -a a.out
ELF Header:
  Magic:  7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                            ELF64
  Data:                              2's complement, little endian
  Version:                          1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                      0
  Type:                              REL (Relocatable file)
  Machine:                          Advanced Micro Devices X86-64
  Version:                          0x1
  Entry point address:              0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          112 (bytes into file)
  Flags:                            0x0
  Size of this header:              64 (bytes)
  Size of program headers:          0 (bytes)
  Number of program headers:        0
  Size of section headers:          64 (bytes)
  Number of section headers:        7
  Section header string table index: 4

Section Headers:
  [Nr] Name              Type            Address          Offset
      Size              EntSize          Flags  Link  Info  Align
  [ 0]                  NULL            0000000000000000  00000000
      0000000000000000  0000000000000000          0    0    0
  [ 1] .text            PROGBITS        0000000000000000  00000040
      0000000000000000  0000000000000000  AX      0    0    4
  [ 2] .data            PROGBITS        0000000000000000  00000040
      0000000000000000  0000000000000000  WA      0    0    4
  [ 3] .bss              NOBITS          0000000000000000  00000040
      0000000000000000  0000000000000000  WA      0    0    4
  [ 4] .shstrtab        STRTAB          0000000000000000  00000040
      000000000000002c  0000000000000000          0    0    1
  [ 5] .symtab          SYMTAB          0000000000000000  00000230
      0000000000000060  0000000000000018          6    4    8
  [ 6] .strtab          STRTAB          0000000000000000  00000290
      0000000000000001  0000000000000000          0    0    1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), l (large)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.

There are no program headers in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported.

Symbol table '.symtab' contains 4 entries:
  Num:    Value          Size Type    Bind  Vis      Ndx Name
    0: 0000000000000000    0 NOTYPE  LOCAL  DEFAULT  UND
    1: 0000000000000000    0 SECTION LOCAL  DEFAULT    1
    2: 0000000000000000    0 SECTION LOCAL  DEFAULT    2
    3: 0000000000000000    0 SECTION LOCAL  DEFAULT    3

No version information found in this file.
$

Perhaps some makefile you're running is a bit broken, or maybe you have a bash alias or script that runs some 'cc' or 'ld' command that is being run accidentally?

stormtracknole 01-31-2014 11:33 AM

Quote:

Originally Posted by dederon (Post 5108763)
Thanks for the replies.



I know what an a.out file is. I just wonder how it got there. I do compile software with my standard user account, but I have a dedicated build directory. I did not compile anything when this file was created.

I've seen this happen to me before from time to time, but I never figured out what caused it. I am curious to see if you get to the source of this.

Darth Vader 01-31-2014 11:53 AM

Quick analyzing this little program with a decompiler, I discovered that it do NOTHING.

A good aproximate of its source code is:

Code:

int main() {
  return 0;
}

That glorious in-utility make me to believe that it is just some remain of a past compilation. More precise, I believe, somewhere, time ago, a configure script tried to see if gcc can create a a.out executable, then failed to properly clean its own dirty...

That's all guys, we can move along. :hattip:

dederon 02-01-2014 04:20 AM

thanks for all your help, i did even learn some things by reading your replies. great.

even though the program won't do any harm to my system i am still worried, as i don't know where this program comes from. i keep an eye on it. thank you.

dederon 02-02-2014 06:24 AM

ok, again a found an a.out file in my home directory. i set up a script to watch this directory and, if a.out pops up again, log some data and make some noise:
Code:

#!/bin/bash
echo "this program needs xterm!"
xset b on
while inotifywait -e create $HOME; do
        if ls $HOME/a.out > /dev/null; then
                date >> log
                echo "---------------" >> log
                /bin/netstat -atp >> log
                echo "---------------" >> log
                /usr/bin/ps axww >> log
                echo "---------------" >> log
                while true; do
                        echo -ne '\007'
                        /usr/bin/sleep 2
                done
        fi
done

any more ideas what i could do or what kind of system information i should add for logging?

stormtracknole 02-02-2014 09:20 AM

I shot in the dark here. What does:
Code:

lsof | grep -i a.out
shows?

---------- Post added 02-02-14 at 09:21 AM ----------

Perhaps incorporate that into your script to see if it can catch it in the act.

NoStressHQ 02-02-2014 10:24 AM

In the same idea as stormtracknole, a way to track this kind of things would be to write a gcc/g++ hook in bash, to log any call to the compiler...
This hook could even "break" or notify in real time whenever a "a.out" is being built (or a call without '-o' flag).

Cheers

Garry.

dederon 02-03-2014 08:16 AM

Quote:

Originally Posted by stormtracknole (Post 5109675)
IPerhaps incorporate that into your script to see if it can catch it in the act.

in the first version of my script i logged the output of
Code:

fuser $HOME/a.out
, but some tests revealed that it wouldn't print anything. it won't hurt, so i put the "lsof" line into my script.

stormtracknole 02-03-2014 08:28 AM

Quote:

Originally Posted by dederon (Post 5110340)
in the first version of my script i logged the output of
Code:

fuser $HOME/a.out
, but some tests revealed that it wouldn't print anything. it won't hurt, so i put the "lsof" line into my script.

Great! Keep us updated if you can.

brianL 02-03-2014 08:32 AM

Looks like something has been testing the compiler, like the test at the end of version-check.sh from LFS:
Code:

echo 'main(){}' > dummy.c && g++ -o dummy dummy.c
if [ -x dummy ]
  then echo "g++ compilation OK";
  else echo "g++ compilation failed"; fi
rm -f dummy.c dummy



All times are GMT -5. The time now is 03:02 PM.