Old 01-31-2014, 10:40 AM   #1
dederon
Member
 
Registered: Oct 2013
Posts: 31

suspicious a.out file in home directory


hi folks,

From time to time an a.out file appears in my home directory of my slackware64 14.1 box. The owner of this file is my user account. I feel uncomfortable about it and want to ask if anyone knows what's going on here. You can find the gzipped file here:

http://laokoon.in-berlin.de/~heiko/a.out.gz

I checked my system with rkhunter - no errors. If you need more information, let me know.

regards,

heiko
 
Old 01-31-2014, 10:43 AM   #2
moisespedro
Member
 
Registered: Nov 2013
Distribution: Slackware
Posts: 749

It happened with me too, I had to remove it like twice and then it never came back again.
 
Old 01-31-2014, 10:44 AM   #3
stormtracknole
Member
 
Registered: Aug 2005
Location: The Big Easy
Distribution: Slackware, RHEL
Posts: 808

Perhaps this would be of help?

http://en.wikipedia.org/wiki/A.out

Are you compiling software using your standard user account by any chance?
 
Old 01-31-2014, 10:55 AM   #4
dederon
Member
 
Registered: Oct 2013
Posts: 31

Original Poster
Thanks for the replies.

Quote:
Originally Posted by stormtracknole
Perhaps this would be of help?

http://en.wikipedia.org/wiki/A.out

Are you compiling software using your standard user account by any chance?
I know what an a.out file is. I just wonder how it got there. I do compile software with my standard user account, but I have a dedicated build directory. I did not compile anything when this file was created.
 
Old 01-31-2014, 11:05 AM   #5
schneidz
Senior Member
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-19-live-usb/ aix
Posts: 3,836

this doesn't reveal much:
Code:
[schneidz@hyper ~]$ file a.out 
a.out: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped
[schneidz@hyper ~]$ strings a.out 
.symtab
.strtab
.shstrtab
.text
.data
.bss
[schneidz@hyper ~]$
has anyone run it on something like a live-usb ?

Last edited by schneidz; 01-31-2014 at 11:09 AM.
 
Old 01-31-2014, 11:16 AM   #6
55020
Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 311
Blog Entries: 4

It's about as empty as a correctly-formatted ELF file can be. All those sections are empty and define no symbols. It's only "suspicious" for small values of "suspicious".
Code:
$ readelf -a a.out 
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          112 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           0 (bytes)
  Number of program headers:         0
  Size of section headers:           64 (bytes)
  Number of section headers:         7
  Section header string table index: 4

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] .text             PROGBITS         0000000000000000  00000040
       0000000000000000  0000000000000000  AX       0     0     4
  [ 2] .data             PROGBITS         0000000000000000  00000040
       0000000000000000  0000000000000000  WA       0     0     4
  [ 3] .bss              NOBITS           0000000000000000  00000040
       0000000000000000  0000000000000000  WA       0     0     4
  [ 4] .shstrtab         STRTAB           0000000000000000  00000040
       000000000000002c  0000000000000000           0     0     1
  [ 5] .symtab           SYMTAB           0000000000000000  00000230
       0000000000000060  0000000000000018           6     4     8
  [ 6] .strtab           STRTAB           0000000000000000  00000290
       0000000000000001  0000000000000000           0     0     1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), l (large)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.

There are no program headers in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported.

Symbol table '.symtab' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 
     2: 0000000000000000     0 SECTION LOCAL  DEFAULT    2 
     3: 0000000000000000     0 SECTION LOCAL  DEFAULT    3 

No version information found in this file.
$
Perhaps some makefile you're running is a bit broken, or maybe you have a bash alias or script that runs some 'cc' or 'ld' command that is being run accidentally?
 
Old 01-31-2014, 11:33 AM   #7
stormtracknole
Member
 
Registered: Aug 2005
Location: The Big Easy
Distribution: Slackware, RHEL
Posts: 808

Quote:
Originally Posted by dederon
Thanks for the replies.

I know what an a.out file is. I just wonder how it got there. I do compile software with my standard user account, but I have a dedicated build directory. I did not compile anything when this file was created.
I've seen this happen to me before from time to time, but I never figured out what caused it. I am curious to see if you get to the source of this.
 
Old 01-31-2014, 11:53 AM   #8
Darth Vader
Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 593

Quickly analyzing this little program with a decompiler, I discovered that it does NOTHING.

A good approximation of its source code is:

Code:
int main() {
  return 0;
}
That glorious in-utility makes me believe that it is just some remain of a past compilation. More precisely, I believe, somewhere, some time ago, a configure script tried to see if gcc can create an a.out executable, then failed to properly clean up its own dirt...

That's all guys, we can move along.

Last edited by Darth Vader; 01-31-2014 at 11:59 AM.
 
Old 02-01-2014, 04:20 AM   #9
dederon
Member
 
Registered: Oct 2013
Posts: 31

Original Poster
Thanks for all your help, I did even learn some things by reading your replies. Great.

Even though the program won't do any harm to my system I am still worried, as I don't know where this program comes from. I'll keep an eye on it. Thank you.
 
Old 02-02-2014, 06:24 AM   #10
dederon
Member
 
Registered: Oct 2013
Posts: 31

Original Poster
OK, again I found an a.out file in my home directory. I set up a script to watch this directory and, if a.out pops up again, log some data and make some noise:
Code:
#!/bin/bash
# Watch $HOME for newly created files; when a.out shows up, snapshot the
# network connections and process list into ./log, then ring the bell.
echo "this program needs xterm!"
xset b on                                      # enable the terminal bell
while inotifywait -e create "$HOME"; do
        if ls "$HOME/a.out" > /dev/null 2>&1; then
                date >> log
                echo "---------------" >> log
                /bin/netstat -atp >> log       # TCP sockets with owning processes
                echo "---------------" >> log
                /usr/bin/ps axww >> log        # full process list, unwrapped
                echo "---------------" >> log
                while true; do                 # beep until the script is killed
                        echo -ne '\007'
                        /usr/bin/sleep 2
                done
        fi
done
Any more ideas what I could do or what kind of system information I should add for logging?

Last edited by dederon; 02-02-2014 at 06:25 AM.
 
Old 02-02-2014, 09:20 AM   #11
stormtracknole
Member
 
Registered: Aug 2005
Location: The Big Easy
Distribution: Slackware, RHEL
Posts: 808

A shot in the dark here. What does:
Code:
lsof | grep -i a.out
show?

---------- Post added 02-02-14 at 09:21 AM ----------

Perhaps incorporate that into your script to see if it can catch it in the act.
 
Old 02-02-2014, 10:24 AM   #12
NoStressHQ
Member
 
Registered: Apr 2010
Location: Lausanne - Switzerland ( Bordeaux - France / Montreal - QC - Canada)
Distribution: Slackware Leet - 32/64bit
Posts: 271

In the same idea as stormtracknole, a way to track this kind of thing would be to write a gcc/g++ hook in bash, to log any call to the compiler...
This hook could even "break" or notify in real time whenever a "a.out" is being built (or a call without '-o' flag).

Cheers

Garry.
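Following Garry's suggestion, here is an added example (not code from the thread) of such a bash compiler hook: installed under the compiler's name ahead of the real one in PATH, it records each invocation with its working directory and the parent process that launched it, tags calls that would leave an a.out behind, and then hands over to the real compiler. The log path, the directory of the real compilers, and the wrapper names are assumptions.

```shell
#!/bin/bash
# Hypothetical compiler hook (added example, not from the thread). Install as
# ~/bin/gcc and ~/bin/g++ with ~/bin first in PATH: every invocation is logged
# with its working directory and the parent process that launched it, calls
# that would produce a.out are tagged, then control passes to the real compiler.
CC_HOOK_LOG="${CC_HOOK_LOG:-$HOME/cc-hook.log}"   # assumption: where records go
REAL_CC_DIR="${REAL_CC_DIR:-/usr/bin}"             # assumption: real compilers live here,
                                                   # never the directory holding this hook

# 0 when the argument list names an output file (-o foo or -ofoo), 1 otherwise.
has_output_flag() {
    for a in "$@"; do
        case "$a" in -o|-o?*) return 0 ;; esac
    done
    return 1
}

# 0 when the compiler would link an executable, 1 when -c/-S/-E stops it earlier.
links_executable() {
    for a in "$@"; do
        case "$a" in -c|-S|-E) return 1 ;; esac
    done
    return 0
}

# Print one record: timestamp, cwd, parent pid and command line, arguments, and
# a tag when the call would drop an a.out (linking with no -o).
format_record() {   # usage: format_record <parent pid> <cwd> <compiler args...>
    local ppid=$1 cwd=$2 parent tag=""
    shift 2
    parent=$(tr '\0' ' ' 2>/dev/null < "/proc/$ppid/cmdline" || echo '?')
    if links_executable "$@" && ! has_output_flag "$@"; then
        tag=" [WOULD PRODUCE a.out]"
    fi
    printf '%s cwd=%s parent[%s]=%s args=%s%s\n' \
        "$(date '+%F %T')" "$cwd" "$ppid" "$parent" "$*" "$tag"
}

# Act as a wrapper only when invoked under a compiler's name (nothing happens
# when the file is run directly under its own name).
case "${0##*/}" in
    gcc|g++|cc|c++)
        format_record "$PPID" "$PWD" "$@" >> "$CC_HOOK_LOG"
        exec "$REAL_CC_DIR/${0##*/}" "$@"
        ;;
esac
```

Once an a.out appears, the tagged record in the log names the working directory and the makefile, configure script or shell that ran the compiler without -o.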
 
Old 02-03-2014, 08:16 AM   #13
dederon
Member
 
Registered: Oct 2013
Posts: 31

Original Poster
Quote:
Originally Posted by stormtracknole
Perhaps incorporate that into your script to see if it can catch it in the act.
In the first version of my script I logged the output of
Code:
fuser $HOME/a.out
, but some tests revealed that it wouldn't print anything. It won't hurt, so I put the "lsof" line into my script.
 
Old 02-03-2014, 08:28 AM   #14
stormtracknole
Member
 
Registered: Aug 2005
Location: The Big Easy
Distribution: Slackware, RHEL
Posts: 808

Quote:
Originally Posted by dederon
In the first version of my script I logged the output of
Code:
fuser $HOME/a.out
, but some tests revealed that it wouldn't print anything. It won't hurt, so I put the "lsof" line into my script.
Great! Keep us updated if you can.
 
Old 02-03-2014, 08:32 AM   #15
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 6,895
Blog Entries: 51

Looks like something has been testing the compiler, like the test at the end of version-check.sh from LFS:
Code:
echo 'main(){}' > dummy.c && g++ -o dummy dummy.c
if [ -x dummy ]
  then echo "g++ compilation OK";
  else echo "g++ compilation failed"; fi
rm -f dummy.c dummy
 