Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place! |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
11-14-2007, 02:48 AM
|
#16
|
LQ Guru
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509
|
Code:
rpm -qV coreutils
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/mv
S.5....T /bin/rm
This tells that the above files have been modified after the installation of coreutils. More in detail the size, checksum and modification time are changed. Most likely you will have some other strange file in the /bin directory, like rm.orig or chgrp.orig. You can check for this.
Code:
/bin/mv: ASCII text
From the above the first thing you can do is to see the content of the file, and look for any comment line which can give you information about the origin of this file. And maybe post the content, since all of us in this thread are curious at this point!
A question arise now: are you the unique administrator of this machine? Is it you who performed the installation of the operating system? You see... I doubt that these files
Code:
/bin/mv
/bin/mv.2
/bin/mv.orig
have been created with a maliciuos intent, since there is apparently no attempt to hide them. I wonder if some other administrator has intentionally suited things for his needs. Cheers!
|
|
|
11-14-2007, 03:19 AM
|
#17
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Quote:
You see... I doubt that these files
Code:
/bin/mv
/bin/mv.2
/bin/mv.orig
have been created with a maliciuos intent, since there is apparently no attempt to hide them. I wonder if some other administrator has intentionally suited things for his needs. Cheers!
|
Or a devious method of concealing in plain sight by making it seem unlikely that it was a hacker. In other words not trying to hide it at all may be a good way to hide it!
Maybe a hacker who is a fan of the movie "Airplane". Why not make copies of the original files, in place. "That would be the last thing they'd expect."
Maybe I am just not a trusting kind of person to be so suspicious.
Last edited by jschiwal; 11-14-2007 at 03:20 AM.
|
|
|
11-14-2007, 06:24 AM
|
#18
|
Member
Registered: Oct 2003
Posts: 354
Original Poster
Rep:
|
Thanks colucix,
I am always happy to learn from you experienced guys to determine the root cause of this issue.
I am the current admin of this machine, but it is not me who installed the system before. It is a new machine which is transferred to me.
Here is the content of /bin/mv, please feel free to let me know if you need more information to determine the root cause of why mv with filename containing space character is not working.
If you find the root cause, please also share with us here. :-)
more /bin/mv
echo "============================================================" >> /var/log/sysmon/sys.log
date >> /var/log/sysmon/sys.log
echo "user: $USER" >> /var/log/sysmon/sys.log
echo "Command: $PWD/mv $*" >> /var/log/sysmon/sys.log
echo "PID: $$" >> /var/log/sysmon/sys.log
echo >> /var/log/sysmon/sys.log
ps -f -p $$ >> /var/log/sysmon/sys.log
mv.orig $*
echo >> /var/log/sysmon/sys.log
Quote:
Originally Posted by colucix
Code:
rpm -qV coreutils
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/mv
S.5....T /bin/rm
This tells that the above files have been modified after the installation of coreutils. More in detail the size, checksum and modification time are changed. Most likely you will have some other strange file in the /bin directory, like rm.orig or chgrp.orig. You can check for this.
Code:
/bin/mv: ASCII text
From the above the first thing you can do is to see the content of the file, and look for any comment line which can give you information about the origin of this file. And maybe post the content, since all of us in this thread are curious at this point!
A question arise now: are you the unique administrator of this machine? Is it you who performed the installation of the operating system? You see... I doubt that these files
Code:
/bin/mv
/bin/mv.2
/bin/mv.orig
have been created with a maliciuos intent, since there is apparently no attempt to hide them. I wonder if some other administrator has intentionally suited things for his needs. Cheers!
|
regards,
George
|
|
|
11-14-2007, 06:27 AM
|
#19
|
Member
Registered: Oct 2003
Posts: 354
Original Poster
Rep:
|
Hi jschiwal,
Good imagination of the intent of the file and how hacker thinks -- seems you were hacker before? :-)
It is appreciated if you could provide some ideas of how to determine the root cause of this issue, why mv is not working with file name with space character.
Quote:
Originally Posted by jschiwal
Or a devious method of concealing in plain sight by making it seem unlikely that it was a hacker. In other words not trying to hide it at all may be a good way to hide it!
Maybe a hacker who is a fan of the movie "Airplane". Why not make copies of the original files, in place. "That would be the last thing they'd expect."
Maybe I am just not a trusting kind of person to be so suspicious.
|
regards,
George
|
|
|
11-14-2007, 07:53 AM
|
#20
|
LQ Guru
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509
|
Ok. It looks like a monitor facility to trace the usage of basic linux commands. You can check if the file /var/log/sysmon/sys.log is in place. Maybe its size is huge, unless it is rotated together with the system logs. If you look the content of this log file, you will find something like
Code:
============================================================
Wed Nov 14 14:35:13 CET 2007
user: colucix
Command: /home/colucix/pluto/test/mv pippo pluto paperino
PID: 21440
UID PID PPID C STIME TTY TIME CMD
colucix 21440 21290 0 14:35 pts/4 00:00:00 bash -x script.sh pippo pluto paperino
This will tell you who and when is moving what. I don't know if it comes with a package or if it was installed by hand. I am for the second hypothesis.
If you decide to keep things are they are, you can edit the file /bin/mv and change the line
into
this will take care of the filenames containing blank spaces. You can see the bash manual page under the section "positional parameters" or the Advanced Bash Scripting Guide, section 9.1 for a detailed explanation.
You also can check the other commands that have been changed from the original installation of coreutils:
Code:
rpm -qV coreutils
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/mv
S.5....T /bin/rm
At this point the mystery is almost solved!
Last edited by colucix; 11-14-2007 at 07:59 AM.
|
|
|
11-14-2007, 07:58 AM
|
#21
|
LQ Guru
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509
|
Quote:
Originally Posted by jschiwal
Maybe a hacker who is a fan of the movie "Airplane". Why not make copies of the original files, in place. "That would be the last thing they'd expect."
|
jschiwal, you are definitively right!
|
|
|
11-14-2007, 08:39 AM
|
#22
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
Code:
more /bin/mv
echo "============================================================" >> /var/log/sysmon/sys.log
date >> /var/log/sysmon/sys.log
echo "user: $USER" >> /var/log/sysmon/sys.log
echo "Command: $PWD/mv $*" >> /var/log/sysmon/sys.log
echo "PID: $$" >> /var/log/sysmon/sys.log
echo >> /var/log/sysmon/sys.log
ps -f -p $$ >> /var/log/sysmon/sys.log
mv.orig $*
echo >> /var/log/sysmon/sys.log
Okay
Every mv you do, it will append stuffs in /var/log/sysmon/sys.log, which means that any user has to have write access to this file
That's what I often do to track which process is playing with my wireless, replace iwconfig, ifconfig binaries by shells.
But "patching" mv is a bit overkill. I would remove mv and rename mv.orig to mv.
And then, how many other tools have been patched this way..
Now for the important part, can you check this:
Code:
ls -la /var/log/sysmon/sys.log
ls -lad /var/log/sysmon
Depending on the results, your box can be fully 0wned with 2 simple commands.
|
|
|
11-14-2007, 12:12 PM
|
#23
|
LQ Newbie
Registered: Jun 2006
Location: Austria
Distribution: RHEL AS 4
Posts: 26
Rep:
|
<removed due to redundancy>
Last edited by otheus; 11-14-2007 at 12:15 PM.
|
|
|
11-14-2007, 03:12 PM
|
#24
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Yes, the script logs information about every mv command. That would make it easier reverse mistakes.
I ran a test program to test whether this was right:
Code:
cat >test
echo "$@"
echo "$1" "$2"
./showargs "$*"
./showargs "$@"
[jschiwal@delllap ~]$ cat >showargs
echo ":$1:$2:$3:$4:"
[jschiwal@delllap ~]$ chmod +x test showargs
[jschiwal@delllap ~]$ ./test abc d\ e fgh
abc d e fgh
abc d e
:abc d e fgh::::
:abc:d e:fgh::
I was afraid embedded whitespace might cause a problem but I was wrong. Passing "$@" will work.
And, no, I was never a hacker. I just read on what to look out for. Recompiling basic commands on the system is one thing in their bag of tricks.
|
|
|
11-14-2007, 10:55 PM
|
#25
|
Member
Registered: Oct 2003
Posts: 354
Original Poster
Rep:
|
Thanks colucix,
I have read the book you mentioned,
Here is the related description, and I have also tried that your solution works. But I am still confused what is the differences between $* and $@ after reading the book.
For $*, the book says, seen as a single word, and for $@ the book says each parameter is a quoted string, that is, the parameters are passed on intact. Looks like $* and $@ are the same, right?
--------------------
$*
All of the positional parameters, seen as a single word
$@
Same as $*, but each parameter is a quoted string, that is, the parameters are passed on intact, without interpretation or expansion. This means, among other things, that each parameter in the argument list is seen as a separate word.
--------------------
Quote:
Originally Posted by colucix
Ok. It looks like a monitor facility to trace the usage of basic linux commands. You can check if the file /var/log/sysmon/sys.log is in place. Maybe its size is huge, unless it is rotated together with the system logs. If you look the content of this log file, you will find something like
Code:
============================================================
Wed Nov 14 14:35:13 CET 2007
user: colucix
Command: /home/colucix/pluto/test/mv pippo pluto paperino
PID: 21440
UID PID PPID C STIME TTY TIME CMD
colucix 21440 21290 0 14:35 pts/4 00:00:00 bash -x script.sh pippo pluto paperino
This will tell you who and when is moving what. I don't know if it comes with a package or if it was installed by hand. I am for the second hypothesis.
If you decide to keep things are they are, you can edit the file /bin/mv and change the line
into
this will take care of the filenames containing blank spaces. You can see the bash manual page under the section "positional parameters" or the Advanced Bash Scripting Guide, section 9.1 for a detailed explanation.
You also can check the other commands that have been changed from the original installation of coreutils:
Code:
rpm -qV coreutils
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/mv
S.5....T /bin/rm
At this point the mystery is almost solved!
|
regards,
George
|
|
|
11-14-2007, 10:58 PM
|
#26
|
Member
Registered: Oct 2003
Posts: 354
Original Poster
Rep:
|
Thanks jschiwal,
I have tried $@ works. But after reading the advanced Bash-Scripting guide section 9.1, I am still confused. What is the differences between $@ and $* (after reading the book, I can not tell the exact differences)? Could you see my post in #25 and comment please?
Quote:
Originally Posted by jschiwal
Yes, the script logs information about every mv command. That would make it easier reverse mistakes.
I ran a test program to test whether this was right:
Code:
cat >test
echo "$@"
echo "$1" "$2"
./showargs "$*"
./showargs "$@"
[jschiwal@delllap ~]$ cat >showargs
echo ":$1:$2:$3:$4:"
[jschiwal@delllap ~]$ chmod +x test showargs
[jschiwal@delllap ~]$ ./test abc d\ e fgh
abc d e fgh
abc d e
:abc d e fgh::::
:abc:d e:fgh::
I was afraid embedded whitespace might cause a problem but I was wrong. Passing "$@" will work.
And, no, I was never a hacker. I just read on what to look out for. Recompiling basic commands on the system is one thing in their bag of tricks.
|
regards,
George
|
|
|
11-17-2007, 09:41 PM
|
#27
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Suppose you have the arguments: a b "c d" "d e f".
"$@" will have 4 arguments: a, b, c d, d e f
$* will split them up into 7 separate arguments, while "$*" will join them into one argument with 7 letters and 6 spaces.
I'll use the "set" command to demonstrate. Enter "set <arguments>" will set the current shell arguments, so you can test things out interactively instead of having to write a script and calling it.
Code:
jschiwal@hpamd64:~> set a b 'c d' 'e f g'
jschiwal@hpamd64:~> echo "$@"
a b c d e f g
jschiwal@hpamd64:~> echo $1
a
jschiwal@hpamd64:~> echo $2
b
jschiwal@hpamd64:~> echo $3
c d
jschiwal@hpamd64:~> echo $4
e f g
jschiwal@hpamd64:~> set "$@"
jschiwal@hpamd64:~> echo $1
a
jschiwal@hpamd64:~> echo $2
b
jschiwal@hpamd64:~> echo $3
c d
jschiwal@hpamd64:~> echo $4
e f g
jschiwal@hpamd64:~> echo "$@"
a b c d e f g
jschiwal@hpamd64:~> set "$*"
jschiwal@hpamd64:~> echo $1
a b c d e f g
jschiwal@hpamd64:~> set a b 'c d' 'e f g'
jschiwal@hpamd64:~> set $*
jschiwal@hpamd64:~> echo $1
a
jschiwal@hpamd64:~> echo $2
b
jschiwal@hpamd64:~> echo $3
c
jschiwal@hpamd64:~> echo $4
d
jschiwal@hpamd64:~> set a b 'c d' 'e f g'
jschiwal@hpamd64:~> set "$*"
jschiwal@hpamd64:~> echo $1
a b c d e f g
|
|
|
All times are GMT -5. The time now is 10:52 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|