LinuxQuestions.org - suspicious a.out file in home directory

- Slackware (https://www.linuxquestions.org/questions/slackware-14/)

- - suspicious a.out file in home directory (https://www.linuxquestions.org/questions/slackware-14/suspicious-a-out-file-in-home-directory-4175493269/)

suspicious a.out file in home directory

hi folks,

from time to time an a.out file appears in my home directory of my slackware64 14.1 box.The owner of this file is my user account. I feel unconfortable about it and want to ask if anyone knows whats going on here. You can find the gzipped file here:

http://laokoon.in-berlin.de/~heiko/a.out.gz

I checked my system with rkhunter - no errors. If you need more informations let me know.

regards,

heiko

It happened with me too, I had to remove it like twice and then it never came back again.

Perhaps this would be of help?

http://en.wikipedia.org/wiki/A.out

Are you compiling software using your standard user account by any chance?

Thanks for the replies.

Quote:

Originally Posted by stormtracknole (Post 5108754)

Perhaps this would be of help?

http://en.wikipedia.org/wiki/A.out

Are you compiling software using your standard user account by any chance?

I know what an a.out file is. I just wonder how it got there. I do compile software with my standard user account, but I have a dedicated build directory. I did not compile anything when this file was created.

this doesnt reveal much:

Code:

[schneidz@hyper ~]$ file a.out 

a.out: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped

[schneidz@hyper ~]$ strings a.out 

.symtab

.strtab

.shstrtab

.text

.data

.bss

[schneidz@hyper ~]$

has anyone run it on something like a live-usb ?

It's about as empty as a correctly-formatted ELF file can be. All those sections are empty and define no symbols. It's only "suspicious" for small values of "suspicious" ;)

Code:

$ readelf -a a.out 

ELF Header:

  Magic:  7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 

  Class:                            ELF64

  Data:                              2's complement, little endian

  Version:                          1 (current)

  OS/ABI:                            UNIX - System V

  ABI Version:                      0

  Type:                              REL (Relocatable file)

  Machine:                          Advanced Micro Devices X86-64

  Version:                          0x1

  Entry point address:              0x0

  Start of program headers:          0 (bytes into file)

  Start of section headers:          112 (bytes into file)

  Flags:                            0x0

  Size of this header:              64 (bytes)

  Size of program headers:          0 (bytes)

  Number of program headers:        0

  Size of section headers:          64 (bytes)

  Number of section headers:        7

  Section header string table index: 4



Section Headers:

  [Nr] Name              Type            Address          Offset

      Size              EntSize          Flags  Link  Info  Align

  [ 0]                  NULL            0000000000000000  00000000

      0000000000000000  0000000000000000          0    0    0

  [ 1] .text            PROGBITS        0000000000000000  00000040

      0000000000000000  0000000000000000  AX      0    0    4

  [ 2] .data            PROGBITS        0000000000000000  00000040

      0000000000000000  0000000000000000  WA      0    0    4

  [ 3] .bss              NOBITS          0000000000000000  00000040

      0000000000000000  0000000000000000  WA      0    0    4

  [ 4] .shstrtab        STRTAB          0000000000000000  00000040

      000000000000002c  0000000000000000          0    0    1

  [ 5] .symtab          SYMTAB          0000000000000000  00000230

      0000000000000060  0000000000000018          6    4    8

  [ 6] .strtab          STRTAB          0000000000000000  00000290

      0000000000000001  0000000000000000          0    0    1

Key to Flags:

  W (write), A (alloc), X (execute), M (merge), S (strings), l (large)

  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)

  O (extra OS processing required) o (OS specific), p (processor specific)



There are no section groups in this file.



There are no program headers in this file.



There are no relocations in this file.



The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported.



Symbol table '.symtab' contains 4 entries:

  Num:    Value          Size Type    Bind  Vis      Ndx Name

    0: 0000000000000000    0 NOTYPE  LOCAL  DEFAULT  UND 

    1: 0000000000000000    0 SECTION LOCAL  DEFAULT    1 

    2: 0000000000000000    0 SECTION LOCAL  DEFAULT    2 

    3: 0000000000000000    0 SECTION LOCAL  DEFAULT    3 



No version information found in this file.

$

Perhaps some makefile you're running is a bit broken, or maybe you have a bash alias or script that runs some 'cc' or 'ld' command that is being run accidentally?

Quote:

Originally Posted by dederon (Post 5108763)

Thanks for the replies.

I know what an a.out file is. I just wonder how it got there. I do compile software with my standard user account, but I have a dedicated build directory. I did not compile anything when this file was created.

I've seen this happen to me before from time to time, but I never figured out what caused it. I am curious to see if you get to the source of this.

Quick analyzing this little program with a decompiler, I discovered that it do NOTHING.

A good aproximate of its source code is:

Code:

int main() {

  return 0;

}

That glorious in-utility make me to believe that it is just some remain of a past compilation. More precise, I believe, somewhere, time ago, a configure script tried to see if gcc can create a a.out executable, then failed to properly clean its own dirty...

That's all guys, we can move along. :hattip:

thanks for all your help, i did even learn some things by reading your replies. great.

even though the program won't do any harm to my system i am still worried, as i don't know where this program comes from. i keep an eye on it. thank you.

ok, again a found an a.out file in my home directory. i set up a script to watch this directory and, if a.out pops up again, log some data and make some noise:

Code:

#!/bin/bash

echo "this program needs xterm!"

xset b on

while inotifywait -e create $HOME; do

        if ls $HOME/a.out > /dev/null; then

                date >> log

                echo "---------------" >> log

                /bin/netstat -atp >> log

                echo "---------------" >> log

                /usr/bin/ps axww >> log

                echo "---------------" >> log

                while true; do

                        echo -ne '\007'

                        /usr/bin/sleep 2

                done

        fi

done

any more ideas what i could do or what kind of system information i should add for logging?

I shot in the dark here. What does:

Code:

lsof | grep -i a.out

shows?

---------- Post added 02-02-14 at 09:21 AM ----------

Perhaps incorporate that into your script to see if it can catch it in the act.

In the same idea as stormtracknole, a way to track this kind of things would be to write a gcc/g++ hook in bash, to log any call to the compiler...
This hook could even "break" or notify in real time whenever a "a.out" is being built (or a call without '-o' flag).

Cheers

Garry.

Quote:

Originally Posted by stormtracknole (Post 5109675)

IPerhaps incorporate that into your script to see if it can catch it in the act.

in the first version of my script i logged the output of

Code:

fuser $HOME/a.out

, but some tests revealed that it wouldn't print anything. it won't hurt, so i put the "lsof" line into my script.

Quote:

Originally Posted by dederon (Post 5110340)

in the first version of my script i logged the output of

Code:

fuser $HOME/a.out

, but some tests revealed that it wouldn't print anything. it won't hurt, so i put the "lsof" line into my script.

Great! Keep us updated if you can.

Looks like something has been testing the compiler, like the test at the end of version-check.sh from LFS:

Code:

echo 'main(){}' > dummy.c && g++ -o dummy dummy.c

if [ -x dummy ]

  then echo "g++ compilation OK";

  else echo "g++ compilation failed"; fi

rm -f dummy.c dummy