Not sure what precisely those strings are from, but I can tell you right now what they ARE (along with the "lists of commands") after looking at /bin/ps.
That's the function table for the binary. The "@" sign you're seeing is actually represented as "^@" (one character, not two) - it's a null character (invisible to the naked eye in ASCII if it wasn't represented somehow. ^@ is the common way to do it). In most programming languages, a null character is used to mark the end of a string. In this case, the end of a function name.

Having a readable representation of the function table is important for debugging (among other things). It means instead of having a backtrace that says "Function 0x08c4ffff returned 3" you can see "atoi returned 3".

> -----Original Message-----
> From: ubuntu-devel-discuss-boun...@lists.ubuntu.com
> [mailto:ubuntu-devel-discuss-boun...@lists.ubuntu.com] On Behalf Of
> whereislibertyandjust...@safe-mail.net
> Sent: Wednesday, December 16, 2009 5:41 PM
> To: ubuntu-devel-discuss@lists.ubuntu.com
> Subject: gmonstart / jvregisterclasses in tons of binaries with
> commands,malware?
>
> In linux binaries, in any linux distro, I've discovered the same strings
> which I believe may be due to a virus or trojan.
>
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
>
> Whether I run 'strings' on the binary files or view with vim or gedit,
> here is what is always seen inside the binaries:
>
> __gmon_start__
> _Jv_RegisterClasses
>
> Followed by commands which differ within each binary.
>
> If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
> include the above two strings followed by commands, after I run an update
> the updated binaries suddenly contain the above two strings and other,
> what I believe to be, rogue strings. I've avoided the possible infection
> with an OpenBSD install, yet all the Linux installations and burned ISOs
> contain binaries with the above two strings followed by commands.
>
> Search using find within your bin and sbin directories for those two
> strings and see how many positives you find. Now use a text editor like
> vi or gedit and search through the gibberish, locate these strings and
> isolate the commands, if any, which follow them. Searching for gmonstart,
> gmon, registerclasses, jv, etc. variations of works. If you find results
> in your binaries, please copy/paste the commands following the gmonstart
> and jvregisterclasses strings so I may compare them to mine.
>
> I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
> different physical locations and found some CDs contained these strings
> in the binaries and one or two rare ones did not, but when
> installed/updated on a network connection the binaries replaced in the
> update process would show these strings!! These strings are not alone by
> themselves in the binaries they follow with commands with a @ mark before
> each command.
>
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this
> knowledge comes as a surprise to them, too, when they search their
> binaries and find the same strings. I'm amazed by how quickly some rush
> to judgement and call you a paranoid for being curious about the files on
> your system. The strings may/may not be common, but in comparing commands
> which follow these strings I've noticed some which seem downright
> malicious!
>
> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
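
Added example, not part of the original thread: a minimal Python reader for the dynamic symbol table of a 64-bit little-endian ELF file, showing that strings such as `__gmon_start__` and `_Jv_RegisterClasses` are NUL-terminated symbol names rather than commands. The function names `dynamic_symbols` and `build_sample` are hypothetical, and the sample file (including its symbol bindings) is constructed for the demonstration.

```python
import struct

SHT_STRTAB, SHT_DYNSYM = 3, 11            # ELF section types
BINDINGS = {0: "LOCAL", 1: "GLOBAL", 2: "WEAK"}

def dynamic_symbols(elf: bytes):
    """Return (name, binding, defined) for each named .dynsym entry."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF")
    shoff, = struct.unpack_from("<Q", elf, 0x28)            # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)  # e_shentsize, e_shnum
    # Fields: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
                for i in range(shnum)]
    out = []
    for sec in sections:
        if sec[1] != SHT_DYNSYM:
            continue
        str_off = sections[sec[6]][4]      # sh_link points at the string table
        for pos in range(sec[4], sec[4] + sec[5], 24):       # 24-byte Elf64_Sym
            st_name, st_info, _, st_shndx = struct.unpack_from("<IBBH", elf, pos)
            start = str_off + st_name
            end = elf.index(b"\x00", start)  # names end at a NUL byte ("^@")
            name = elf[start:end].decode("ascii", "replace")
            if name:
                out.append((name, BINDINGS.get(st_info >> 4, "OTHER"), st_shndx != 0))
    return out

def build_sample() -> bytes:
    """Constructed minimal ELF: header, string table, symbol table, 3 section headers."""
    strtab = b"\x00__gmon_start__\x00_Jv_RegisterClasses\x00atoi\x00"
    def sym(name: bytes, bind: int) -> bytes:   # st_shndx 0 = undefined (imported)
        return struct.pack("<IBBHQQ", strtab.index(name) if name else 0, bind << 4, 0, 0, 0, 0)
    symtab = sym(b"", 0) + sym(b"__gmon", 2) + sym(b"_Jv_", 2) + sym(b"atoi", 1)
    str_off = 64
    sym_off = str_off + len(strtab)
    shoff = sym_off + len(symtab)
    def shdr(typ: int, off: int, size: int, link: int = 0) -> bytes:
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 0, 0)
    shdrs = (shdr(0, 0, 0) + shdr(SHT_STRTAB, str_off, len(strtab))
             + shdr(SHT_DYNSYM, sym_off, len(symtab), link=1))
    header = (b"\x7fELF\x02\x01\x01" + bytes(9)
              + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0))
    return header + strtab + symtab + shdrs

if __name__ == "__main__":
    for name, binding, defined in dynamic_symbols(build_sample()):
        print(f"{name:22} {binding:6} {'defined' if defined else 'undefined'}")
```

To compare against a real binary, pass its bytes to `dynamic_symbols()`, for example `dynamic_symbols(open("/bin/ps", "rb").read())`.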