oe-chipsec.lists.linux.dev archive mirror
* searching biosrootkit
@ 2019-12-26 12:21 Bios Rootkit
From: Bios Rootkit @ 2019-12-26 12:21 UTC (permalink / raw)
  To: chipsec


Hi,
I suspect I have a rootkit around, but I don't know where. I tried to dump my UEFI installation and extracted some strings.
This is what I found:
<30>[   31.343046] systemd[1]: Set hostname to <amnesia>.
<30>[   31.346636] systemd[1]: Initializing machine ID from random generator.
<29>[   32.879891] systemd[1]: /lib/systemd/system/tor@default.service:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/tor/tor.pid 
<28>[   32.910650] systemd[1]: /lib/systemd/system/tails-gdm-failed-to-start.service:11: Ignoring unknown escape sequences: "MAX_LENGTH=254 ;       PREFIX="Error starting GDM with your graphics card: " ;       SUFFIX=". Please take note of this error and visit https://tails.boum.org/gdm for troubleshooting." ;       MAX_VIDEO_CARD_LENGTH=$(($MAX_LENGTH - $(echo -n "$PREFIX$SUFFIX" | wc -c))) ;       VIDEO_CARD=$(lspci -d::0300 -nn | sed -E "s,.* VGA compatible controller \[0300\]: *,," | cut -c "1-$MAX_VIDEO_CARD_LENGTH") ;       /bin/plymouth display-message --text="$PREFIX$VIDEO_CARD$SUFFIX"      "
<30>[   30.848308] systemd[1]: Inserted module 'autofs4'
<30>[   31.262810] systemd[1]: systemd 240 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
<30>[   31.282862] systemd[1]: Detected architecture x86-64.
<30>[   31.355048] systemd[1]: Set hostname to <amnesia>.
<30>[   31.356024] systemd[1]: Initializing machine ID from random generator.
<29>[   32.853978] systemd[1]: /lib/systemd/system/tor@default.service:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/tor/tor.pid 

Is it normal to find systemd logs in a UEFI image dump?
I have used Tails 3 or 4 times, so it could be that UEFI took the systemd logs, I don't know.
I have also found strings like the following:
ASCII: %Microsoft Windows Production PCA 20110
ASCII: Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
ASCII: >http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
ASCII: Canonical Ltd.1402
ASCII: +Canonical Ltd. Master Certificate Authority0

but these would be parts of the certificates because of Secure Boot.
I also tried to check the image against the chipsec blacklist module; it gave me a looping error about lack of RAM. It was something like "can't allocate ram" or something like that.
Do I have to open a bug?
Thank you very much for your help.
Bios
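The log lines quoted above are in /dev/kmsg format (the `<30>`/`<29>` prefix is the syslog facility/priority of a kernel-ring-buffer message), and one legitimate way such text lands in a flash dump is the Linux efi-pstore backend, which writes a kernel log dump into UEFI variables on an oops or panic; those variables live in the NVRAM firmware volume, not in a code volume. A quick triage step is therefore to check which firmware volume each suspicious string sits in. The script below is an added example written for this thread; it is not chipsec code and not something the poster ran. It maps every firmware volume by parsing the EFI_FIRMWARE_VOLUME_HEADER layout from EDK II's PiFirmwareVolume.h (`_FVH` signature at offset 40, FvLength at offset 32, FileSystemGuid at offset 16), does a strings(1)-style scan, and labels each hit with the containing volume. The two-volume image it builds when run without arguments is constructed for the demo; the GUID table covers only three well-known file-system GUIDs and reports anything else as unknown.

```python
"""Locate printable strings in a raw SPI-flash / UEFI image dump and report
which firmware volume (FV) each one lives in.

Added example for the mailing-list question above; not chipsec code.
FV header layout and GUIDs follow EDK II (MdePkg/Include/Pi/PiFirmwareVolume.h).
"""
import re
import struct
import sys
import uuid

# Well-known FileSystemGuid values. OS-written data (e.g. efi-pstore dumps stored
# as UEFI variables) belongs in the NV-data volume; code volumes should not hold it.
KNOWN_FV_GUIDS = {
    uuid.UUID("fff12b8d-7696-4c8b-a985-2747075b4f50"): "NVRAM (EFI_SYSTEM_NV_DATA_FV)",
    uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3"): "FFSv2 code volume",
    uuid.UUID("5473c07a-3dcb-4dca-bd6f-1e9689e7349a"): "FFSv3 code volume",
}

FV_SIGNATURE = b"_FVH"  # EFI_FVH_SIGNATURE, at offset 40 of the header
# ZeroVector, FileSystemGuid, FvLength, Signature, Attributes,
# HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_LEN = struct.calcsize(FV_HEADER_FMT)  # 56 bytes


def find_firmware_volumes(image: bytes):
    """Return [(start, length, guid)] for every plausible FV header in the image."""
    vols = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0 and start + FV_HEADER_LEN <= len(image):
            (_zero, guid_raw, fv_len, sig, _attr, hdr_len, _csum,
             _ext, _res, _rev) = struct.unpack_from(FV_HEADER_FMT, image, start)
            # Reject stray "_FVH" bytes in data: header must be sane and fit the image
            if (sig == FV_SIGNATURE and hdr_len >= FV_HEADER_LEN
                    and 0 < fv_len <= len(image) - start):
                vols.append((start, fv_len, uuid.UUID(bytes_le=guid_raw)))
        pos = image.find(FV_SIGNATURE, pos + 1)
    return vols


def extract_strings(image: bytes, min_len: int = 8):
    """Yield (offset, text) for printable-ASCII runs >= min_len, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        yield m.start(), m.group().decode("ascii")


def locate(image: bytes, pattern: str, min_len: int = 8):
    """Return [(offset, volume_label, text)] for every string matching pattern."""
    vols = find_firmware_volumes(image)
    rx = re.compile(pattern)
    hits = []
    for off, text in extract_strings(image, min_len):
        if not rx.search(text):
            continue
        label = "outside any FV"
        for start, length, guid in vols:
            if start <= off < start + length:
                label = KNOWN_FV_GUIDS.get(guid, f"unknown FV {guid}")
                break
        hits.append((off, label, text))
    return hits


def build_sample_image() -> bytes:
    """Constructed two-volume image (NOT a real dump): an NVRAM FV holding a
    kmsg-style line and an FFSv2 code FV holding a certificate subject string."""
    def fv(guid: uuid.UUID, payload: bytes, size: int) -> bytes:
        hdr = struct.pack(FV_HEADER_FMT, b"\0" * 16, guid.bytes_le, size,
                          FV_SIGNATURE, 0, FV_HEADER_LEN + 8, 0, 0, 0, 2)
        hdr += struct.pack("<II", 0, 0)  # terminating block-map entry
        body = hdr + payload
        return body + b"\xff" * (size - len(body))  # erased-flash padding

    nv = fv(uuid.UUID("fff12b8d-7696-4c8b-a985-2747075b4f50"),
            b"<30>[   31.343046] systemd[1]: Set hostname to <amnesia>.", 0x1000)
    code = fv(uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3"),
              b"Microsoft Windows Production PCA 2011", 0x1000)
    return b"\xff" * 0x100 + nv + code


if __name__ == "__main__":
    # Usage: python fv_strings.py <dump.bin> [regex]; no args runs the constructed demo
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    pat = sys.argv[2] if len(sys.argv) > 2 else r"systemd\[1\]|Production PCA"
    for off, where, text in locate(img, pat):
        print(f"0x{off:08x}  {where:34s} {text[:70]}")
```

Run it against a real dump with `python fv_strings.py bios.bin 'systemd\[1\]'`: log text reported inside the NVRAM volume is consistent with pstore/variable data, while the same text inside an FFSv2/FFSv3 code volume or outside any volume is worth pulling apart further (for example with UEFITool). Certificate subject strings such as the Microsoft and Canonical ones in the post are expected in the volume that holds the db/KEK defaults.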
