execve("/bin/su", ["su"], [/* 19 vars */]) = 0
brk(0) = 0x8052240
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=11848, ...}) = 0
mmap(NULL, 11848, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40014000
close(4) = 0
open("/lib/libcrypt.so.1", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=19536, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\r\0"..., 4096) = 4096
mmap(NULL, 182428, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40017000
mprotect(0x4001c000, 161948, PROT_NONE) = 0
mmap(0x4001c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x4000) = 0x4001c000
mmap(0x4001d000, 157852, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4001d000
close(4) = 0
open("/lib/libpam.so.0", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0645, st_size=27116, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\22\0\000"..., 4096) = 4096
mmap(NULL, 30380, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40044000
mprotect(0x4004b000, 1708, PROT_NONE) = 0
mmap(0x4004b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x6000) = 0x4004b000
close(4) = 0
open("/lib/libpam_misc.so.0", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0645, st_size=6060, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\000"..., 4096) = 4096
mmap(NULL, 9324, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4004c000
mprotect(0x4004e000, 1132, PROT_NONE) = 0
mmap(0x4004e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x1000) = 0x4004e000
close(4) = 0
open("/lib/libdl.so.2", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=9372, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\310\34"..., 4096) = 4096
mmap(NULL, 12396, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4004f000
mprotect(0x40051000, 4204, PROT_NONE) = 0
mmap(0x40051000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x1000) = 0x40051000
close(4) = 0
open("/lib/libc.so.6", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0755, st_size=887636, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\244\213"..., 4096) = 4096
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40053000
mmap(NULL, 902012, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40054000
mprotect(0x40129000, 29564, PROT_NONE) = 0
mmap(0x40129000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0xd4000) = 0x40129000
mmap(0x4012d000, 13180, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4012d000
close(4) = 0
munmap(0x40014000, 11848) = 0
personality(PER_LINUX) = 0
getpid() = 259
brk(0) = 0x8052240
brk(0x8052278) = 0x8052278
brk(0x8053000) = 0x8053000
getuid() = 1000
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
brk(0x8055000) = 0x8055000
readlink("/proc/self/fd/0", "/dev/tty1", 4095) = 9
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
readlink("/proc/self/fd/0", "/dev/tty1", 511) = 9
access("/var/run/utmpd.rw", F_OK) = -1 ENOENT (No such file or directory)
access("/var/run/utmpd.ro", F_OK) = -1 ENOENT (No such file or directory)
access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory)
open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied)
open("/var/run/utmp", O_RDONLY) = 4
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
lseek(4, 0, SEEK_SET) = 0
alarm(0) = 0
rt_sigaction(SIGALRM, {0x40117f60, [], 0x4000000}, {SIG_DFL}, 8) = 0
alarm(1) = 0
fcntl(4, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
read(4, "\10\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
read(4, "\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
read(4, "\1\0\0\0002N\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
read(4, "\10\0\0\0m\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
read(4, "\7\0\0\0\311\0\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
fcntl(4, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0
alarm(0) = 1
close(4) = 0
getuid() = 1000
socket(PF_UNIX, SOCK_STREAM, 0) = 4
connect(4, {sin_family=AF_UNIX, path=" /var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused)
close(4) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0645, st_size=465, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 465
read(4, "", 4096) = 0
close(4) = 0
munmap(0x40014000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=11848, ...}) = 0
mmap(NULL, 11848, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40014000
close(4) = 0
open("/lib/libnss_compat.so.2", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=41308, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\31\0"..., 4096) = 4096
mmap(NULL, 44332, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40131000
mprotect(0x4013b000, 3372, PROT_NONE) = 0
mmap(0x4013b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x9000) = 0x4013b000
close(4) = 0
open("/lib/libnsl.so.1", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=75952, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360?\0"..., 4096) = 4096
mmap(NULL, 88168, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4013c000
mprotect(0x4014e000, 14440, PROT_NONE) = 0
mmap(0x4014e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x11000) = 0x4014e000
mmap(0x40150000, 6248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40150000
close(4) = 0
munmap(0x40014000, 11848) = 0
uname({sys="Linux", node="bluesky", ...}) = 0
open("/etc/passwd", O_RDONLY) = 4
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fstat(4, {st_mode=S_IFREG|0645, st_size=1414, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(4, 0, [0], SEEK_CUR) = 0
read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1414
close(4) = 0
munmap(0x40014000, 4096) = 0
open("/etc/passwd", O_RDONLY) = 4
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fstat(4, {st_mode=S_IFREG|0645, st_size=1414, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(4, 0, [0], SEEK_CUR) = 0
read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1414
close(4) = 0
munmap(0x40014000, 4096) = 0
stat("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
open("/etc/pam.d/su", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0645, st_size=1087, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
read(4, "#\n# The PAM configuration file f"..., 4096) = 1087
open("/lib/security/pam_rootok.so", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0645, st_size=3944, ...}) = 0
read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\7\0\000"..., 4096) = 3944
mmap(NULL, 6996, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x40015000
mprotect(0x40016000, 2900, PROT_NONE) = 0
mmap(0x40016000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0) = 0x40016000
close(5) = 0
open("/lib/security/pam_unix.so", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0645, st_size=37420, ...}) = 0
read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260!\0"..., 4096) = 4096
brk(0x8056000) = 0x8056000
mmap(NULL, 90196, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x40152000
mprotect(0x4015b000, 53332, PROT_NONE) = 0
mmap(0x4015b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x8000) = 0x4015b000
mmap(0x4015c000, 49236, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4015c000
close(5) = 0
read(4, "", 4096) = 0
close(4) = 0
munmap(0x40014000, 4096) = 0
open("/etc/pam.d/other", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0645, st_size=341, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
read(4, "#\n# /etc/pam.d/other - specify t"..., 4096) = 341
read(4, "", 4096) = 0
close(4) = 0
munmap(0x40014000, 4096) = 0
open("/etc/passwd", O_RDONLY) = 4
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fstat(4, {st_mode=S_IFREG|0645, st_size=1414, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(4, 0, [0], SEEK_CUR) = 0
read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1414
close(4) = 0
munmap(0x40014000, 4096) = 0
time(NULL) = 953306071
getuid() = 1000
getuid() = 1000
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
time([953306071]) = 953306071
write(2, "Password: ", 10) = 10
ioctl(0, SNDCTL_TMR_CONTINUE, {B38400 opost isig icanon -echo ...}) = 0
read(0, "tq7xk52\n", 511) = 8
ioctl(0, SNDCTL_TMR_STOP, {B38400 opost isig icanon echo ...}) = 0
write(2, "\n", 1) = 1
open("/etc/passwd", O_RDONLY) = 4
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fstat(4, {st_mode=S_IFREG|0645, st_size=1414, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(4, 0, [0], SEEK_CUR) = 0
read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1414
close(4) = 0
munmap(0x40014000, 4096) = 0
open("/etc/shadow", O_RDONLY) = 4
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fstat(4, {st_mode=S_IFREG|0645, st_size=927, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(4, 0, [0], SEEK_CUR) = 0
read(4, "root:oR63WCNQ5gSDI:11012:0:99999"..., 4096) = 927
close(4) = 0
munmap(0x40014000, 4096) = 0
getuid() = 1000
open("/etc/passwd", O_RDONLY) = 4
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fstat(4, {st_mode=S_IFREG|0645, st_size=1414, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(4, 0, [0], SEEK_CUR) = 0
read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1414
close(4) = 0
munmap(0x40014000, 4096) = 0
open("/etc/shadow", O_RDONLY) = 4
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fstat(4, {st_mode=S_IFREG|0645, st_size=927, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(4, 0, [0], SEEK_CUR) = 0
read(4, "root:oR63WCNQ5gSDI:11012:0:99999"..., 4096) = 927
close(4) = 0
munmap(0x40014000, 4096) = 0
time(NULL) = 953306076
open("/etc/login.defs", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0645, st_size=8642, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
read(4, "#\n# /etc/login.defs - Configurat"..., 4096) = 4096
read(4, "it too; ulimit is in 512-byte un"..., 4096) = 4096
read(4, " OBSOLETED BY PAM ##############"..., 4096) = 450
read(4, "", 4096) = 0
close(4) = 0
munmap(0x40014000, 4096) = 0
brk(0x8057000) = 0x8057000
brk(0x805a000) = 0x805a000
time([953306076]) = 953306076
open("/etc/localtime", O_RDONLY) = 4
read(4, "TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\10"..., 44) = 44
read(4, "\233\f\27`\233\325\332\360\234\331\256\220\235\244\265"..., 715) = 715
fstat(4, {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
read(4, "\0\0\34 \1\0\0\0\16\20\0\5\0\0\34 \1\0\0\0\16\20\0\5\0"..., 4096) = 78
close(4) = 0
munmap(0x40014000, 4096) = 0
getpid() = 259
rt_sigaction(SIGPIPE, {0x400ececc, [], 0x4000000}, {SIG_DFL}, 8) = 0
socket(PF_UNIX, SOCK_DGRAM, 0) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sin_family=AF_UNIX, path=" /dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(4) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sin_family=AF_UNIX, path=" /dev/log"}, 16) = 0
send(4, "<38>Mar 17 16:14:36 su[259]: + t"..., 48, 0) = 48
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
setgid(0) = -1 EPERM (Operation not permitted)
write(2, "setgid: Operation not permitted\n", 32) = 32
time([953306076]) = 953306076
getpid() = 259
rt_sigaction(SIGPIPE, {0x400ececc, [], 0x4000000}, {SIG_DFL}, 8) = 0
send(4, "<35>Mar 17 16:14:36 su[259]: bad"..., 88, 0) = 88
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
close(4) = 0
munmap(0x40015000, 6996) = 0
munmap(0x40152000, 90196) = 0
_exit(1) = ?