Date: Thu, 28 Oct 2004 21:35:43 +0200
From: Benjamin Walkenhorst <krylon@gmx.net>
To: dgw@liwest.at
Cc: questions@freebsd.org
Subject: Re: Strange file appeared in my home directory
Message-ID: <41814A0F.7050909@gmx.net>
In-Reply-To: <200410282113.34529.dgw@liwest.at>
References: <200410282113.34529.dgw@liwest.at>
Hello,

Daniela wrote:

>I noticed a file called "regs" in my home directory (which is 21 megs in size)
>and I have no clue where it comes from. The file format is not recognized by
>any of the common tools. The creation date was about four days ago, so if I
>created it, I would have remembered.
>I looked at the file with the hexeditor and it seems to consist of lots of
>four-byte values which look like addresses on the stack of an application.

I've never heard of such a thing happening...

>About half an hour before the creation date there were numerous failed login
>attempts on the SSH port (all from the same IP), but my logs didn't show any
>signs of an intrusion.
>However, I suspect that I've been hacked.

Well, /if/ someone intruded your system, she/he surely would remove all
possible evidence (unless it's someone *really* stupid).
If your machine was compromised, I suggest you take it offline *now* and
inspect it thoroughly. There is a piece of software called "The Coroner's
Toolkit" (TCK) which I think is made for that.
More easily, you can checksum your system files and compare them with a clean
install. If you have recent backups, you can use these as well.
If you are afraid a rootkit might have been installed - I don't know if these
exist for FreeBSD, but I wouldn't be surprised... - you should consider
booting from trusted media and inspecting the system, since sometimes root
kits hide the intruder's files (at least for systems like Linux and Solaris,
but again, I don't think FreeBSD will be much different in that regard).

>There was another strange occurrence:
>Yesterday my internet connection went down without a particular reason.
>I tested a few other configurations and rebooted multiple times, and after the
>fifth reboot (with the usual settings restored) it suddenly worked again.

Mmmh. Maybe your provider just had some problem... Who knows?

>Also there were quite a few crashes.

Unless you have a static IP, it would be quite hard for the intruder to get
in again. (OTOH, I don't think it would be hard to make a system send a
message to the internet upon connection)
Also, I suggest looking through your hardware - I had lots of crashes for some
time, till I replaced my power supply. Now my machine runs like a champ. =)

>In case anyone wants to know, the offending IP was 200.84.78.83.

If it was a dial-up connection, that doesn't mean anything. Maybe it's also a
machine that's already compromised.

Before you start wearing a foil-hat, remember that all of the above only
applies if your system was indeed compromised (how I /love/ that word, it
sounds so serious...). It is after all still possible that it's just... I
don't know... something really weird. Sometimes applications will create such
things for no apparent reason (from a user's point of view at least). Of
course, this would be unusual, but not impossible.
Still, if you have security concerns, I suggest you take the box offline and
examine it. As a side-effect, this is probably very interesting.

I wish you good luck (and that your system be still intact)!

Kind regards,
Benjamin
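The checksum-and-compare approach Benjamin suggests, written out as an added example (this script is not part of the thread and not a FreeBSD tool): it builds a SHA-256 manifest of a directory tree and diffs it against a manifest taken from a clean install, so that added, removed and modified files show up by name. The intended workflow it assumes is booting from trusted media, mounting the suspect root read-only, and building the baseline from a fresh install of the same release; the directory layout, file contents and the "regs" file inside `demo()` are constructed for illustration.

```sh
#!/bin/sh
# Added example: SHA-256 manifest of a tree, compared against a clean-install
# baseline. Assumes the suspect filesystem is mounted read-only from trusted
# media; the trees built in demo() are constructed sample data.

# Print the SHA-256 of one file; coreutils and FreeBSD spell the tool differently.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"          # FreeBSD base system
    fi
}

# build_manifest DIR: one "hash<TAB>relative-path" line per regular file,
# sorted by path so two manifests of the same tree are byte-identical.
build_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$(hash_file "$f")" "$f"
      done )
}

# compare_manifests BASELINE CURRENT: report files that were added, removed,
# or whose content changed. Output is sorted so it is stable for scripting.
compare_manifests() {
    awk -F'\t' '
        NR == FNR { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in cur)  if (!(p in base))                     printf "ADDED    %s\n", p
            for (p in base) if (!(p in cur))                      printf "REMOVED  %s\n", p
            for (p in base) if ((p in cur) && base[p] != cur[p])  printf "MODIFIED %s\n", p
        }' "$1" "$2" | sort
}

# demo: two constructed trees, a "clean install" and a "suspect" copy in which
# one binary differs and an unexplained file appeared. Prints the differences.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/bin" "$tmp/suspect/bin"
    printf 'ls binary v1\n'   > "$tmp/clean/bin/ls"
    printf 'ps binary v1\n'   > "$tmp/clean/bin/ps"
    printf 'ls binary v1\n'   > "$tmp/suspect/bin/ls"
    printf 'ps binary v2?\n'  > "$tmp/suspect/bin/ps"    # content differs from baseline
    printf 'unknown data\n'   > "$tmp/suspect/regs"      # file absent from baseline
    build_manifest "$tmp/clean"   > "$tmp/baseline.tsv"
    build_manifest "$tmp/suspect" > "$tmp/current.tsv"
    compare_manifests "$tmp/baseline.tsv" "$tmp/current.tsv"
    rm -rf "$tmp"
}

# Run as "sh check.sh demo" to see the constructed example; otherwise the
# functions above are available for sourcing against real mount points.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run on real data as `build_manifest /mnt/clean > baseline.tsv; build_manifest /mnt/suspect > current.tsv; compare_manifests baseline.tsv current.tsv`. A manifest only proves anything if the hashing tool and the baseline came from media the intruder could not have touched, which is why the script is meant to run from the trusted boot environment rather than from the suspect system itself.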