From: Benjamin Walkenhorst
Date: Thu, 28 Oct 2004 21:35:43 +0200
To: dgw@liwest.at
Cc: questions@freebsd.org
Subject: Re: Strange file appeared in my home directory
Message-ID: <41814A0F.7050909@gmx.net>
In-Reply-To: <200410282113.34529.dgw@liwest.at>

Hello,

Daniela wrote:

> I noticed a file called "regs" in my home directory (which is 21 megs in size)
> and I have no clue where it comes from. The file format is not recognized by
> any of the common tools. The creation date was about four days ago, so if I
> created it, I would have remembered.
> I looked at the file with the hexeditor and it seems to consist of lots of
> four-byte values which look like addresses on the stack of an application.

I've never heard of such a thing happening...

> About half an hour before the creation date there were numerous failed login
> attempts on the SSH port (all from the same IP), but my logs didn't show any
> signs of an intrusion.
> However, I suspect that I've been hacked.

Well, /if/ someone intruded into your system, she/he surely would remove all possible evidence (unless it's someone *really* stupid). If your machine was compromised, I suggest you take it offline *now* and inspect it thoroughly. There is a piece of software called "The Coroner's Toolkit" (TCK) which I think is made for that. More easily, you can checksum your system files and compare them with a clean install. If you have recent backups, you can use these as well.

If you are afraid a rootkit might have been installed - I don't know if these exist for FreeBSD, but I wouldn't be surprised... - you should consider booting from trusted media and inspecting the system, since sometimes root kits hide the intruder's files (at least on systems like Linux and Solaris, but again, I don't think FreeBSD will be much different in that regard).

> There was another strange occurrence:
> Yesterday my internet connection went down without a particular reason.
> I tested a few other configurations and rebooted multiple times, and after the
> fifth reboot (with the usual settings restored) it suddenly worked again.

Mmmh. Maybe your provider just had some problem... Who knows?

> Also there were quite a few crashes.

Unless you have a static IP, it would be quite hard for the intruder to get in again. (OTOH, I don't think it would be hard to make a system send a message to the internet upon connection.) Also, I suggest you look through your hardware - I had lots of crashes for some time, till I replaced my power supply. Now my machine runs like a champ. =)

> In case anyone wants to know, the offending IP was 200.84.78.83.

If it was a dial-up connection, that doesn't mean anything. Maybe it's also a machine that's already compromised.

Before you start wearing a foil-hat, remember that all of the above only applies if your system was indeed compromised (how I /love/ that word, it sounds so serious...). It is after all still possible that it's just... I don't know... something really weird. Sometimes applications will create such things for no apparent reason (from a user's point of view at least). Of course, this would be unusual, but not impossible.

Still, if you have security concerns, I suggest you take the box offline and examine it. As a side-effect, this is probably very interesting.

I wish you good luck (and that your system be still intact)!

Kind regards,
Benjamin
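The checksum comparison Benjamin suggests (a manifest of the suspect system's files checked against one taken from a clean install or trusted backup), worked through as an added example; this is not code from the thread or from either correspondent. It assumes only POSIX sh, find, awk and whichever checksum utility the host has (sha256sum, sha256 or cksum), so it can be run from a shell booted off trusted media. The two directory trees in the demo are constructed stand-ins for a clean install and a live system; the baseline manifest must always come from a trusted copy, never from the machine under suspicion.

```shell
#!/bin/sh
# Added example, not from the original thread: build a checksum manifest of a
# directory tree and compare it against a trusted baseline, the way the reply
# suggests comparing system files with a clean install. Only POSIX sh, find,
# awk and a checksum utility are used, so it can run from a rescue shell
# booted off trusted media. The baseline must come from a trusted copy.

# Print the digest of one file, using whichever checksum tool this host has
# (sha256sum on GNU systems, sha256 on FreeBSD, cksum as the POSIX fallback).
checksum_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        cksum "$1" | awk '{print $1}'
    fi
}

# make_manifest DIR: one "digest  relative/path" line per regular file, sorted,
# so two manifests of the same tree layout can be compared entry by entry.
make_manifest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(checksum_file "$f")" "${f#./}"
      done )
}

# compare_manifests BASELINE CURRENT: report files whose digest changed
# (MODIFIED), files present only in CURRENT (ADDED) and files present only in
# BASELINE (REMOVED). A MODIFIED system binary is what a replaced tool looks
# like; a REMOVED log file is what cleaned-up evidence looks like.
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # load baseline digests
        {
            if (!($2 in base))       print "ADDED    " $2
            else if (base[$2] != $1) print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: constructed "clean" and "live" trees stand in for a clean install and
# the suspect system; one file differs and one is new in the live tree.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/chk.XXXXXX") || return 1
    mkdir -p "$work/clean/bin" "$work/live/bin"
    printf 'ls binary\n'  > "$work/clean/bin/ls"
    printf 'ls binary\n'  > "$work/live/bin/ls"       # unchanged
    printf 'ps binary\n'  > "$work/clean/bin/ps"
    printf 'ps altered\n' > "$work/live/bin/ps"       # constructed: differs on the live system
    printf 'new file\n'   > "$work/live/bin/unknown"  # constructed: absent from the clean install
    make_manifest "$work/clean" > "$work/baseline.txt"
    make_manifest "$work/live"  > "$work/current.txt"
    compare_manifests "$work/baseline.txt" "$work/current.txt"
    rm -rf "$work"
}
```

In practice you would run `make_manifest /bin`, `make_manifest /sbin`, `make_manifest /usr/lib` and so on against the mounted disk of the suspect machine and against the same paths on a clean install of the same release, then diff the two manifests. FreeBSD ships mtree(8) for exactly this job: `mtree -c -K sha256digest -p /bin > bin.spec` records a specification of a tree including digests, and `mtree -p /bin < bin.spec` later reports every deviation from it.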