Date:      Thu, 28 Oct 2004 21:44:43 +0200
From:      Miguel Mendez <flynn@energyhq.es.eu.org>
To:        dgw@liwest.at
Cc:        questions@freebsd.org
Subject:   Re: Strange file appeared in my home directory
Message-ID:  <20041028214443.2694d707.flynn@energyhq.es.eu.org>
In-Reply-To: <200410282113.34529.dgw@liwest.at>
References:  <200410282113.34529.dgw@liwest.at>

On Thu, 28 Oct 2004 21:13:34 +0000
Daniela <dgw@liwest.at> wrote:

Hi,

> I noticed a file called "regs" in my home directory (which is 21 megs
> in size) and I have no clue where it comes from. The file format is
> not recognized by any of the common tools. The creation date was about
> four days ago, so if I created it, I would have remembered.

I've never seen such a file; my guess is that anyone breaking into someone
else's computer would hide his stuff, but you never know. Google didn't
turn up any useful hits either. With this and the rest of your post I have
reasons to believe that you haven't been broken into. However, if you're
suspicious you could back up the 'evidence', in this case the regs file
and other unusual stuff you might find, wipe the system out and reinstall
and restore data from a good backup.

> I looked at the file with the hexeditor and it seems to consist of
> lots of four-byte values which look like addresses on the stack of an
> application.

What do those values look like?

> About half an hour before the creation date there were numerous failed
> login attempts on the SSH port (all from the same IP), but my logs
> didn't show any signs of an intrusion.

The ssh scans seem to be common. There's an automated tool out there
with a hardcoded weak name/pass list. My suggestion for that is, if you
only need ssh access from specific places, set up a firewall rule to allow
only those IP addresses.

> However, I suspect that I've been hacked. There was another strange
> occurrence: Yesterday my internet connection went down without a
> particular reason. I tested a few other configurations and rebooted
> multiple times, and after the fifth reboot (with the usual settings
> restored) it suddenly worked again. There seem to be no unusual
> processes running, but when I'm hacked, I can't trust the tools on my
> system any more. Also there were quite a few crashes.

Do you run any services on that box besides ssh?
Apache/Sendmail/Whathaveyou? Anything unusual in the logs?

> Has anyone seen this file too?
> In case anyone wants to know, the offending IP was 200.84.78.83.

That IP resolves to 200-84-78-83.genericrev.cantv.net, either a
compromised Windows box or a script-kiddiot computer, too lazy to nmap
it now :)

Cheers,
-- 
	Miguel Mendez <flynn@energyhq.es.eu.org>
	http://www.energyhq.es.eu.org
	PGP Key: 0xDC8514F1
	Note: All HTML mail goes to /dev/null
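As an added example (not part of the original message, and not FreeBSD code), here is one way to answer "what do those values look like?" without trusting the tools on the suspect box: copy the file off, fingerprint it, and bucket its 4-byte words by where they would fall in an i386 FreeBSD process of the time. The address ranges (executable near 0x08048000, shared libraries from 0x28000000, user stack just below 0xbfc00000) and the six sample words are assumptions constructed for the example; the real 21 MB file would be read from disk instead.

```python
"""Triage an unknown file of 4-byte values (added example, not from the thread).

Run this on a copy of the file taken off the suspect machine. The address
ranges are an assumption for a 2004-era i386 FreeBSD user process; change
them for another architecture or OS.
"""
import hashlib
import struct
from collections import Counter

# Assumed i386 FreeBSD 4.x/5.x user address space: (label, low inclusive, high exclusive).
REGIONS = [
    ("exe text/data", 0x08048000, 0x0A000000),
    ("shared libs/mmap", 0x28000000, 0x40000000),
    ("user stack", 0xBFB00000, 0xC0000000),
]


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence, recorded before any further handling."""
    return hashlib.sha256(data).hexdigest()


def classify_word(value: int) -> str:
    """Name the region a 32-bit value would point into, or a catch-all bucket."""
    if value == 0:
        return "zero"
    for label, lo, hi in REGIONS:
        if lo <= value < hi:
            return label
    if value < 0x1000:
        return "small int"
    return "other"


def analyze_words(data: bytes, endian: str = "<") -> dict:
    """Split data into 4-byte words ('<' little-endian for i386) and count regions."""
    n = len(data) // 4
    words = struct.unpack(f"{endian}{n}I", data[: n * 4])
    counts = Counter(classify_word(w) for w in words)
    return {
        "words": n,
        "trailing_bytes": len(data) - n * 4,  # a non-multiple of 4 argues against a plain word dump
        "unique": len(set(words)),
        "counts": dict(counts),
    }


def looks_like_stack_dump(stats: dict, threshold: float = 0.5) -> bool:
    """Heuristic: more than `threshold` of the words land in the stack or library ranges."""
    if stats["words"] == 0:
        return False
    hits = stats["counts"].get("user stack", 0) + stats["counts"].get("shared libs/mmap", 0)
    return hits / stats["words"] > threshold


def describe_words(data: bytes, endian: str = "<", limit: int = 16) -> list:
    """Hexeditor-style listing of the first `limit` words with their region label."""
    n = min(len(data) // 4, limit)
    words = struct.unpack(f"{endian}{n}I", data[: n * 4])
    return [f"{off * 4:08x}: 0x{w:08x}  {classify_word(w)}" for off, w in enumerate(words)]


# Constructed sample: six little-endian words, not bytes from the real 'regs' file.
SAMPLE = struct.pack("<6I", 0xBFBFE8A0, 0xBFBFE8B4, 0x28105C30, 0x00000000, 0xBFBFE8C8, 0x0804A120)

if __name__ == "__main__":
    # For the real file: data = open("regs", "rb").read()
    print("sha256:", fingerprint(SAMPLE))
    for line in describe_words(SAMPLE):
        print(line)
    stats = analyze_words(SAMPLE)
    print(stats, "stack-like:", looks_like_stack_dump(stats))
```

Try both byte orders: if the little-endian reading puts most words in the stack and library ranges and the big-endian one scatters them, the file was written by an i386 process; if neither clusters, it is probably not a dump of addresses at all.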

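To put numbers on the "numerous failed login attempts" and line them up against the file's creation time, here is an added example (not from the thread) that counts failed sshd logins per source address over a sliding window and lists the usernames tried, which is how the hardcoded weak-name list of a scanner shows itself. The log lines are constructed in the OpenSSH 3.x syslog style of the time ("illegal user"; later releases write "invalid user", which is matched as well), the hostname "box" and the second address 192.0.2.10 are invented, and the year is supplied by hand because syslog timestamps carry none.

```python
"""Count failed sshd logins per source (added example, not from the thread).

Lines follow the FreeBSD /var/log/auth.log syslog style of OpenSSH 3.x
('illegal user'); later releases write 'invalid user' and are matched too.
The sample lines, hostname 'box' and address 192.0.2.10 are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|keyboard-interactive(?:/pam)?) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed_logins(lines, year=2004):
    """Return (timestamp, source ip, username) for each failed sshd login.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforcers(events, window=timedelta(minutes=10), threshold=5):
    """Flag sources with at least `threshold` failures inside any `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        lo, peak = 0, 0
        for hi in range(len(times)):  # sliding window over the sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(attempts),
                "peak_in_window": peak,
                "users": sorted({u for _, u in attempts}),
                "first": times[0],
                "last": times[-1],
            }
    return flagged


def events_before(events, when, span=timedelta(minutes=30)):
    """Failures in the `span` leading up to `when`, e.g. the unknown file's ctime."""
    return [e for e in events if timedelta(0) <= when - e[0] <= span]


# Constructed auth.log excerpt: a dictionary scan from 200.84.78.83, then one
# mistyped password from 192.0.2.10 followed by a successful login (ignored).
SAMPLE_LOG = """\
Oct 24 20:05:11 box sshd[1201]: Failed password for illegal user test from 200.84.78.83 port 51234 ssh2
Oct 24 20:05:14 box sshd[1203]: Failed password for illegal user guest from 200.84.78.83 port 51240 ssh2
Oct 24 20:05:17 box sshd[1205]: Failed password for illegal user admin from 200.84.78.83 port 51246 ssh2
Oct 24 20:05:20 box sshd[1207]: Failed password for root from 200.84.78.83 port 51251 ssh2
Oct 24 20:05:23 box sshd[1209]: Failed password for root from 200.84.78.83 port 51257 ssh2
Oct 24 20:05:26 box sshd[1211]: Failed password for illegal user user from 200.84.78.83 port 51263 ssh2
Oct 24 20:31:02 box sshd[1300]: Failed password for daniela from 192.0.2.10 port 40112 ssh2
Oct 24 20:31:09 box sshd[1302]: Accepted password for daniela from 192.0.2.10 port 40113 ssh2
""".splitlines()

if __name__ == "__main__":
    # For the real log: lines = open("/var/log/auth.log") (copied off the box first)
    ev = parse_failed_logins(SAMPLE_LOG)
    for ip, info in find_bruteforcers(ev).items():
        print(ip, info["attempts"], "failures, names tried:", ", ".join(info["users"]))
    # Suppose ls -lc on the unknown file gave 20:35 that evening.
    print(len(events_before(ev, datetime(2004, 10, 24, 20, 35))), "failures in the prior 30 minutes")
```

Names like test, guest and admin, all within seconds of each other, are the signature of a dictionary scanner rather than a targeted attack; a flood of failures followed by a single "Accepted" line from the same address is the case that needs the wipe-and-reinstall treatment.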
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041028214443.2694d707.flynn>