From: Miguel Mendez <flynn@energyhq.es.eu.org>
To: dgw@liwest.at
Cc: questions@freebsd.org
Date: Thu, 28 Oct 2004 21:44:43 +0200
Subject: Re: Strange file appeared in my home directory

On Thu, 28 Oct 2004 21:13:34 +0000 Daniela wrote:

Hi,

> I noticed a file called "regs" in my home directory (which is 21 megs
> in size) and I have no clue where it comes from. The file format is
> not recognized by any of the common tools. The creation date was about
> four days ago, so if I created it, I would have remembered.

I've never seen such a file; my guess is that anyone breaking into someone else's computer would hide his stuff, but you never know. Google didn't turn up any useful hit either.

With this and the rest of your post I have reasons to believe that you haven't been broken into. However, if you're suspicious you could back up the 'evidence', in this case the regs file and other unusual stuff you might find, wipe the system out and reinstall, and restore data from a good backup.

> I looked at the file with the hexeditor and it seems to consist of
> lots of four-byte values which look like addresses on the stack of an
> application.

What do those values look like?

> About half an hour before the creation date there were numerous failed
> login attempts on the SSH port (all from the same IP), but my logs
> didn't show any signs of an intrusion.

The ssh scans seem to be common. There's an automated tool out there with a hardcoded weak name/pass list. My suggestion for that is, if you only need ssh access from specific places, set up a firewall rule to allow only those IP addresses.

> However, I suspect that I've been hacked. There was another strange
> occurrence: Yesterday my internet connection went down without a
> particular reason. I tested a few other configurations and rebooted
> multiple times, and after the fifth reboot (with the usual settings
> restored) it suddenly worked again. There seem to be no unusual
> processes running, but when I'm hacked, I can't trust the tools on my
> system any more. Also there were quite a few crashes.

Do you run any services on that box besides ssh? Apache/Sendmail/Whathaveyou? Anything unusual in the logs?

> Has anyone seen this file too?
> In case anyone wants to know, the offending IP was 200.84.78.83.

That IP resolves to 200-84-78-83.genericrev.cantv.net, either a compromised Windows box or a script-kiddiot computer, too lazy to nmap it now :)

Cheers,
-- 
Miguel Mendez
http://www.energyhq.es.eu.org
PGP Key: 0xDC8514F1
Note: All HTML mail goes to /dev/null
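The log evidence Daniela describes (many failed logins from one address) and Miguel's point that a scanner works through a hardcoded name/password list can be checked from auth.log rather than guessed at. The following POSIX shell script is an added example, not code from the thread: it counts failed sshd logins per source address and lists the account names tried. The log lines, hostname "myhost" and addresses (RFC 5737 documentation ranges) are constructed samples in the FreeBSD/OpenSSH auth.log format of that era.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample lines in the
# FreeBSD auth.log format; "myhost" and the addresses are not real hosts.
SAMPLE_LOG='Oct 28 20:40:11 myhost sshd[812]: Illegal user test from 203.0.113.7
Oct 28 20:40:11 myhost sshd[812]: Failed password for illegal user test from 203.0.113.7 port 41022 ssh2
Oct 28 20:40:14 myhost sshd[815]: Failed password for illegal user guest from 203.0.113.7 port 41030 ssh2
Oct 28 20:40:18 myhost sshd[819]: Failed password for root from 203.0.113.7 port 41041 ssh2
Oct 28 20:40:21 myhost sshd[823]: Failed password for illegal user admin from 203.0.113.7 port 41052 ssh2
Oct 28 20:55:02 myhost sshd[901]: Failed password for daniela from 198.51.100.9 port 50100 ssh2
Oct 28 20:55:20 myhost sshd[903]: Accepted publickey for daniela from 198.51.100.9 port 50102 ssh2'

# failed_ssh_sources MIN: read log lines on stdin, print "count address" for
# every source with at least MIN failed logins, most active first.
failed_ssh_sources() {
    min="${1:-5}"
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# tried_usernames: read log lines on stdin, print the distinct account names
# the failures targeted. A run of generic names (test, guest, admin, root)
# is the signature of a scanner working through a built-in name/pass list.
tried_usernames() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                # "... for illegal user NAME from" vs "... for NAME from"
                u = ($(i + 1) == "illegal") ? $(i + 3) : $(i + 1)
                print u; break
            }
        }
    ' | sort -u
}

echo "sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_sources 3
echo "account names tried:"
printf '%s\n' "$SAMPLE_LOG" | tried_usernames | tr '\n' ' '; echo
```

On a live system, feed it with `failed_ssh_sources 5 < /var/log/auth.log`; a single source with many failures against generic names matches the automated scan Miguel describes, and a later "Accepted" line from that same source is the thing to look for before trusting the box.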