From owner-freebsd-isp Tue Dec 4 8: 8: 4 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from bilver.wjv.com (spdsl-033.wanlogistics.net [63.209.115.33]) by hub.freebsd.org (Postfix) with ESMTP id CBE9337B416 for ; Tue, 4 Dec 2001 08:08:01 -0800 (PST)
Received: (from bv@localhost) by bilver.wjv.com (8.11.6/8.11.6) id fB4G6Ip34323; Tue, 4 Dec 2001 11:06:18 -0500 (EST) (envelope-from bv)
Date: Tue, 4 Dec 2001 11:06:18 -0500
From: Bill Vermillion
To: Blake Crosby
Cc: isp-webhosting@isp-webhosting.com, freebsd-isp@FreeBSD.ORG
Subject: Re: Weird file in /root
Message-ID: <20011204110618.A34278@wjv.com>
Reply-To: bv@wjv.com
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from dev@samurai.com on Tue, Dec 04, 2001 at 10:47:08AM -0500
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Dec 04, 2001 at 10:47:08AM -0500, Blake Crosby thus spoke:

> I am somewhat concerned at this file I found:
>
> 7524 -rwsr-sr-t 1 root wheel 0 Nov 30 16:41:10 2001
> /root/gA=1C=A0/=82=F81=95=C1=CA=FD)=8F=ADOK=D7R=13=AE =17=E9iz
> =1E)=C4W=1A*N=E5=D08g=DC?=96a^'=0C=B4=A2=15%=0E=DF=BE=B9=FA=9E=89=04=AF=
> =BEt=8D=F1eu=A8?*!=8A=87!=02=D7=A6X=A4=1DR=ACm=CE=DAs=FC:=F6=99|e=9F=BFK"=
> =05G =0F=C7=F2

Any time I find weird files, the first things I do are run strings on them and file on them to see what may be in them and whether they are identifiable as any known type. Then I move the file somewhere if I need to investigate more, or remove it, depending on what I found with the strings and file commands. The strings can sometimes point to other files that a virus may have installed in hidden directories, for example.
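The triage the reply describes, written up as an added example (not code from the thread): a POSIX sh routine that runs `file` and `strings` on a suspicious path and also flags the two traits of the reported file, set-id bits in the mode and non-printable bytes in the name. The function names and the size/mode reporting are my additions.

```shell
#!/bin/sh
# Added example, not from the original thread: apply the reply's method
# (file(1) for type, strings(1) for readable content) and flag set-id bits
# and non-printable bytes in the file name. Function names are assumptions.

# Return 0 if the file name contains bytes outside printable ASCII.
suspicious_name() {
    name=$(basename "$1")
    [ -n "$(printf '%s' "$name" | LC_ALL=C tr -d '[:print:]')" ]
}

# Return 0 if the setuid or setgid bit is set (an 's'/'S' in ls -l's mode).
has_setid() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        *[sS]*) return 0 ;;
    esac
    return 1
}

# Print what a responder wants to see before deciding to move or remove it.
triage_file() {
    path=$1
    [ -e "$path" ] || { printf 'no such file: %s\n' "$path" | cat -v; return 2; }
    printf '== %s\n' "$path" | cat -v      # cat -v renders control bytes as ^X / M-x
    printf 'mode: %s  size: %s bytes\n' "$(ls -ld "$path" | cut -c1-10)" \
        "$(wc -c < "$path" | tr -d ' ')"
    has_setid "$path" && echo 'NOTE: setuid/setgid bit set'
    suspicious_name "$path" && echo 'NOTE: non-printable bytes in file name'
    # file(1) identifies known types; a zero-length file just reports "empty".
    command -v file >/dev/null 2>&1 && file -b "$path"
    # strings(1) may reveal paths or names of other dropped files.
    command -v strings >/dev/null 2>&1 && strings -n 6 "$path" | head -n 20
    return 0
}

# Usage: triage_file '/root/<weird name>'
```

Run it against a copy of the file taken with `cp -p` if you would rather not touch the original in place.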