Date: Fri, 29 Oct 2004 22:51:40 +0000
From: Daniela <dgw@liwest.at>
To: Benjamin Walkenhorst <krylon@gmx.net>
Cc: questions@freebsd.org
Subject: Re: Strange file appeared in my home directory
Message-ID: <200410292251.40307.dgw@liwest.at>
In-Reply-To: <41814A0F.7050909@gmx.net>
References: <200410282113.34529.dgw@liwest.at> <41814A0F.7050909@gmx.net>
On Thursday 28 October 2004 19:35, Benjamin Walkenhorst wrote:
> Hello,
>
> Daniela wrote:
> > I noticed a file called "regs" in my home directory (which is 21 megs in
> > size) and I have no clue where it comes from. The file format is not
> > recognized by any of the common tools. The creation date was about four
> > days ago, so if I created it, I would have remembered.
> > I looked at the file with the hexeditor and it seems to consist of lots of
> > four-byte values which look like addresses on the stack of an application.
>
> I've never heard of such a thing happening...
>
> > About half an hour before the creation date there were numerous failed
> > login attempts on the SSH port (all from the same IP), but my logs didn't
> > show any signs of an intrusion.
> > However, I suspect that I've been hacked.
>
> Well, /if/ someone intruded your system, she/he surely would remove all
> possible evidence (unless it's someone *really* stupid).

It's perfectly possible to forget a file. Maybe the intruder saw me logging in
and was too busy with deleting the logfiles before I noticed it.

> If your machine was compromised, I suggest, you take it offline *now*
> and inspect it thoroughly. There is a piece of software called "The
> Coroner's Toolkit" (TCK) which I think is made for that.

I quickly checked my system with the native FreeBSD tool "chkrootkit". It
showed the following files as infected: ps, ls, date, chsh and chfn. Now I'm
really scared. However, I heard that this tool has a bug which gives false
alarm for five files, but I don't know if I have a buggy version.

> More easily, you can checksum your system files and compare them with a
> clean install. If you have recent backups, you can use these as well.

That's not so easy for me, because I'm tracking -STABLE and have debug
symbols everywhere. I do have backups, but currently I don't have the time
for that. Moreover, I planned to reformat anyway as soon as 5.3 is out.

> If you are afraid a rootkit might have been installed - I don't know if
> these exist for FreeBSD, but I wouldn't be surprised... - you should
> consider booting from trusted media and inspecting the system, since
> sometimes root kits hide the intruder's files (at least for systems like
> Linux and Solaris, but again, I don't think FreeBSD will be much different
> in that regard).
>
> > There was another strange occurrence:
> > Yesterday my internet connection went down without a particular reason.
> > I tested a few other configurations and rebooted multiple times, and after
> > the fifth reboot (with the usual settings restored) it suddenly worked
> > again.
>
> Mmmh. Maybe your provider just had some problem... Who knows?

Unlikely, because other people with the same ISP didn't have problems.

> > Also there were quite a few crashes.
>
> Unless you have a static IP, it would be quite hard for the intruder to
> get in again. (OTOH, I don't think it would be hard to make a system send
> a message to the internet upon connection)

Of course I have a static IP, I'm running an SSH server.

[...]

> It is after all still possible that it's just... I don't know...
> something really weird. Sometimes applications will create such things for
> no apparent reason (from a user's point of view at least). Of course, this
> would be unusual, but not impossible.

I don't think this is the reason. On the creation day I didn't run any
programs other than the ones I already know, and no one except me has root
(hopefully this is still the case).

> Still, if you have security-concerns, I suggest you take the box offline
> and examine it. As a side-effect, this is probably very interesting.

Thanks for your reply!
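Benjamin's suggestion of checksumming system files against a clean install, worked through as an added example that is not part of the thread: a baseline of SHA-256 digests is recorded from a trusted tree (install media or a clean backup) and the live system is compared against it, reporting exactly which binaries differ. The sample "trusted" and "live" trees and the altered ps and ls copies are constructed in a temporary directory for the demo; the script assumes either FreeBSD's sha256(1) or sha256sum(1) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): compare live system binaries against a
# checksum baseline taken from trusted media. FreeBSD's mtree(8) can record a
# similar spec natively; this version only needs a SHA-256 tool.
set -u

# Use sha256(1) on FreeBSD, sha256sum(1) elsewhere.
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# make_baseline ROOT FILE...: one "digest path" line per file under ROOT.
make_baseline() {
    root=$1; shift
    for f in "$@"; do
        printf '%s %s\n' "$(digest "$root/$f")" "$f"
    done
}

# verify_baseline ROOT BASELINE: flag files that are missing or whose digest
# changed. Returns 0 only if every listed file matches the baseline.
verify_baseline() {
    root=$1; baseline=$2; bad=0
    while read -r want f; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING  $f"; bad=1
        elif [ "$(digest "$root/$f")" != "$want" ]; then
            echo "MODIFIED $f"; bad=1
        else
            echo "ok       $f"
        fi
    done < "$baseline"
    return $bad
}

# Constructed demo: a clean tree plus a live copy in which ps and ls have been
# altered (two of the five files chkrootkit reported). Prints the mismatch count.
demo() {
    tmp=$(mktemp -d); trusted=$tmp/trusted; live=$tmp/live
    mkdir -p "$trusted/bin" "$live/bin"
    for f in ps ls date chsh chfn; do
        printf 'clean %s binary\n' "$f" > "$trusted/bin/$f"
        cp "$trusted/bin/$f" "$live/bin/$f"
    done
    printf 'altered\n' >> "$live/bin/ps"
    printf 'altered\n' >> "$live/bin/ls"
    make_baseline "$trusted" bin/ps bin/ls bin/date bin/chsh bin/chfn > "$tmp/baseline"
    verify_baseline "$live" "$tmp/baseline" | grep -c MODIFIED
    rm -rf "$tmp"
}
```

For a real check, run make_baseline against the mounted trusted media and verify_baseline against the suspect root while booted from that media, so a modified ls or ps on the suspect disk cannot influence the comparison.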