From: Daniela
Reply-To: dgw@liwest.at
To: Benjamin Walkenhorst
cc: questions@freebsd.org
Date: Fri, 29 Oct 2004 22:51:40 +0000
Subject: Re: Strange file appeared in my home directory
In-Reply-To: <41814A0F.7050909@gmx.net>
Message-Id: <200410292251.40307.dgw@liwest.at>

On Thursday 28 October 2004 19:35, Benjamin Walkenhorst wrote:
> Hello,
>
> Daniela wrote:
> > I noticed a file called "regs" in my home directory (which is 21 megs in
> > size) and I have no clue where it comes from. The file format is not
> > recognized by any of the common tools. The creation date was about four
> > days ago, so if I created it, I would have remembered.
> > I looked at the file with the hexeditor and it seems to consist of lots of
> > four-byte values which look like addresses on the stack of an application.
>
> I've never heard of such a thing happening...
>
> > About half an hour before the creation date there were numerous failed
> > login attempts on the SSH port (all from the same IP), but my logs didn't
> > show any signs of an intrusion.
> > However, I suspect that I've been hacked.
>
> Well, /if/ someone intruded your system, she/he surely would remove all
> possible evidence (unless it's someone *really* stupid).

It's perfectly possible to forget a file. Maybe the intruder saw me logging
in and was too busy with deleting the logfiles before I noticed it.

> If your machine was compromised, I suggest you take it offline *now*
> and inspect it thoroughly. There is a piece of software called "The
> Coroner's Toolkit" (TCK) which I think is made for that.

I quickly checked my system with the native FreeBSD tool "chkrootkit". It
showed the following files as infected: ps, ls, date, chsh and chfn.
Now I'm really scared.
However, I heard that this tool has a bug which gives false alarm for five
files, but I don't know if I have a buggy version.

> More easily, you can checksum your system files and compare them with a
> clean install.
> If you have recent backups, you can use these as well.

That's not so easy for me, because I'm tracking -STABLE and have debug
symbols everywhere. I do have backups, but currently I don't have the time
for that. Moreover, I planned to reformat anyway as soon as 5.3 is out.

> If you are afraid a rootkit might have been installed - I don't know if
> these exist for FreeBSD, but I wouldn't be surprised... - you should
> consider booting from trusted media and inspecting the system, since
> sometimes root kits hide the intruder's files (at least for systems like
> Linux and Solaris, but again, I don't think FreeBSD will be much different
> in that regard).
>
> > There was another strange occurrence:
> > Yesterday my internet connection went down without a particular reason.
> > I tested a few other configurations and rebooted multiple times, and after
> > the fifth reboot (with the usual settings restored) it suddenly worked
> > again.
>
> Mmmh. Maybe your provider just had some problem... Who knows?

Unlikely, because other people with the same ISP didn't have problems.

> > Also there were quite a few crashes.
>
> Unless you have a static IP, it would be quite hard for the intruder to
> get in again.
> (OTOH, I don't think it would be hard to make a system send a message to
> the internet upon connection)

Of course I have a static IP; I'm running an SSH server.

[...]

> It is after all still possible that it's just... I don't know...
> something really weird. Sometimes applications will create such things
> for no apparent reason (from a user's point of view at least). Of
> course, this would be unusual, but not impossible.

I don't think this is the reason. On the creation day I didn't run any
programs other than the ones I already know, and no one except me has root
(hopefully this is still the case).

> Still, if you have security concerns, I suggest you take the box offline
> and examine it.
> As a side-effect, this is probably very interesting.

Thanks for your reply!
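The checksum comparison suggested in the thread (hash the system files from a clean install, a backup, or a boot from trusted media, then compare the suspect system against that record) can be scripted as below. This is an added example, not code from the thread or from FreeBSD; it assumes GNU `sha256sum` or FreeBSD's `sha256` is on PATH, and it uses a constructed tree of small files as stand-ins for the binaries chkrootkit flagged (ps, ls, date, chsh, chfn). Because a rootkit may replace exactly the tools used to inspect the system, the manifest and the hashing utilities should themselves come from trusted media when this is run for real.

```shell
#!/bin/sh
# Added example (not from the thread): record SHA-256 digests of files taken
# from a trusted source and compare a suspect tree against that manifest.
# Assumes GNU sha256sum or FreeBSD sha256 is on PATH.

# Hash one file, printing only the hex digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_manifest ROOT OUT: write "digest  relative/path" for every regular
# file below ROOT, sorted so two manifests can also be diffed directly.
make_manifest() {
    root=$1; out=$2
    : > "$out"
    find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "${f#"$root"/}" >> "$out"
    done
}

# verify_manifest MANIFEST ROOT: print one line per file that is missing
# from ROOT or whose digest differs; exit 0 only when everything matches.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r expected rel; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$rel"; bad=$((bad + 1))
        elif [ "$(hash_file "$f")" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$rel"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Demo on a constructed tree (stand-ins for /bin binaries, not real ones).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/suspect/bin"
    for name in ls ps date chsh chfn; do
        printf 'contents of %s\n' "$name" > "$work/clean/bin/$name"
    done
    cp "$work/clean/bin/"* "$work/suspect/bin/"
    make_manifest "$work/clean" "$work/manifest"

    # Simulate what a replaced binary and a deleted file look like to the check.
    printf 'replaced\n' > "$work/suspect/bin/ps"
    rm "$work/suspect/bin/date"

    verify_manifest "$work/manifest" "$work/suspect" || echo "verification FAILED"
    rm -rf "$work"
}
demo
```

In practice the manifest would be built once from the clean source (`make_manifest /mnt/clean /media/manifest.txt`) and kept off the suspect machine; `verify_manifest` then reports exactly which files differ, which settles whether a chkrootkit hit on ps or ls is real or a false alarm.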