From owner-freebsd-questions@FreeBSD.ORG Fri Oct 29 21:13:06 2004
From: Daniela
Reply-To: dgw@liwest.at
To: Miguel Mendez
Cc: questions@freebsd.org
Date: Fri, 29 Oct 2004 23:14:16 +0000
Subject: Re: Strange file appeared in my home directory
Message-Id: <200410292314.16426.dgw@liwest.at>
References: <200410282113.34529.dgw@liwest.at> <20041028214443.2694d707.flynn@energyhq.es.eu.org>
In-Reply-To: <20041028214443.2694d707.flynn@energyhq.es.eu.org>
List-Id: User questions

On Thursday 28 October 2004 19:44, Miguel Mendez wrote:
> On Thu, 28 Oct 2004 21:13:34 +0000
> Daniela wrote:
>
> > Hi,
> >
> > I noticed a file called "regs" in my home directory (which is 21 megs
> > in size) and I have no clue where it comes from. The file format is
> > not recognized by any of the common tools. The creation date was about
> > four days ago, so if I created it, I would have remembered.
>
> I've never seen such file, my guess is that anyone breaking into someone
> else's computer would hide his stuff, but you never know. Google didn't
> turn any useful hit either. With this and the rest of your post I have
> reasons to believe that you haven't been broken into. However, if you're
> suspicious you could back up the 'evidence', in this case the regs file
> and other unusual stuff you might find, wipe the system out and reinstall
> and restore data from a good backup.
>
> > I looked at the file with the hexeditor and it seems to consist of
> > lots of four-byte values which look like addresses on the stack of an
> > application.
>
> What do those values look like?

AFAIK the stack normally begins at (little endian) 0x40FCBFBF, and the file
is full of values that are just a bit less than that, and there are also
many values that are small enough to be indexes to arrays. There are no
printable ASCII strings in it, and the whole file seems to be aligned on a
4-byte boundary.

[...]

> > However, I suspect that I've been hacked. There was another strange
> > occurrence: Yesterday my internet connection went down without a
> > particular reason. I tested a few other configurations and rebooted
> > multiple times, and after the fifth reboot (with the usual settings
> > restored) it suddenly worked again. There seem to be no unusual
> > processes running, but when I'm hacked, I can't trust the tools on my
> > system any more. Also there were quite a few crashes.
>
> Do you run any services on that box besides ssh?
> Apache/Sendmail/Whathaveyou? Anything unusual in the logs?

I have numerous services active within my LAN, but none except SSH is
reachable from outside. I regularly verify this by portscanning my machine
from somewhere else. My local users can be trusted.

> > Has anyone seen this file too?
> >
> > In case anyone wants to know, the offending IP was 200.84.78.83.
>
> That IP resolves to 200-84-78-83.genericrev.cantv.net, either a
> compromised Windows box or a script-kiddiot computer, too lazy to nmap
> it now :)

I already tried to do a portscan, but the box either has a good firewall,
or it is always offline.

Thanks for your reply!
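The hex-editor observations above (4-byte alignment, words just below the stack top, small index-like values, no printable strings) can be checked mechanically when triaging an unknown file. The following is an added example, not code from the thread; the stack-top address and the sample bytes are assumptions constructed for the demonstration, and a real run would point `word_profile` at the actual file with the platform's own stack top.

```python
"""Triage an unknown binary file as a sequence of little-endian 32-bit words."""
import struct
from collections import Counter

PRINTABLE = set(range(0x20, 0x7F))


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII bytes (like strings(1))."""
    best = run = 0
    for b in data:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best


def word_profile(data: bytes, stack_top: int, window: int = 0x100000) -> dict:
    """Count stack-like, small (index-like) and other words, check alignment.

    stack_top is the address the user stack grows down from (caller-supplied
    assumption); a word within `window` bytes below it counts as stack-like.
    """
    n_words, tail = divmod(len(data), 4)
    words = struct.unpack("<%dI" % n_words, data[: n_words * 4])
    counts = Counter()
    for w in words:
        if stack_top - window <= w < stack_top:
            counts["stack_like"] += 1
        elif w < 0x10000:
            counts["small"] += 1  # plausible array index or counter
        else:
            counts["other"] += 1
    return {
        "words": n_words,
        "aligned": tail == 0,  # file length is a multiple of 4
        "stack_like": counts["stack_like"],
        "small": counts["small"],
        "other": counts["other"],
        "longest_ascii_run": longest_printable_run(data),
        "top_words": [hex(w) for w, _ in Counter(words).most_common(3)],
    }


# Constructed sample: assumed stack top plus eight words mimicking the description.
STACK_TOP = 0xBFBFFFFC  # hypothetical value, not taken from the thread
SAMPLE = struct.pack("<8I", 0xBFBFFE00, 0xBFBFFE10, 7, 0xBFBFFE00,
                     3, 0x08048000, 0xBFBFFE10, 0xBFBFFE00)

if __name__ == "__main__":
    print(word_profile(SAMPLE, STACK_TOP))
```

A file that is mostly stack-like and small words with a zero-length ASCII run matches the description in the thread; a long ASCII run or an unaligned tail would argue for a different format.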