From: Glenn McCalley
To: Josh Paetzel
Cc: freebsd-questions@FreeBSD.ORG
Date: Tue, 1 Aug 2000 22:28:09 -0400 (EDT)
Subject: Re: What the heck is -this- file?

Malicious - my first thought as well. This machine is a box leased to a
single client with maybe 6 IDs on it, so if it's someone not nice I'd say
it's coming from outside. Tried my best to see if there really -is- some
file content there despite the 0 byte count but couldn't see anything. Oh
well, suppose it's time for them to do the security review.

Thanks!
Glenn.

On Tue, 1 Aug 2000, Josh Paetzel wrote:

> ----- Original Message -----
> From: "Glenn McCalley"
> To: "Josh Paetzel"
> Cc:
> Sent: Tuesday, August 01, 2000 8:59 PM
> Subject: Re: What the heck is -this- file?
>
> > Ahhh, but you don't understand...
> > That's just the point - the "gobbledygook" -is- the file name as shown by
> > "ls -l"
> > Glenn.
>
> In that case I would start to wonder about the integrity of my system from
> either a hardware standpoint, or perhaps a malicious "user" standpoint.
>
> > On Tue, 1 Aug 2000, Josh Paetzel wrote:
> >
> > > ----- Original Message -----
> > > From: "Glenn McCalley"
> > > To:
> > > Sent: Tuesday, August 01, 2000 7:56 PM
> > > Subject: What the heck is -this- file?
> > >
> > > > What??!!
> > > > Just poking around and found the following file entry in /apache/htdocs:
> > > >
> > > > -rwsr-sr-t 1 root wheel 0 Mar 28 15:33 J-=FFyq>=F6tn0=1D=EA?
> > > > =EE=D3=A5~o=A8Q=8D=11R>s=D5:N5Y;=CDjO=BB=FA=D5-Ou=C58DW=C7<=D9=A25ln}e8$=E2=E2'Y=F6E"=AEcFk=BA=F6=A1=04
> > > > =F5=CDfC=EBa=D6R s
> > > >
> > > > Kinda odd that it's suid, owned by root, with a sticky bit set? -0-
> > > > bytes in size? Is that right?
> > > >
> > > > I was able to delete it, but other than sunspots, any thoughts on how it
> > > > got there?
> > > >
> > > > Thanks!
> > > > Glenn.
> > >
> > > I don't know, but hopefully the same thing that made that file didn't put
> > > the gobbledygook into your email as well. :)
> > >
> > > Josh
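
A check of the kind the security review mentioned in this thread would start with, as an added example that is not part of the original messages: it walks a tree such as a web document root and reports set-id regular files and names containing non-printable bytes, escaping those bytes for display. The function names and the printable-ASCII naming policy are assumptions of this example.

```python
import os
import stat
import sys

# Bytes treated as normal in a file name: printable ASCII only (an assumption;
# widen it if the tree legitimately holds UTF-8 names).
PRINTABLE = set(range(0x20, 0x7F))


def classify(name: bytes, mode: int, size: int, uid: int) -> list:
    """Return the reasons a directory entry deserves a closer look."""
    reasons = []
    if any(b not in PRINTABLE for b in name):
        reasons.append("non-printable name")
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            reasons.append("setuid root" if uid == 0 else "setuid")
        if mode & stat.S_ISGID:
            reasons.append("setgid")
        if mode & stat.S_ISVTX:
            reasons.append("sticky bit on regular file")
        if size == 0 and mode & (stat.S_ISUID | stat.S_ISGID):
            reasons.append("zero-length set-id file")
    return reasons


def scan(root: str) -> list:
    """Walk root without following symlinks; return (escaped_path, mode, reasons)."""
    findings = []
    # Walking with a bytes path keeps undecodable names intact.
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            reasons = classify(name, st.st_mode, st.st_size, st.st_uid)
            if reasons:
                # repr() escapes control bytes so a report cannot garble a terminal
                findings.append((repr(path)[2:-1], stat.filemode(st.st_mode), reasons))
    return findings


if __name__ == "__main__":
    for shown, mode, reasons in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{mode} {shown}: {', '.join(reasons)}")
```

Run it with the directory to inspect as the only argument; a mode of `-rwsr-sr-t` in the output corresponds to octal 7755 on a regular file.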