Strange file appeared in my home directory

Benjamin Walkenhorst krylon at
Thu Oct 28 12:35:46 PDT 2004


Daniela wrote:

>I noticed a file called "regs" in my home directory (which is 21 megs in size) 
>and I have no clue where it comes from. The file format is not recognized by 
>any of the common tools. The creation date was about four days ago, so if I 
>created it, I would have remembered.
>I looked at the file with the hexeditor and it seems to consist of lots of 
>four-byte values which look like addresses on the stack of an application.

I've never heard of such a thing happening...

>About half an hour before the creation date there were numerous failed login 
>attempts on the SSH port (all from the same IP), but my logs didn't show any 
>signs of an intrusion.
>However, I suspect that I've been hacked. 
Well, /if/ someone intruded your system, she/he surely would remove all 
possible evidence
(unless it's someone *really* stupid).

If your machine was compromised, I suggest, you take it offline *now* 
and inspect it
thoroughly. There is a piece of software called "The Coroner's Toolkit" 
(TCK) which I
think is made for that.
More easily, you can checksum your system files and compare them with a 
clean install.
If you have recent backups, you can use these at well.

If you are afraid a rootkit might have been installed - I don't know if 
these exist for FreeBSD,
but I wouldn't be surprised... - you should consider booting from 
trusted media and inspecting
the system, since sometimes root kits hide the intruder's files (at 
least for systems like Linux
and Solaris, but again, I don't think FreeBSD will be much different in 
that regard).

>There was another strange occurence: 
>Yesterday my internet connection went down without a particular reason.
>I tested a few other configurations and rebooted multiple times, and after the 
>fifth reboot (with the usual settings restored) it suddenly worked again.

Mmmh. Maybe your provider just had some problem... Who knows?

>Also there were quite a few crashes.

Unless you have a static IP, it would be quite hard for the intruder to 
get in again.
(OTOH, I don't think it would be hard to make a system send a message to 
the internet
upon connection)

Also, I suggest to look through your hardware - I had lots of crashes 
for some time, till
I replaced my power supply. Now my machine runs like a champ. =)

>In case anyone wants to know, the offending IP was
If it was a dial-up connection, that doesn't mean anything. Maybe it's 
also a machine that's
already compromised.

Before you start wearing a foil-hat, remember that all of the above only 
applies if your
system was indeed compromised (how I /love/ that word, it sounds so 
It is after all still posibble that it's just... I don't know... 
something really weird. Sometimes
applications will create such things for no apparent reason (from a 
users point of view at
least). Of course, this would be unusual, but not impossible.

Still, if you have security-concerns, I suggest you take the box offline 
and examine it.
As a side-effect, this is probably very interesting.

I wish you good luck (and that your system be still intact)!

Kind regards,

More information about the freebsd-questions mailing list