Strange file appeared in my home directory

Miguel Mendez flynn at energyhq.es.eu.org
Thu Oct 28 12:44:09 PDT 2004


On Thu, 28 Oct 2004 21:13:34 +0000
Daniela <dgw at liwest.at> wrote:

Hi,

> I noticed a file called "regs" in my home directory (which is 21 megs
> in size) and I have no clue where it comes from. The file format is
> not recognized by any of the common tools. The creation date was about
> four days ago, so if I created it, I would have remembered.

I've never seen such a file, my guess is that anyone breaking into someone
else's computer would hide his stuff, but you never know. Google didn't
turn up any useful hit either. With this and the rest of your post I have
reasons to believe that you haven't been broken into. However, if you're
suspicious you could back up the 'evidence', in this case the regs file
and other unusual stuff you might find, wipe the system out and reinstall
and restore data from a good backup.

> I looked at the file with the hexeditor and it seems to consist of
> lots of four-byte values which look like addresses on the stack of an
> application.

What do those values look like?

> About half an hour before the creation date there were numerous failed
> login attempts on the SSH port (all from the same IP), but my logs
> didn't show any signs of an intrusion.

The ssh scans seem to be common. There's an automated tool out there
with a hardcoded weak name/pass list. My suggestion for that is, if you
only need ssh access from specific places, set up a firewall rule to allow
only those IP addresses.

> However, I suspect that I've been hacked. There was another strange
> occurrence: Yesterday my internet connection went down without a
> particular reason. I tested a few other configurations and rebooted
> multiple times, and after the fifth reboot (with the usual settings
> restored) it suddenly worked again. There seem to be no unusual
> processes running, but when I'm hacked, I can't trust the tools on my
> system any more. Also there were quite a few crashes.

Do you run any services on that box besides ssh?
Apache/Sendmail/Whathaveyou? Anything unusual in the logs?

> Has anyone seen this file too?
> In case anyone wants to know, the offending IP was 200.84.78.83.

That IP resolves to 200-84-78-83.genericrev.cantv.net, either a
compromised Windows box or a script-kiddiot computer, too lazy to nmap
it now :)

Cheers,
-- 
	Miguel Mendez <flynn at energyhq.es.eu.org>
	http://www.energyhq.es.eu.org
	PGP Key: 0xDC8514F1
	Note: All HTML mail goes to /dev/null
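Two questions come up in the exchange above: what the four-byte values in the unknown file actually look like, and whether the failed SSH logins in the log are just a password-guessing scan. The script below is an added example, not code from either poster; it reads a file as 32-bit words and reports how they cluster (the 0xbf000000 range used as a "stack-like" hint is an assumption about an i386 user stack, not a fact from the thread), and it counts failed sshd logins per source address from log lines. Both the word buffer and the log lines are constructed samples embedded inline.

```python
import re
import struct
from collections import Counter

# Constructed sample "regs"-style buffer: 32-bit little-endian words, several of
# them clustered in a range that looks like i386 user-stack addresses (assumption).
SAMPLE_WORDS = [0xbfbfe9c4, 0xbfbfe9d0, 0xbfbfea00, 0x0804a3c8,
                0x00000000, 0xbfbfe9c4, 0x28101234, 0xbfbfeb10]
SAMPLE_BUF = b"".join(struct.pack("<I", v) for v in SAMPLE_WORDS)

# Constructed sshd log lines in the usual syslog layout (addresses are TEST-NET, not real hosts).
SAMPLE_LOG = """\
Oct 24 03:12:01 box sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4431 ssh2
Oct 24 03:12:03 box sshd[1236]: Failed password for root from 198.51.100.7 port 4433 ssh2
Oct 24 03:12:05 box sshd[1238]: Failed password for invalid user test from 198.51.100.7 port 4435 ssh2
Oct 24 03:40:10 box sshd[1301]: Accepted publickey for daniela from 203.0.113.5 port 50122 ssh2
Oct 24 03:41:00 box sshd[1305]: Failed password for daniela from 203.0.113.5 port 50130 ssh2
"""

STACK_LO, STACK_HI = 0xbf000000, 0xbfffffff  # assumed i386 user-stack window


def words(data, endian="<"):
    """Split a byte string into unsigned 32-bit words; trailing odd bytes are ignored."""
    n = len(data) // 4
    return list(struct.unpack(endian + "I" * n, data[:n * 4]))


def summarize_words(data, endian="<", top=3):
    """Describe how the words cluster: count, distinct values, how many fall in the
    assumed stack window, and the most common high bytes (address-like data clusters)."""
    ws = words(data, endian)
    high = Counter(w >> 24 for w in ws)
    return {
        "count": len(ws),
        "distinct": len(set(ws)),
        "stack_like": sum(1 for w in ws if STACK_LO <= w <= STACK_HI),
        "top_high_bytes": high.most_common(top),
    }


FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_logins_by_ip(log_text):
    """Count failed sshd password attempts per source address and the user names tried."""
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, ip = m.group(1), m.group(2)
        entry = per_ip.setdefault(ip, {"failures": 0, "users": set()})
        entry["failures"] += 1
        entry["users"].add(user)
    return per_ip


def scan_sources(log_text, threshold=3):
    """Addresses at or above the failure threshold, i.e. candidates for a firewall block."""
    return sorted(ip for ip, e in failed_logins_by_ip(log_text).items()
                  if e["failures"] >= threshold)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUF
    print(summarize_words(data))
    print(failed_logins_by_ip(SAMPLE_LOG))
    print("scan sources:", scan_sources(SAMPLE_LOG))
```

Run it with a path to read a real file, or with no argument to see the constructed sample. A buffer whose words mostly share one high byte and sit in one narrow range is consistent with the "addresses on the stack" impression from the hex editor; a source address that fails many times against several user names in quick succession matches the automated weak-password scan described in the reply, and is the kind of address a firewall allow-list would keep out.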