Strange file appeared in my home directory
Benjamin Walkenhorst
krylon at gmx.net
Thu Oct 28 12:35:46 PDT 2004
Hello,
Daniela wrote:
>I noticed a file called "regs" in my home directory (which is 21 megs in size) and I have no clue where it comes from. The file format is not recognized by any of the common tools. The creation date was about four days ago, so if I created it, I would have remembered.
>I looked at the file with the hexeditor and it seems to consist of lots of four-byte values which look like addresses on the stack of an application.
I've never heard of such a thing happening...
>About half an hour before the creation date there were numerous failed login attempts on the SSH port (all from the same IP), but my logs didn't show any signs of an intrusion.
>However, I suspect that I've been hacked.
Well, /if/ someone intruded your system, she/he surely would remove all possible evidence (unless it's someone *really* stupid).
If your machine was compromised, I suggest you take it offline *now* and inspect it thoroughly. There is a piece of software called "The Coroner's Toolkit" (TCK) which I think is made for that.
More easily, you can checksum your system files and compare them with a clean install. If you have recent backups, you can use these as well.
If you are afraid a rootkit might have been installed - I don't know if these exist for FreeBSD, but I wouldn't be surprised... - you should consider booting from trusted media and inspecting the system, since sometimes rootkits hide the intruder's files (at least for systems like Linux and Solaris, but again, I don't think FreeBSD will be much different in that regard).
>There was another strange occurrence:
>Yesterday my internet connection went down without a particular reason. I tested a few other configurations and rebooted multiple times, and after the fifth reboot (with the usual settings restored) it suddenly worked again.
Mmmh. Maybe your provider just had some problem... Who knows?
>Also there were quite a few crashes.
Unless you have a static IP, it would be quite hard for the intruder to get in again. (OTOH, I don't think it would be hard to make a system send a message to the internet upon connection.)
Also, I suggest you look through your hardware - I had lots of crashes for some time, till I replaced my power supply. Now my machine runs like a champ. =)
>In case anyone wants to know, the offending IP was 200.84.78.83.
If it was a dial-up connection, that doesn't mean anything. Maybe it's also a machine that's already compromised.
Before you start wearing a foil-hat, remember that all of the above only applies if your system was indeed compromised (how I /love/ that word, it sounds so serious...).
It is after all still possible that it's just... I don't know... something really weird. Sometimes applications will create such things for no apparent reason (from a user's point of view at least). Of course, this would be unusual, but not impossible.
Still, if you have security concerns, I suggest you take the box offline and examine it. As a side-effect, this is probably very interesting.
I wish you good luck (and that your system be still intact)!
Kind regards,
Benjamin
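The "checksum your system files and compare them with a clean install" step from the reply above, written out as an added example (this is not code from the original post, from FreeBSD, or from The Coroner's Toolkit). It builds a SHA-256 manifest of a known-good tree, then diffs a suspect tree against it and reports added, removed and modified files. The one-line-per-file manifest format and the placeholder file contents in the demo are assumptions constructed for the example; the baseline should be produced from trusted media or a clean install, not from the suspect machine's own binaries.

```python
"""Compare a filesystem tree against a known-good SHA-256 manifest (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Return the hex SHA-256 digest of a file, read in chunks so large files fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under `root` (as a relative path) to its digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def dump_manifest(manifest):
    """Serialise as '<sha256>  <relative path>' lines (assumed format, like sha256sum output)."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def load_manifest(text):
    """Parse the format written by dump_manifest back into a dict."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            manifest[path] = digest
    return manifest


def compare(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def _write(root, rel, data):
    """Helper for the demo: create rel under root with the given bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a clean tree and a suspect copy with three differences."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "bin/ls", b"placeholder: ls\n")
            _write(root, "bin/ps", b"placeholder: ps\n")
            _write(root, "etc/rc.conf", b'sshd_enable="YES"\n')
        _write(suspect, "bin/ps", b"placeholder: replaced ps\n")  # modified file
        os.remove(os.path.join(suspect, "etc", "rc.conf"))          # removed file
        _write(suspect, "regs", b"\x00" * 64)                       # unexpected new file
        # Round-trip through the text format, as a saved baseline would be.
        baseline = load_manifest(dump_manifest(build_manifest(clean)))
        return compare(baseline, build_manifest(suspect))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

In practice the manifest for the clean install is written once and stored off the machine; the comparison is then run from a boot of trusted media against the suspect disk, so that a kernel-level rootkit on the running system cannot hide or alter the files being hashed.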
More information about the freebsd-questions mailing list