Strange file appeared in my home directory

[Daniela]

On Thursday 28 October 2004 19:35, Benjamin Walkenhorst wrote:
> Hello,
>
> Daniela wrote:
> >I noticed a file called "regs" in my home directory (which is 21 megs in
> > size) and I have no clue where it comes from. The file format is not
> > recognized by any of the common tools. The creation date was about four
> > days ago, so if I created it, I would have remembered.
> >I looked at the file with the hexeditor and it seems to consist of lots of
> >four-byte values which look like addresses on the stack of an application.
>
> I've never heard of such a thing happening...
>
> >About half an hour before the creation date there were numerous failed
> > login attempts on the SSH port (all from the same IP), but my logs didn't
> > show any signs of an intrusion.
> >However, I suspect that I've been hacked.
>
> Well, /if/ someone intruded your system, she/he surely would remove all
> possible evidence
> (unless it's someone *really* stupid).

It's perfectly possible to forget a file. Maybe the intruder saw me logging in 
and was too busy with deleting the logfiles before I notice it.

> If your machine was compromised, I suggest, you take it offline *now*
> and inspect it
> thoroughly. There is a piece of software called "The Coroner's Toolkit"
> (TCK) which I
> think is made for that.

I quickly checked my system with the native FreeBSD tool "chkrootkit". It 
showed the following files as infected: ps, ls, date, chsh and chfn.
Now I'm really scared. However, I heard that this tool has a bug which gives 
false alarm for five files, but I don't know if I have a buggy version.

> More easily, you can checksum your system files and compare them with a
> clean install.
> If you have recent backups, you can use these at well.

That's not so easy for me, because I'm tracking -STABLE and have debug symbols 
everywhere. I do have backups, but currently I don't have the time for that. 
Moreover, I planned to reformat anyway as soon as 5.3 is out.

> If you are afraid a rootkit might have been installed - I don't know if
> these exist for FreeBSD,
> but I wouldn't be surprised... - you should consider booting from
> trusted media and inspecting
> the system, since sometimes root kits hide the intruder's files (at
> least for systems like Linux
> and Solaris, but again, I don't think FreeBSD will be much different in
> that regard).
>
> >There was another strange occurence:
> >Yesterday my internet connection went down without a particular reason.
> >I tested a few other configurations and rebooted multiple times, and after
> > the fifth reboot (with the usual settings restored) it suddenly worked
> > again.
>
> Mmmh. Maybe your provider just had some problem... Who knows?

Unlikely, because other people with the same ISP didn't have problems.

> >Also there were quite a few crashes.
>
> Unless you have a static IP, it would be quite hard for the intruder to
> get in again.
> (OTOH, I don't think it would be hard to make a system send a message to
> the internet
> upon connection)

Of course I have a static IP, I'm running an SSH server.

[...]

> It is after all still posibble that it's just... I don't know...
> something really weird. Sometimes
> applications will create such things for no apparent reason (from a
> users point of view at
> least). Of course, this would be unusual, but not impossible.

I don't think this is the reason. On the creation day I didn't run any 
programs other than the ones I already know, and no one except me has root 
(hopefully this is still the case).

> Still, if you have security-concerns, I suggest you take the box offline
> and examine it.
> As a side-effect, this is probably very interesting.

Thanks for your reply!