Strange file appeared in my home directory
dgw at liwest.at
Fri Oct 29 14:13:06 PDT 2004
On Thursday 28 October 2004 19:44, Miguel Mendez wrote:
> On Thu, 28 Oct 2004 21:13:34 +0000
> Daniela <dgw at liwest.at> wrote:
> > I noticed a file called "regs" in my home directory (which is 21 megs
> > in size) and I have no clue where it comes from. The file format is
> > not recognized by any of the common tools. The creation date was about
> > four days ago, so if I created it, I would have remembered.
> I've never seen such file, my guess is that anyone breaking into someone
> else's computer would hide his stuff, but you never know. Google didn't
> turn any useful hit either. With this and the rest of your post I have
> reasons to believe that you haven't been broken into. However, if you're
> suspicious you could back up the 'evidence', in this case the regs file
> and other unsual stuff you might find, wipe the system out and reinstall
> and restore date from a good backup.
> > I looked at the file with the hexeditor and it seems to consist of
> > lots of four-byte values which look like addresses on the stack of an
> > application.
> What do those values look like?
AFAIK the stack normally begins at (little endian) 0x40FCBFBF, and the file is
full of values that are just a bit less than that, and there are also many
values that are small enough to be indexes to arrays. There are no printable
ASCII strings in it, and the whole file seems to be aligned on a 4-byte
> > However, I suspect that I've been hacked. There was another strange
> > occurence: Yesterday my internet connection went down without a
> > particular reason. I tested a few other configurations and rebooted
> > multiple times, and after the fifth reboot (with the usual settings
> > restored) it suddenly worked again. There seem to be no unusual
> > processes running, but when I'm hacked, I can't trust the tools on my
> > system any more. Also there were quite a few crashes.
> Do you run any services on that box besides ssh?
> Apache/Sendmail/Whathaveyou? Anything unusual in the logs?
I have numerous services active within my LAN, but none except SSH is
reachable from outside. I regularly verify this by portscanning my machine
from somewhere else. My local users can be trusted.
> > Has anyone seen this file too?
> > In case anyone wants to know, the offending IP was 22.214.171.124.
> That IP resolves to 200-84-78-83.genericrev.cantv.net, either a
> compromised Windows box or a script-kiddiot computer, too lazy to nmap
> it now :)
I already tried to do a portscan, but the box either has a good firewall, or
it is always offline.
Thanks for your reply!
More information about the freebsd-questions