On Sun, Apr 08, 2007 at 03:44:33PM -0700, Kamaraju Kusumanchi wrote:
> Hi all
> 
> Can someone throw some light on what the /var/tmp/fast-mech.tgz file and 
> the /var/tmp/raw directory do?
> 
> My system (Debian Etch) has been recently compromised and I deleted most of 
> the suspicious files. However I am not sure about these. Is it safe to delete 
> them or do you think some process expects them to be there?
> 
> According to FHS 2.3, files in /var/tmp are preserved across reboots and 
> applications might expect some temp files there. Other than that, I could not 
> find any other info on fast-mech.tgz file and on /var/tmp/raw directory...
> 
> 
> $ ls -al fast-mech.tgz raw
> -rw-r--r-- 1 rajulocal rajulocal 165248 2007-02-04 20:51 fast-mech.tgz
> 
> raw:
> total 1348
> drwxr-xr-x 2 rajulocal rajulocal   4096 2007-01-24 02:34 ./
> drwxrwxrwt 6 root      root        4096 2007-04-08 18:26 ../
> -rw-r--r-- 1 rajulocal rajulocal    273 2007-01-24 02:30 1
> -rw-r--r-- 1 rajulocal rajulocal    316 2007-01-24 02:30 2
> -rw-r--r-- 1 rajulocal rajulocal    316 2007-01-24 02:31 3
> -rw-r--r-- 1 rajulocal rajulocal  39415 2007-02-28 19:03 Chio.seen
> -rwxr-xr-x 1 rajulocal rajulocal 608374 2005-05-27 15:40 httpd
> -rw-r--r-- 1 rajulocal rajulocal  35268 2007-02-28 19:03 New.seen
> -rw-r--r-- 1 rajulocal rajulocal   1043 2007-02-28 19:03 raw.levels
> -rw------- 1 rajulocal rajulocal      6 2006-12-29 04:44 raw.pid
> -rw-r--r-- 1 rajulocal rajulocal   1043 2007-02-28 19:03 raw.session
> -rw-r--r-- 1 rajulocal rajulocal   1091 2007-01-24 02:34 raw.set
> -rwxr-xr-x 1 rajulocal rajulocal 608374 2005-05-27 15:40 sshd
> -rw-r--r-- 1 rajulocal rajulocal  35861 2007-02-28 19:03 VaLy.seen
> 
> $ tar tzvf fast-mech.tgz
> drwxr-xr-x piotr/piotr       0 2007-01-24 02:34 raw/
> -rw-r--r-- piotr/piotr     273 2007-01-24 02:30 raw/1
> -rw-r--r-- piotr/piotr     316 2007-01-24 02:30 raw/2
> -rw-r--r-- piotr/piotr     316 2007-01-24 02:31 raw/3
> -rw------- piotr/piotr       6 2006-12-29 04:44 raw/raw.pid
> -rw-r--r-- piotr/piotr    1091 2007-01-24 02:34 raw/raw.set
> -rwxr-xr-x piotr/piotr  608374 2005-05-27 15:40 raw/httpd
> 
> 
> Any help is greatly appreciated.
> 
> raju
> 
Looks like someone has put in an extra web-server for you and an sshd to 
control it with. Isn't that kind :)

If you wish to pass the machine on to law enforcement or your university 
sysadmins for a forensic-type investigation, do so now and don't touch 
anything else. You may also want to look at Helix and Auditor (two 
security-oriented Knoppix-type releases for security and forensics on a 
Live CD).

Otherwise: nuke it from orbit. Boot from a copy of knoppix or the Ubuntu 
live CD. Use tar to archive anything you really need and scp to copy it 
off the infected machine. [Booting from a live CD means that you 
shouldn't be using possibly infected binaries on the machine hard disk 
itself.] 

Use Darik's Boot and Nuke to wipe the disk as thoroughly as you can. 
Then re-install with Etch and clean media.

HTH,

Andy 
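As an added illustration of the "boot a live CD, salvage what you need, then nuke it" steps above (this is example code written for this page, not Andy's or anyone else's from the thread): a hypothetical POSIX shell script, salvage.sh, that assumes the compromised disk has already been mounted read-only and noexec from the live CD (the mount line is an assumed example, /dev/sda1 and /mnt/victim are placeholders), that GNU coreutils and GNU tar are available, and that an output directory on clean removable media is given as the second argument. Before copying anything it records SHA-256 hashes of everything under var/tmp, so the attacker's files are at least documented even though they are left behind, and it flags files under var/tmp that share the same content under different names, which is what the identical sizes of httpd and sshd in the listing above suggest. The sample tree it builds for testing is constructed, with invented contents.

```shell
#!/bin/sh
# salvage.sh (added example, hypothetical): run from a live CD, never from the
# compromised install. Assumed mount, so no binary on the infected disk runs:
#   mount -o ro,noexec,nosuid,nodev /dev/sda1 /mnt/victim
#
# Usage: sh salvage.sh /mnt/victim /media/usb home/rajulocal etc
#   $1    = mount point of the compromised root filesystem (read-only)
#   $2    = output directory on clean removable media
#   $3... = paths, relative to $1, that are actually worth keeping

# Hash every file under var/tmp before anything else is done, so what the
# attacker left behind is recorded without being copied. Prints the manifest path.
hash_suspect_tree() {
    root="$1"; out="$2"
    manifest="$out/var-tmp.sha256"
    (cd "$root" && find var/tmp -type f -exec sha256sum {} +) > "$manifest"
    echo "$manifest"
}

# Print each hash that occurs more than once in the manifest: one binary
# dropped under several names (httpd and sshd of identical size) shows up here.
duplicate_hashes() {
    cut -d' ' -f1 "$1" | sort | uniq -d
}

# Archive only the requested paths, excluding the two suspicious ones from the
# post, and write a checksum beside the archive so the scp'd copy can be
# verified on the clean host. Prints the archive path.
collect_data() {
    root="$1"; out="$2"; shift 2
    archive="$out/recovered.tar.gz"
    tar -C "$root" \
        --exclude='var/tmp/raw' --exclude='var/tmp/fast-mech.tgz' \
        -czf "$archive" "$@"
    (cd "$out" && sha256sum recovered.tar.gz > recovered.tar.gz.sha256)
    echo "$archive"
}

# Constructed sample tree mirroring the listing in the post (file contents are
# invented) so the script can be exercised without a real compromised disk.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/var/tmp/raw" "$root/home/rajulocal"
    printf 'fake bot binary\n' > "$root/var/tmp/raw/httpd"
    cp "$root/var/tmp/raw/httpd" "$root/var/tmp/raw/sshd"   # same bytes, two names
    printf 'archive of the above\n' > "$root/var/tmp/fast-mech.tgz"
    printf 'thesis draft\n' > "$root/home/rajulocal/thesis.txt"
}

# Only act when invoked with real arguments; sourcing the file does nothing.
if [ "$#" -ge 3 ]; then
    victim="$1"; out="$2"; shift 2
    m=$(hash_suspect_tree "$victim" "$out")
    echo "suspect files hashed to $m"
    for h in $(duplicate_hashes "$m"); do
        echo "same content under several names in var/tmp:"
        grep "^$h" "$m"
    done
    a=$(collect_data "$victim" "$out" "$@")
    echo "archive written to $a"
    echo "copy off with: scp $a $a.sha256 $m you@cleanhost:"
fi
```

The manifest is the cheap version of "record before you touch anything"; if the box really is going to law enforcement, take a full disk image from the live CD instead and leave the filesystem alone. Verify the archive on the receiving side with `sha256sum -c recovered.tar.gz.sha256` before the disk goes under DBAN.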



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]