I run an OpenBSD 5.5-stable amd64 server at home. Email, web, etc. Today
I was doing some maintenance and I found my way to /etc/rc.local. When I
opened it I saw this:
$ cat rc.local
# $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode. For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
I don't remember adding those lines to my rc.local file.
$ cd /etc && ls -al ./sfewfesfs
-rwsrwsrwt 1 root wheel 694680 Apr 4 07:47 /etc/sfewfesfs
$ file dsfrefr
dsfrefr: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped
Seems odd to have a bunch of randomly named executables running at boot.
And that they are compiled for 386 (I'm running amd64), and that they have
suid set, and to root.
$ clamscan *
dsfrefr: OK
ferwfrre: OK
gfhddsfew: OK
gfhjrtfyhuf: OK
rc.local: OK
rewgtf3er4t: OK
sdmfdsfhjfe: OK
sfewfesfs: OK
Scanned directories: 0
Scanned files: 8
Infected files: 0
Data scanned: 3.21 MB
Data read: 3.20 MB (ratio 1.00:1)
Time: 10.842 sec (0 m 10 s)
Hmm, ok let's run one.
$ ./dsfrefr
./dsfrefr[1]: syntax error: `(' unexpected
That's all any of them say when run.
So...have I been p0wned or does anyone know what innocent thing might be
happening here? Please CC [email protected] on any replies, as I'm not
subscribed to updates from the list.
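The triage in the post above (read rc.local, check the mode bits, check the file type of each binary it launches) can be scripted so it runs the same way every time. The script below is an added example for this thread, not code from the original post or from OpenBSD. It assumes the "cd DIR;./NAME" line shape the post shows and parses nothing else; the fixture it builds is constructed (only the name sfewfesfs is taken from the post, localdaemon and gone are made up), and the ELF "binary" is just the four-byte magic, not a runnable program.

```shell
#!/bin/sh
# audit_rc_local: report what an rc.local launches and which of those
# binaries carry attributes worth a second look. Added example for this
# thread, not code from the original post. Assumes the "cd DIR;./NAME"
# line shape seen in the post; other invocation styles are not parsed.

# Print one line per referenced binary: its path followed by any of
# "setuid", "setgid", "world-writable", "elf", or "MISSING".
audit_rc_local() {
    rcfile=$1
    grep -E '^[[:space:]]*cd [^;]+;[[:space:]]*\./' "$rcfile" |
    while IFS= read -r line; do
        dir=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*cd ([^;]+);.*/\1/')
        name=$(printf '%s\n' "$line" | sed -E 's/^.*;[[:space:]]*\.\/([^[:space:]]+).*/\1/')
        path="$dir/$name"
        if [ ! -e "$path" ]; then
            printf '%s MISSING\n' "$path"
            continue
        fi
        flags=""
        [ -u "$path" ] && flags="$flags setuid"
        [ -g "$path" ] && flags="$flags setgid"
        # test(1) has no world-writable operator; find's -perm -0002 works
        # on both GNU and BSD find.
        [ -n "$(find "$path" -perm -0002 2>/dev/null)" ] && flags="$flags world-writable"
        # Four-byte ELF magic (7f 45 4c 46). The post's file(1) output showed
        # statically linked i386 ELF objects, which the author did not expect.
        magic=$(od -An -N4 -tx1 "$path" | tr -d ' \n')
        [ "$magic" = "7f454c46" ] && flags="$flags elf"
        printf '%s%s\n' "$path" "$flags"
    done
}

# Number of entries to look at first: setuid, world-writable, or gone.
count_flagged() {
    audit_rc_local "$1" | grep -Ec 'setuid|world-writable|MISSING' || true
}

# Constructed fixture mirroring the post: a setuid, world-writable ELF stub
# with a random-looking name, one ordinary script, and one entry whose
# binary no longer exists. Names other than sfewfesfs are made up.
build_fixture() {
    root=$1
    mkdir -p "$root/etc"
    printf '\177ELF' > "$root/etc/sfewfesfs"        # ELF magic only, not runnable
    chmod 4777 "$root/etc/sfewfesfs"
    printf '#!/bin/sh\nexit 0\n' > "$root/etc/localdaemon"
    chmod 755 "$root/etc/localdaemon"
    printf 'cd %s;./sfewfesfs\ncd %s;./localdaemon\ncd %s;./gone\n' \
        "$root/etc" "$root/etc" "$root/etc" > "$root/rc.local"
}

demo=$(mktemp -d)
build_fixture "$demo"
audit_rc_local "$demo/rc.local"      # run against /etc/rc.local on a real host
rm -rf "$demo"
```

On a real host, point audit_rc_local at /etc/rc.local and compare the report against what you remember installing. An entry in /etc that is both setuid and world-writable, as in the post, has no legitimate reason to exist, and the next step is to preserve copies of the files and their timestamps before changing anything, rather than executing them.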