Re: Strange file appeared in my home directory

2004-10-29 Thread Daniela
On Thursday 28 October 2004 19:35, Benjamin Walkenhorst wrote:
 Hello,

 Daniela wrote:
 I noticed a file called regs in my home directory (which is 21 megs in
  size) and I have no clue where it comes from. The file format is not
  recognized by any of the common tools. The creation date was about four
  days ago, so if I created it, I would have remembered.
 I looked at the file with the hexeditor and it seems to consist of lots of
 four-byte values which look like addresses on the stack of an application.

 I've never heard of such a thing happening...

 About half an hour before the creation date there were numerous failed
  login attempts on the SSH port (all from the same IP), but my logs didn't
  show any signs of an intrusion.
 However, I suspect that I've been hacked.

 Well, /if/ someone intruded your system, she/he surely would remove all
 possible evidence
 (unless it's someone *really* stupid).

It's perfectly possible to forget a file. Maybe the intruder saw me logging in 
and was too busy with deleting the logfiles before I notice it.

 If your machine was compromised, I suggest, you take it offline *now*
 and inspect it
 thoroughly. There is a piece of software called The Coroner's Toolkit
 (TCK) which I
 think is made for that.

I quickly checked my system with the native FreeBSD tool chkrootkit. It 
showed the following files as infected: ps, ls, date, chsh and chfn.
Now I'm really scared. However, I heard that this tool has a bug which gives 
false alarm for five files, but I don't know if I have a buggy version.

 More easily, you can checksum your system files and compare them with a
 clean install.
 If you have recent backups, you can use these as well.

That's not so easy for me, because I'm tracking -STABLE and have debug symbols 
everywhere. I do have backups, but currently I don't have the time for that. 
Moreover, I planned to reformat anyway as soon as 5.3 is out.

 If you are afraid a rootkit might have been installed - I don't know if
 these exist for FreeBSD,
 but I wouldn't be surprised... - you should consider booting from
 trusted media and inspecting
 the system, since sometimes root kits hide the intruder's files (at
 least for systems like Linux
 and Solaris, but again, I don't think FreeBSD will be much different in
 that regard).

 There was another strange occurrence:
 Yesterday my internet connection went down without a particular reason.
 I tested a few other configurations and rebooted multiple times, and after
  the fifth reboot (with the usual settings restored) it suddenly worked
  again.

 Mmmh. Maybe your provider just had some problem... Who knows?

Unlikely, because other people with the same ISP didn't have problems.

 Also there were quite a few crashes.

 Unless you have a static IP, it would be quite hard for the intruder to
 get in again.
 (OTOH, I don't think it would be hard to make a system send a message to
 the internet
 upon connection)

Of course I have a static IP, I'm running an SSH server.

[...]

 It is after all still possible that it's just... I don't know...
 something really weird. Sometimes
 applications will create such things for no apparent reason (from a
 user's point of view at
 least). Of course, this would be unusual, but not impossible.

I don't think this is the reason. On the creation day I didn't run any 
programs other than the ones I already know, and no one except me has root 
(hopefully this is still the case).

 Still, if you have security-concerns, I suggest you take the box offline
 and examine it.
 As a side-effect, this is probably very interesting.

Thanks for your reply!

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Strange file appeared in my home directory

2004-10-29 Thread Jonathan Chen
On Fri, Oct 29, 2004 at 10:51:40PM +, Daniela wrote:

[...]
 I quickly checked my system with the native FreeBSD tool chkrootkit. It 
 showed the following files as infected: ps, ls, date, chsh and chfn.
 Now I'm really scared. However, I heard that this tool has a bug which gives 
 false alarm for five files, but I don't know if I have a buggy version.

FreeBSD doesn't come with chkrootkit. The one in the ports reports
so many false positives that it is practically useless. I wouldn't
depend on it to make any decision.

Having said this, if you're worried about system tampering, all you
really need to do is to grab an installation CD; backup /etc, and reinstall
the kernel, libraries and binaries, restore /etc and you're away.

Cheers.
-- 
Jonathan Chen [EMAIL PROTECTED]
--
Irrationality is the square root of all evil
  - Douglas Hofstadter



Re: Strange file appeared in my home directory

2004-10-29 Thread Daniela
On Thursday 28 October 2004 19:44, Miguel Mendez wrote:
 On Thu, 28 Oct 2004 21:13:34 +
 Daniela [EMAIL PROTECTED] wrote:

 Hi,

  I noticed a file called regs in my home directory (which is 21 megs
  in size) and I have no clue where it comes from. The file format is
  not recognized by any of the common tools. The creation date was about
  four days ago, so if I created it, I would have remembered.

 I've never seen such file, my guess is that anyone breaking into someone
 else's computer would hide his stuff, but you never know. Google didn't
 turn any useful hit either. With this and the rest of your post I have
 reasons to believe that you haven't been broken into. However, if you're
 suspicious you could back up the 'evidence', in this case the regs file
 and other unusual stuff you might find, wipe the system out and reinstall
 and restore data from a good backup.

  I looked at the file with the hexeditor and it seems to consist of
  lots of four-byte values which look like addresses on the stack of an
  application.

 What do those values look like?

AFAIK the stack normally begins at (little endian) 0x40FCBFBF, and the file is 
full of values that are just a bit less than that, and there are also many 
values that are small enough to be indexes to arrays. There are no printable 
ASCII strings in it, and the whole file seems to be aligned on a 4-byte 
boundary.

[...]

  However, I suspect that I've been hacked. There was another strange
  occurrence: Yesterday my internet connection went down without a
  particular reason. I tested a few other configurations and rebooted
  multiple times, and after the fifth reboot (with the usual settings
  restored) it suddenly worked again. There seem to be no unusual
  processes running, but when I'm hacked, I can't trust the tools on my
  system any more. Also there were quite a few crashes.

 Do you run any services on that box besides ssh?
 Apache/Sendmail/Whathaveyou? Anything unusual in the logs?

I have numerous services active within my LAN, but none except SSH is 
reachable from outside. I regularly verify this by portscanning my machine 
from somewhere else. My local users can be trusted.

  Has anyone seen this file too?
  In case anyone wants to know, the offending IP was 200.84.78.83.

 That IP resolves to 200-84-78-83.genericrev.cantv.net, either a
 compromised Windows box or a script-kiddiot computer, too lazy to nmap
 it now :)

I already tried to do a portscan, but the box either has a good firewall, or 
it is always offline.

Thanks for your reply!

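Daniela's description of the file (4-byte aligned, no printable strings, most words just below the top of the i386 user stack, the rest small index-like integers) can be checked mechanically rather than by eye. The following is an added example, not code from the thread. It assumes a FreeBSD/i386 layout in which the user stack top sits just below 0xBFC00000 (so the bytes 40 FC BF BF seen in a hex editor are the little-endian word 0xBFBFFC40), and the window and "small value" thresholds are arbitrary choices for the demonstration; the sample buffer is constructed here and is not the real regs file.

```python
import struct
from collections import Counter

# Assumed i386 FreeBSD user-stack layout (an assumption for this example):
# stack slots cluster in a window just below 0xBFC00000.  The byte sequence
# 40 FC BF BF from the hex editor is the little-endian word 0xBFBFFC40.
STACK_HI = 0xBFC00000
STACK_LO = 0xBF000000          # generous window below the stack top (assumed)
SMALL_MAX = 0x10000            # values that look like array indexes/counters (assumed)


def classify_words(data: bytes, endian: str = "<") -> dict:
    """Split data into 4-byte words and bucket each as stack-like, small or other.

    Also reports how many trailing bytes do not form a whole word, which
    tells you whether the file is really 4-byte aligned end to end.
    """
    nwords, rem = divmod(len(data), 4)
    words = struct.unpack(f"{endian}{nwords}I", data[:nwords * 4]) if nwords else ()
    counts = Counter()
    for w in words:
        if STACK_LO <= w < STACK_HI:
            counts["stack_like"] += 1
        elif w <= SMALL_MAX:
            counts["small"] += 1
        else:
            counts["other"] += 1
    return {"words": nwords, "trailing": rem,
            "stack_like": counts["stack_like"], "small": counts["small"],
            "other": counts["other"]}


def top_addresses(data: bytes, n: int = 5, endian: str = "<"):
    """Most frequent stack-like words; a saved frame address written over
    and over would stand out here, a random dump would not."""
    nwords = len(data) // 4
    words = struct.unpack(f"{endian}{nwords}I", data[:nwords * 4]) if nwords else ()
    return Counter(w for w in words if STACK_LO <= w < STACK_HI).most_common(n)


def printable_runs(data: bytes, min_len: int = 4):
    """Runs of printable ASCII, the same idea as strings(1)."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def build_sample() -> bytes:
    """Constructed sample standing in for the unknown file: descending stack
    slots below 0xBFBFFC40, one address repeated, index-like integers, one
    text-segment-looking pointer, and a ragged 2-byte tail."""
    words = [0xBFBFFC40 - 4 * i for i in range(8)]
    words += [0xBFBFFC3C, 0xBFBFFC3C]          # a frame address saved repeatedly
    words += [0, 1, 2, 7, 0x100]               # index/counter-like values
    words += [0x0804A120]                      # looks like an i386 .text pointer
    return struct.pack("<%dI" % len(words), *words) + b"\x01\x02"


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(classify_words(blob))
    print(top_addresses(blob))
    print(printable_runs(blob)[:10])
```

Run it against the real file with `python3 regs_words.py ~/regs`; a file whose words are almost all stack-like with few repeats is consistent with a raw register/stack dump, while a long tail of "other" values or printable runs would point somewhere else. The analysis should be done on a copy of the file taken off the suspect machine, since the tools on the box itself are exactly what Daniela says she cannot trust.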


Strange file appeared in my home directory

2004-10-28 Thread Daniela
I noticed a file called regs in my home directory (which is 21 megs in size) 
and I have no clue where it comes from. The file format is not recognized by 
any of the common tools. The creation date was about four days ago, so if I 
created it, I would have remembered.
I looked at the file with the hexeditor and it seems to consist of lots of 
four-byte values which look like addresses on the stack of an application.

About half an hour before the creation date there were numerous failed login 
attempts on the SSH port (all from the same IP), but my logs didn't show any 
signs of an intrusion.
However, I suspect that I've been hacked. There was another strange occurrence: 
Yesterday my internet connection went down without a particular reason.
I tested a few other configurations and rebooted multiple times, and after the 
fifth reboot (with the usual settings restored) it suddenly worked again.
There seem to be no unusual processes running, but when I'm hacked, I can't 
trust the tools on my system any more. Also there were quite a few crashes.

Has anyone seen this file too?
In case anyone wants to know, the offending IP was 200.84.78.83.

Regards,
Daniela



Re: Strange file appeared in my home directory

2004-10-28 Thread Benjamin Walkenhorst
Hello,
Daniela wrote:
I noticed a file called regs in my home directory (which is 21 megs in size) 
and I have no clue where it comes from. The file format is not recognized by 
any of the common tools. The creation date was about four days ago, so if I 
created it, I would have remembered.
I looked at the file with the hexeditor and it seems to consist of lots of 
four-byte values which look like addresses on the stack of an application.

I've never heard of such a thing happening...
About half an hour before the creation date there were numerous failed login 
attempts on the SSH port (all from the same IP), but my logs didn't show any 
signs of an intrusion.
However, I suspect that I've been hacked. 

Well, /if/ someone intruded your system, she/he surely would remove all 
possible evidence
(unless it's someone *really* stupid).

If your machine was compromised, I suggest, you take it offline *now* 
and inspect it
thoroughly. There is a piece of software called The Coroner's Toolkit 
(TCK) which I
think is made for that.
More easily, you can checksum your system files and compare them with a 
clean install.
If you have recent backups, you can use these as well.

If you are afraid a rootkit might have been installed - I don't know if 
these exist for FreeBSD,
but I wouldn't be surprised... - you should consider booting from 
trusted media and inspecting
the system, since sometimes root kits hide the intruder's files (at 
least for systems like Linux
and Solaris, but again, I don't think FreeBSD will be much different in 
that regard).

There was another strange occurrence: 
Yesterday my internet connection went down without a particular reason.
I tested a few other configurations and rebooted multiple times, and after the 
fifth reboot (with the usual settings restored) it suddenly worked again.

Mmmh. Maybe your provider just had some problem... Who knows?
Also there were quite a few crashes.

Unless you have a static IP, it would be quite hard for the intruder to 
get in again.
(OTOH, I don't think it would be hard to make a system send a message to 
the internet
upon connection)

Also, I suggest to look through your hardware - I had lots of crashes 
for some time, till
I replaced my power supply. Now my machine runs like a champ. =)

In case anyone wants to know, the offending IP was 200.84.78.83.

If it was a dial-up connection, that doesn't mean anything. Maybe it's 
also a machine that's
already compromised.

Before you start wearing a foil-hat, remember that all of the above only 
applies if your
system was indeed compromised (how I /love/ that word, it sounds so 
serious...).
It is after all still possible that it's just... I don't know... 
something really weird. Sometimes
applications will create such things for no apparent reason (from a 
user's point of view at
least). Of course, this would be unusual, but not impossible.

Still, if you have security-concerns, I suggest you take the box offline 
and examine it.
As a side-effect, this is probably very interesting.

I wish you good luck (and that your system be still intact)!
Kind regards,
Benjamin
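Benjamin's suggestion to checksum the system files and compare them with a clean install is the one step in the thread that gives a definite answer, and on FreeBSD the native tool for it is mtree(8) with one of its digest keywords. The following is an added example, not from the thread or from FreeBSD: a small Python baseline-and-compare routine that hashes every regular file under a "known good" tree and diffs the result against the live tree, reporting modified, missing and unexpected files. The directory names and the file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so 21 MB files do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest.

    Symlinks and special files are skipped: they have no content to hash,
    and a rootkit that swaps /bin/ps for a symlink shows up as 'missing'.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare_trees(baseline: dict, live: dict) -> dict:
    """Files whose digest differs, files gone from live, files not in the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in live and live[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in live),
        "extra": sorted(k for k in live if k not in baseline),
    }


def demo() -> dict:
    """Constructed sample: a 'clean' tree and a 'live' tree where ps was
    replaced, date removed and an unexpected chsh added."""
    with tempfile.TemporaryDirectory() as d:
        clean, live = Path(d) / "clean", Path(d) / "live"
        for root in (clean, live):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
            (root / "bin" / "ps").write_bytes(b"\x7fELF original ps")
            (root / "bin" / "date").write_bytes(b"\x7fELF original date")
        (live / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps")    # tampered
        (live / "bin" / "chsh").write_bytes(b"\x7fELF dropped tool")  # unexpected
        (live / "bin" / "date").unlink()                               # removed
        return compare_trees(build_baseline(clean), build_baseline(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats that the thread itself raises. First, the baseline has to come from the same build as the machine: Daniela tracks -STABLE with debug symbols, so hashes from the release CD will differ for nearly every binary and the comparison is only meaningful against her own build or backup. Second, if the kernel or the hashing tool on the suspect box has been replaced, the live digests can be falsified, which is why Benjamin's advice to boot from trusted media before inspecting applies to this step too.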


Re: Strange file appeared in my home directory

2004-10-28 Thread Miguel Mendez
On Thu, 28 Oct 2004 21:13:34 +
Daniela [EMAIL PROTECTED] wrote:

Hi,

 I noticed a file called regs in my home directory (which is 21 megs
 in size) and I have no clue where it comes from. The file format is
 not recognized by any of the common tools. The creation date was about
 four days ago, so if I created it, I would have remembered.

I've never seen such file, my guess is that anyone breaking into someone
else's computer would hide his stuff, but you never know. Google didn't
turn any useful hit either. With this and the rest of your post I have
reasons to believe that you haven't been broken into. However, if you're
suspicious you could back up the 'evidence', in this case the regs file
and other unusual stuff you might find, wipe the system out and reinstall
and restore data from a good backup.

 I looked at the file with the hexeditor and it seems to consist of
 lots of four-byte values which look like addresses on the stack of an
 application.

What do those values look like?

 About half an hour before the creation date there were numerous failed
 login attempts on the SSH port (all from the same IP), but my logs
 didn't show any signs of an intrusion.

The ssh scans seem to be common. There's an automated tool out there
with a hardcoded weak name/pass list. My suggestion for that is, if you
only need ssh access from specific places setup a firewall rule to allow
only those IP addresses.

 However, I suspect that I've been hacked. There was another strange
 occurence: Yesterday my internet connection went down without a
 particular reason. I tested a few other configurations and rebooted
 multiple times, and after the fifth reboot (with the usual settings
 restored) it suddenly worked again. There seem to be no unusual
 processes running, but when I'm hacked, I can't trust the tools on my
 system any more. Also there were quite a few crashes.

Do you run any services on that box besides ssh?
Apache/Sendmail/Whathaveyou? Anything unusual in the logs?

 Has anyone seen this file too?
 In case anyone wants to know, the offending IP was 200.84.78.83.

That IP resolves to 200-84-78-83.genericrev.cantv.net, either a
compromised Windows box or a script-kiddiot computer, too lazy to nmap
it now :)

Cheers,
-- 
Miguel Mendez [EMAIL PROTECTED]
http://www.energyhq.es.eu.org
PGP Key: 0xDC8514F1
Note: All HTML mail goes to /dev/null

