Hi Mary,

I have run chkrootkit over the machines - nothing has shown up there.
Although that may not find everything. The /tmp/CGI_Cache dir is world
writable, but the other directories we found this happening were not.

I've had a look for other suspicious activity (like network traffic,
ports etc) and haven't found anything yet. They might be doing it very
subtly however, and just doing it to affect those files. Most of my
experience with hackers is that they use the box as a ping flood host or
similar.

What I will do is dump the contents of the filesystem into a dump file,
copy this to another, non-networked non-production machine, and restore
it to a clean partition and see if the system 'ls' shows the files.

Thanks

Mary Gardiner [EMAIL PROTECTED] wrote:
> On Mon, Jul 12, 2004, [EMAIL PROTECTED] wrote:
> > We have an unusual problem with files that are invisible (sort of) to
> > 'ls' and other programs. This shows up when using the standard
> > versions of these programs that are shipped with Debian 'Woody' (up to
> > date via security.debian.org). However, the files are visible when
> > using statically linked versions of 'ls' such as that shipped with
> > some ftp servers.
> ...
> > ... I realise that a bug in glibc is pretty unlikely, but I'm not
> > really sure what else could be doing it and welcome further
> > troubleshooting suggestions.
> 
> I'm not at all skilled in security/forensics, but "files that don't show
> up in ls" and "processes that don't show up in ps" are often a symptom
> of a compromised machine. The attacker, having gained successful access
> to a machine, will install programs either to allow them continued
> access to the machine, or to control the machine. They will then
> sometimes modify system files and binaries so that it is not easy to find
> these files and processes.
> 
> There may be some obvious reason why this can't be the case (as I said,
> I don't know much about it), but it does seem like an option you haven't
> considered.
> 
> In particular, the fact that problematic files are showing up in a
> directory named /tmp/CGI_Cache sounds suspicious to me -- /tmp is world
> writable and would therefore be a good candidate for installing rogue
> programs assuming you can stop them being purged on reboot.
> 
> Hopefully others have good resources on checking and diagnosing a
> compromised machine. The standard fix is: first find out how they got
> in, and then reinstall the machine without that hole. However, keep in
> mind that if you want to find out how an attacker got in, or to pursue
> them, you will need to keep the evidence (hard drives) untouched, so
> don't be too keen to wipe a possibly compromised machine.
> 
> Unless there's an obvious reason I'm missing not to suspect compromise,
> you should be thinking about pulling those machines offline ASAP and
> finding out exactly what's in these invisible files.
> 
> -Mary
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
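The symptom in this thread (files visible to a statically linked 'ls' but not to the dynamically linked one) points at something filtering directory listings in user space, between the kernel and the program. The following is an added example (not code from the thread) that checks a directory both through glibc's readdir() and through the raw getdents64 syscall and counts the entries that only the syscall reports. It assumes Linux with glibc; the function name hidden_entry_count is mine. It will not catch a kernel-level hook, which would fool both paths; that is what the offline restore described above covers.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#define MAX_ENTRIES 1024
#define NAME_LEN 256
/* Record layout getdents64 writes into its buffer (Linux ABI, same on all arches). */
struct raw_dirent64 { unsigned long long d_ino; long long d_off;
                      unsigned short d_reclen; unsigned char d_type; char d_name[]; };
/* Listing through glibc's opendir()/readdir(), the path a dynamically linked 'ls' takes. */
static int list_via_readdir(const char *path, char names[][NAME_LEN]) {
    DIR *d = opendir(path); if (!d) return -1;
    int n = 0;
    for (struct dirent *e; n < MAX_ENTRIES && (e = readdir(d)) != NULL; n++)
        snprintf(names[n], NAME_LEN, "%s", e->d_name);
    closedir(d);
    return n;
}
/* Listing through the raw getdents64 syscall, bypassing libc's readdir() entirely. */
static int list_via_getdents(const char *path, char names[][NAME_LEN]) {
    int fd = open(path, O_RDONLY | O_DIRECTORY); if (fd < 0) return -1;
    char buf[8192]; int n = 0;
    for (long got; (got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;)
        for (long pos = 0; pos < got && n < MAX_ENTRIES; n++) {
            struct raw_dirent64 *e = (struct raw_dirent64 *)(buf + pos);
            snprintf(names[n], NAME_LEN, "%s", e->d_name);
            pos += e->d_reclen;
        }
    close(fd);
    return n;
}
/* Number of entries the raw syscall reports that readdir() omits, or -1 if the
 * directory cannot be read. Non-zero means something between the kernel and the
 * caller is filtering listings; a kernel-level hook would fool both paths. */
int hidden_entry_count(const char *path) {
    static char lib[MAX_ENTRIES][NAME_LEN], raw[MAX_ENTRIES][NAME_LEN];
    int nlib = list_via_readdir(path, lib), nraw = list_via_getdents(path, raw);
    if (nlib < 0 || nraw < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nraw; i++) {
        int seen = 0;
        for (int j = 0; j < nlib && !seen; j++) seen = strcmp(lib[j], raw[i]) == 0;
        if (!seen) { hidden++; fprintf(stderr, "hidden from readdir: %s/%s\n", path, raw[i]); }
    }
    return hidden;
}
```

On a clean box hidden_entry_count("/tmp") returns 0; run it from a statically linked build as well, since a trojaned libc could in principle hook the syscall() wrapper too.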