e2k n00b
Joined: 30 Jul 2004 Posts: 44
Posted: Sun Apr 10, 2005 8:46 pm, Post subject: Big trouble?
I just found something very interesting in my root..
Code:
-rw-r--r-- 1 root root 0 Dec 3 16:24 &
-rw-r--r-- 1 root root 0 Dec 3 16:24 -
drwxr-xr-x 18 root root 4096 Dec 6 17:15 .
drwxr-xr-x 18 root root 4096 Dec 6 17:15 ..
-rw-r--r-- 1 root root 0 Dec 3 16:24 001.jpg
-rw-r--r-- 1 root root 0 Dec 3 16:24 4
-rw-r--r-- 1 root root 0 Dec 3 16:24 6.2.0137
-rw-r--r-- 1 root root 0 Dec 3 16:24 Account
-rw-r--r-- 1 root root 0 Dec 3 16:24 AntiVirus
-rw-r--r-- 1 root root 0 Dec 3 16:24 bike.bmp
-rw-r--r-- 1 root root 0 Dec 3 16:24 Client
-rw-r--r-- 1 root root 0 Dec 3 16:24 Computer
-rw-r--r-- 1 root root 0 Dec 3 16:24 Data
-rw-r--r-- 1 root root 0 Dec 3 16:24 Database
-rw-r--r-- 1 root root 0 Dec 3 16:24 Demo
-rw-r--r-- 1 root root 0 Dec 3 16:24 Explorer
-rw-r--r-- 1 root root 0 Dec 3 16:24 flower.bmp
-rw-r--r-- 1 root root 0 Dec 3 16:24 Help
-rw-r--r-- 1 root root 0 Dec 3 16:24 Index
-rw-r--r-- 1 root root 0 Dec 3 16:24 Info
-rw-r--r-- 1 root root 0 Dec 3 16:24 Info.sidb
-rw-r--r-- 1 root root 0 Dec 3 16:24 Internet
-rw-r--r-- 1 root root 0 Dec 3 16:24 LaunchLibrary
-rw-r--r-- 1 root root 0 Dec 3 16:24 Licenses
-rw-r--r-- 1 root root 0 Dec 3 16:24 Settings
-rw-r--r-- 1 root root 0 Dec 3 16:24 Systems
-rw-r--r-- 1 root root 0 Dec 3 16:24 tree.bmp
-rw-r--r-- 1 root root 0 Dec 3 16:24 Underground
among others; I cut these out as examples..
Now, what might this be? I'm getting a bit worried; has someone been on my computer? I don't tend to keep ssh on.. I'm sure I haven't made those myself.
Thoughts?
(Thought this might be a security-related thing, hence the placement)
i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Sun Apr 10, 2005 9:07 pm
¿¿ ??
Strange thing, especially considering that all of them have exactly the same creation date. There is nothing to worry about in the files that the listing shows, but you should check whether any file created on that same date on your system (not just the / directory) has the x permission set. If so, you should put that file (or files) in quarantine until you are sure it holds nothing related to an exploit, backdoor or trojan.
Those files were put there by someone, if not you. Portage did not do it, for sure, so something is happening. Has someone else access to that machine?
e2k n00b
Joined: 30 Jul 2004 Posts: 44
Posted: Sun Apr 10, 2005 9:15 pm
6thpink wrote:
> Has someone else access to that machine?
Not that I know of. I've only used ssh a couple of times myself.
How could I use find to locate all files created on Dec 3?
i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Sun Apr 10, 2005 11:00 pm
You can do it with kfind, I think (not sure, I don't use it).
You can also do a hard search by
Code:
cd /
ls -lR | grep 'Dec  3'
Make sure that the number of spaces between the Dec and the 3 is the same as your ls shows.
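The check 6thpink describes in the two posts above (find everything on the whole system with the Dec 3 timestamp, then look for anything with an execute bit and quarantine it) as a pair of shell functions. This is an added example, not code from the thread; the function names, the quarantine directory and the 20041203 date (the year is inferred from the April 2005 post date) are assumptions. It uses POSIX find(1) with two reference files instead of grepping ls -lR output, so the day-of-month spacing problem mentioned above does not arise, and it also flags zero-length files, which is what the listing in the first post shows.

```shell
# Added example (not from the thread): list every regular file under ROOT
# whose mtime falls on one calendar day, flag it if it is empty or has any
# execute bit set, and optionally move flagged files into a quarantine dir.
# Only POSIX find(1)/touch(1)/ls(1) are used (no GNU -newermt), so it also
# runs on a 2005-era box.  Function and argument names are hypothetical.

# suspicious_on_day ROOT YYYYMMDD
# Prints one line per match: FLAGS<TAB>SIZE<TAB>PATH, where FLAGS is a
# comma-separated subset of EXEC (some x bit set) and EMPTY (zero bytes),
# or "-" when neither applies.
suspicious_on_day() {
    root=$1
    day=$2
    ref=$(mktemp -d) || return 1
    # Two reference files bracket the day; find -newer compares mtimes,
    # so no parsing of "Dec  3" vs "Dec 3" is needed.  A file stamped
    # exactly 00:00:00 is excluded by the strict -newer; acceptable here.
    touch -t "${day}0000.00" "$ref/start"
    touch -t "${day}2359.59" "$ref/end"
    # -xdev stays on ROOT's filesystem: avoids /proc and /sys when ROOT is /,
    # but means separate mounts (/boot, /usr, /var) need their own run.
    find "$root" -xdev -type f -newer "$ref/start" ! -newer "$ref/end" -print |
    while IFS= read -r f; do
        flags=""
        mode=$(ls -ld -- "$f" | cut -c1-10)          # e.g. -rwxr-xr-x
        case $mode in *[xst]*) flags="EXEC" ;; esac   # lowercase s/t imply x
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -eq 0 ]; then
            flags="${flags:+$flags,}EMPTY"
        fi
        printf '%s\t%s\t%s\n' "${flags:--}" "$size" "$f"
    done
    rm -rf "$ref"
}

# quarantine_flagged QDIR
# Reads suspicious_on_day output on stdin and moves every EXEC-flagged file
# into QDIR, encoding the original path in the new name and appending a
# MANIFEST line so the file can be restored once it is known to be harmless.
quarantine_flagged() {
    qdir=$1
    mkdir -p "$qdir"
    while IFS="$(printf '\t')" read -r flags size path; do
        case $flags in *EXEC*) ;; *) continue ;; esac
        dest="$qdir/$(printf '%s' "$path" | tr '/' '_')"
        mv -- "$path" "$dest"
        printf '%s\t%s\n' "$path" "$dest" >> "$qdir/MANIFEST"
    done
}

# Usage on the system in the thread (as root), review the list first:
#   suspicious_on_day / 20041203 | tee /root/dec3.txt
#   quarantine_flagged /root/quarantine < /root/dec3.txt
```

Odd names such as `&` and `-` are handled because paths are only ever passed through `--` and redirections, never as bare arguments. Quarantining by moving does not remove a running process or a cron entry that points at the file, so after the move also check `ps`, `/etc/cron*` and `/etc/init.d` for references to the quarantined paths.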
e2k n00b
Joined: 30 Jul 2004 Posts: 44
Posted: Mon Apr 11, 2005 10:28 am
I checked it, but I'm not sure if I found anything suspicious.
Apparently I installed my Gentoo on Dec 3, or was just very active, because I found quite a lot.
If anyone knows any potentially hazardous filenames, you can check the ls -lR | grep 'Dec 3' output here..
Thanks 6thpink for your assistance.. Maybe I don't have to reinstall my whole system (or maybe I should, just to be on the safe side).
EDIT: I ran rkhunter and chkrootkit, and neither of them found anything suspicious.. Can this be trusted? Any other apps like this?
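rkhunter and chkrootkit look for known rootkit signatures, so a clean run rules out the rootkits they know about and nothing else. An independent check that every Gentoo box already carries is the Portage database: /var/db/pkg/<category>/<package>/CONTENTS records every file a package installed, with the MD5 of each regular file. The following is an added example, not from the thread or from Portage itself; it redoes with POSIX tools what gentoolkit's `equery check` does, so the logic is visible. Function names and the PKGDB/ROOT parameters are assumptions (they exist so the functions can be run against a copy; on a live system PKGDB is /var/db/pkg and ROOT is empty).

```shell
# Added example (not from the thread): cross-check files against the Portage
# package database.  Each CONTENTS file holds lines of the form
#   dir /usr/bin
#   obj /usr/bin/foo <md5 of file> <mtime>
#   sym /usr/bin/bar -> foo <mtime>
# Paths containing spaces are not handled (CONTENTS itself is ambiguous for
# them).  PKGDB and ROOT are hypothetical parameters for running on a copy.

# untracked_files PKGDB DIR [ROOT]
# Prints regular files under DIR (paths relative to ROOT) that no package's
# CONTENTS claims.  Portage never writes an untracked file into /bin, /sbin,
# /lib or /usr/bin by itself, so anything listed there was created by a
# person, a stray command or something else entirely.  /etc, /home and /var
# legitimately hold untracked files, so run it on the binary directories.
untracked_files() {
    pkgdb=$1; dir=$2; root=${3:-}
    tmp=$(mktemp -d) || return 1
    cat "$pkgdb"/*/*/CONTENTS 2>/dev/null |
        awk '$1 == "obj" || $1 == "sym" { print $2 }' | sort -u > "$tmp/tracked"
    find "$dir" -type f -print |
        awk -v r="$root" 'r == "" || index($0, r) == 1 { print substr($0, length(r) + 1) }' |
        sort -u > "$tmp/present"
    # Lines only in "present": on disk but owned by no package.
    comm -23 "$tmp/present" "$tmp/tracked"
    rm -rf "$tmp"
}

# verify_contents PKGDB [ROOT]
# Recomputes the MD5 of every "obj" entry and prints MISSING or MODIFIED
# lines.  An unexpected MODIFIED on /bin/ls, /bin/ps, /usr/bin/find or
# /bin/netstat is what a user-land rootkit looks like from here.
verify_contents() {
    pkgdb=$1; root=${2:-}
    cat "$pkgdb"/*/*/CONTENTS 2>/dev/null |
    awk '$1 == "obj" { print $2, $3 }' |
    while read -r path want; do
        f="$root$path"
        if [ ! -e "$f" ]; then
            printf 'MISSING\t%s\n' "$path"
            continue
        fi
        have=$(md5sum < "$f" | cut -c1-32)
        [ "$have" = "$want" ] || printf 'MODIFIED\t%s\n' "$path"
    done
}

# Usage on a live Gentoo system (as root):
#   untracked_files /var/db/pkg /bin; untracked_files /var/db/pkg /usr/bin
#   verify_contents /var/db/pkg | sort
```

Two caveats a practitioner would add. First, CONTENTS lives on the same disk as the files it describes, so an attacker with root could rewrite both; for a stronger check, compare against a CONTENTS copy kept off-box or rebuild the package into a temporary directory and diff. Second, MD5 is fine for spotting accidental or careless tampering but is not collision-resistant, so treat a match as "unchanged since Portage wrote it", not as proof of integrity against a determined adversary.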
rex123 Apprentice
Joined: 21 Apr 2004 Posts: 272
Posted: Mon Apr 11, 2005 2:52 pm
I'd guess the most likely thing is that you made some command-line error as root. I don't know exactly what is inside a stage 3 tarball, but it looks like you untarred one on Dec 3, and quite possibly did some other things at the same time by accident.
This is a case of the least weird explanation, rather than anything like a certainty.
e2k n00b
Joined: 30 Jul 2004 Posts: 44
Posted: Mon Apr 11, 2005 4:49 pm
rex123 wrote:
> I'd guess the most likely thing is that you made some command-line error as root. I don't know exactly what is inside a stage 3 tarball, but it looks like you untarred one on Dec 3, and quite possibly did some other things at the same time by accident.
> This is a case of the least weird explanation, rather than anything like a certainty.
Yup, I thought of that too, that I might have extracted some weird package or something.. But why were all the files 0 bytes?
i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Mon Apr 11, 2005 6:37 pm
I thought of that also. The strange thing is, as you say, that all files are 0 bytes in length, but that can be caused by lots of issues, for example a hard lockup or a manual reset while untarring a file; it's not a frequent thing, but it can happen with relative frequency.
In fact, the point that all files are zero-length and none has the x permission suggests that there is no reason to think this could be a remote attack.
christsong84 Veteran
Joined: 06 Apr 2003 Posts: 1003 Location: GMT-8 (Spokane)
Posted: Mon Apr 11, 2005 7:38 pm
The . and .. are supposed to be there...
The rest, though... try moving them to another directory and see if they reappear (trace when, too, and what you were doing at the time). :)
_________________
while(true) {self.input(sugar);}