Gentoo Forums
A process owned by root looking for .*history files
ferg
Guru
Joined: 15 Nov 2002
Posts: 540
Location: Cambridge, UK

PostPosted: Wed Oct 02, 2024 7:11 pm    Post subject: A process owned by root looking for .*history files

I just noticed a process yesterday searching across my filesystem for *.history files. I noticed it as I plugged in a USB drive (from a Time Machine backup on OS X) and after a few minutes tried to umount it without any luck as a process was locking it.

When I looked this process was running:

Code:
root     22815 22325  9 Oct01 ?        01:13:34 /usr/bin/find // ! -fstype nfs -name .*history -size 0


I immediately killed the process and then regretted it as I have no idea what was running it.

Today I noticed the same process running. I assume this is some hack attempt looking through users' history files to glean some useful information.

I pulled the ethernet cable as soon as I saw this process, but could now do with some assistance in identifying where it comes from. I looked through all cron folders and logs and there's nothing. But there again I do not really know what I'm looking for!

This box (running a daily updated Gentoo) has SSH open to my LAN although no root login. The only user has only key logins enabled. Also no ports are forwarded. It does have tailscale installed and running.
Thanks!
_________________
Climb up it, kayak down it + make sure it runs on GNU/Linux
"cease to exist, giving my goodbye, drive my car into the ocean,
you think I'm dead, but i sail away, on a wave of mutilation!"
ferg
PostPosted: Wed Oct 02, 2024 8:33 pm    Post subject:

Ahhh. I'm a bit daft, aren't I!

I missed the "-size 0" from that process. I just thought it was some process that was looking for history files.

However, it's more likely to be something looking for empty history files, which would be evidence that somebody has hacked a box and tried to hide their steps. Does Chkrootkit do something like this? I wonder why I've never noticed this before.
flexibeast
Guru
Joined: 04 Apr 2022
Posts: 454
Location: Naarm/Melbourne, Australia

PostPosted: Thu Oct 03, 2024 12:58 am    Post subject:

Assuming "22815 22325" are the PID and Parent PID (PPID) of the process, what's the process whose PID is the referenced PPID?
ferg
PostPosted: Thu Oct 03, 2024 7:31 am    Post subject:

flexibeast wrote:
Assuming "22815 22325" are the PID and Parent PID (PPID) of the process, what's the process whose PID is the referenced PPID?

Well that makes me look even sillier! The parent process was cronie. ...and chkrootkit is set to run daily via cronie.....!
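The two checks this thread turns on, as an added example that is not from any of the posters: a shell function that walks a PID's ancestry through /proc (the general form of flexibeast's "what is the PPID?" question, which is how the find was traced back to cronie), and a function reproducing what the observed find command looks for, run over a constructed temporary directory so that only the truncated history file is reported. It assumes Linux /proc and a POSIX sh with sed and find.

```shell
#!/bin/sh
# Added example, not from the thread. Needs Linux /proc and a POSIX sh.

# Print "pid ppid comm" for PID and each of its ancestors, up to the root of
# the PID tree. Following the PPID is how the find in the thread was traced
# back to cronie (and from there to the daily chkrootkit job).
ancestry() {
    pid="$1"
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/stat" ]; do
        # /proc/PID/stat is "pid (comm) state ppid ...". comm may contain
        # spaces or ")", so match the last ") <state> <ppid>" instead of
        # splitting on whitespace.
        line="$(sed -n 's/^[0-9]* (\(.*\)) [A-Za-z] \([0-9]*\) .*$/\2 \1/p' "/proc/$pid/stat")"
        ppid="${line%% *}"
        comm="${line#* }"
        printf '%s %s %s\n' "$pid" "$ppid" "$comm"
        pid="$ppid"
    done
}

# What the observed find does: report dot-history files of size 0, i.e.
# shell histories that have been emptied, which is why a rootkit checker
# looks for them. Limited to DIR here; the original walked "//" and skipped
# NFS with "! -fstype nfs". "-type f" is added so directories never match.
empty_history_files() {
    find "$1" -type f -name '.*history' -size 0
}

# Constructed sample data: one real history, one emptied one, and one
# unrelated empty file. Only the emptied history is reported.
demo_dir="$(mktemp -d)"
printf 'ls -la\n' > "$demo_dir/.bash_history"   # non-empty: not reported
: > "$demo_dir/.zsh_history"                    # empty: reported
: > "$demo_dir/notes.txt"                       # empty but not a history file

echo "--- ancestry of this shell ($$) ---"
ancestry "$$"
echo "--- empty history files under $demo_dir ---"
empty_history_files "$demo_dir"
rm -rf "$demo_dir"
```

Run `ancestry <pid>` against any process you do not recognise; the parent's name (cronie, sshd, a login shell) usually answers the question before anything more invasive is needed.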
Ralphred
l33t
Joined: 31 Dec 2013
Posts: 654

PostPosted: Thu Oct 03, 2024 12:50 pm    Post subject:

ferg wrote:
Well that makes me look even sillier! The parent process was cronie. ...and chkrootkit is set to run daily via cronie.....!

Hey, I've had my job described as "a paid professional paranoid", you did good work IMHO - you found the cause of a potentially disquieting observation.
ferg
PostPosted: Thu Oct 03, 2024 4:04 pm    Post subject:

Cheers! A healthy amount of paranoia is always useful.