platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Mon Dec 13, 2004 1:41 am Post subject: Possible break-in. Does anybody recognize this?
I just noticed a little script file in my home directory called 'tp'. I don't remember creating this and, in fact, am pretty sure I didn't. Here it is:
#! /bin/sh
SQUIDID="/bin/id -u squid"
PROXYPORT='3128'
iptables -t nat -A OUTPUT -p tcp --dport http -m owner --uid-owner $($SQUIDID) -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport ftp -m owner --uid-owner $($SQUIDID) -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport ftp-data -m owner --uid-owner $($SQUIDID) -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport http -j DNAT --to-destination 127.0.0.1:$PROXYPORT
iptables -t nat -A OUTPUT -p tcp --dport ftp -j DNAT --to-destination 127.0.0.1:$PROXYPORT
iptables -t nat -A OUTPUT -p tcp --dport ftp-data -j DNAT --to-destination 127.0.0.1:$PROXYPORT
Since I don't even have squid installed on this box (it's behind a firewall on my LAN), I don't think this could have done much. It was also in my user directory with user permissions and not root. Nevertheless, somebody put it here. It also doesn't have execute perms. I've already checked my firewall box and my LAN box and don't see anything unusual. Also ran chkrootkit on both boxes. The file is a week old. I know it's trying to set up a local proxy hole in a firewall for squid, but I'm just curious if anybody has seen this before. I believe my firewall is pretty solid and I can't find any trace of a break-in. But then again, they are hard to spot unless you are looking for them.
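For readers who want to check whether rules like the ones in the posted 'tp' script are actually live on a box, here is an added example (not part of the original post, and not Squid or Gentoo code). The script's two rule groups do the following: the `-m owner --uid-owner ... -j ACCEPT` lines let outbound http/ftp/ftp-data connections made by the squid uid itself leave untouched, and the `-j DNAT --to-destination 127.0.0.1:3128` lines redirect everyone else's to the local proxy port. The two helpers below read `iptables-save` output and report exactly those two things. Everything they need is plain sh and awk; the ruleset embedded at the bottom is a constructed sample of what `iptables-save` would print after running the posted script, and the squid uid 31 in it is made up.

```shell
#!/bin/sh
# Added example, not from the original post or any Squid/Gentoo code.
# Run against a live box as root:  iptables-save | audit_nat_output
# or against a saved dump:          audit_nat_output < rules.dump

# Print each nat-table OUTPUT rule that DNATs to loopback, one per line as
# "<dport> -> <destination>". iptables-save writes ports numerically, so the
# script's "--dport http" shows up here as 80, ftp as 21, ftp-data as 20.
audit_nat_output() {
    awk '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table == "nat" && /^-A OUTPUT / && /-j DNAT/ && /--to-destination 127\./ {
            dport = "any"; dest = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport")          dport = $(i + 1)
                if ($i == "--to-destination") dest  = $(i + 1)
            }
            print dport " -> " dest
        }
    '
}

# Print the numeric uids that an "-m owner --uid-owner N -j ACCEPT" rule in
# nat OUTPUT exempts from the redirect (the proxy's own uid, if the rules were
# set up as in the posted script). Prints nothing when there is no exemption.
exempted_uids() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A OUTPUT / && /--uid-owner/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--uid-owner") print $(i + 1)
        }
    ' | sort -u
}

# Count report lines without depending on wc padding.
count_lines() {
    awk 'END { print NR }'
}

# Constructed sample (not a real dump): what iptables-save would print on a
# box where the posted script had been run with squid at uid 31 (made up).
# The filter-table OUTPUT rule at the end must NOT be reported: it is not a
# redirect and not in the nat table.
SAMPLE_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 31 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m owner --uid-owner 31 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m owner --uid-owner 31 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
-A OUTPUT -p tcp -m tcp --dport 21 -j DNAT --to-destination 127.0.0.1:3128
-A OUTPUT -p tcp -m tcp --dport 20 -j DNAT --to-destination 127.0.0.1:3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Demo against the constructed sample; on a clean box both reports are empty.
echo "redirected in nat OUTPUT:"
printf '%s\n' "$SAMPLE_RULESET" | audit_nat_output
echo "uids exempt from the redirect:"
printf '%s\n' "$SAMPLE_RULESET" | exempted_uids
```

If `audit_nat_output` prints nothing on the live box, the script was never run there (or its rules have since been flushed), which is consistent with the box not having squid installed. If it does print redirects, `exempted_uids` tells you which account's traffic bypasses the proxy, and `id -nu <uid>` maps that back to a user name.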
teknomage1 Veteran
Joined: 05 Aug 2003 Posts: 1239 Location: Los Angeles, CA
Posted: Mon Dec 13, 2004 2:05 am Post subject:
Don't forget to change ALL passwords, 'cause you never know.
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Mon Dec 13, 2004 2:19 am Post subject:
Done. Good reminder, teknomage1.