Re: suspicious files in /tmp
Incoming from Rick Moen:
> Quoting Marcel Weber (mmweber@ncpro.com):
>
> > But what made me shudder was this: In the /tmp folder I found these files:
> >
> > drwx------ 2 root root 48 Aug 10 19:36 Ib2KZi
> > drwx------ 2 root root 88 Jan 3 06:12 MF2oMw
> > drwx------ 2 root root 48 Aug 11 16:32 S0oNze
> >
> > Is this a left over from an attempt to hack my system?
>
> Highly unlikely. Attackers know that /tmp isn't an out-of-the-way
> place. Admins and other users look there all the time. Intruders tend
> to hide things away in places like boring-sounding subdirectories of /dev .
>
> > How can I check what happened and if the attacker succeeded?
>
> Read the advisories from your well-tuned IDS. ;->
> http://linuxgazette.net/issue98/moen.html
Install chkrootkit (www.chkrootkit.org) and run it regularly (from
cron). It's very easy to use, and chkrootkit-users is a very low
volume, high S/N ratio list.
BTW:
(0) keeling /home/keeling/dox_ all `which netstat` `which env`
-rwxr-xr-x 1 root root 86892 Nov 23 2001 /bin/netstat*
-rwxr-xr-x 1 root root 10332 Jul 26 2001 /usr/bin/env*
1 Mb is *way* out of line!
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
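The size check the post does by hand on netstat and env can be made repeatable. The script below is an added example, not code from the thread, chkrootkit or its list: it records size and SHA-256 for a list of binaries into a baseline file and flags anything that later differs or disappears. It assumes sha256sum (or shasum as a fallback), paths without whitespace, and that the baseline is kept somewhere an intruder cannot quietly rewrite (read-only media or another host).

```sh
#!/bin/sh
# Added example: baseline-and-compare for system binaries.
# Assumes sha256sum or shasum is installed and paths contain no whitespace.

# SHA-256 of one file; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# One line "path size sha256" per file; missing files are noted explicitly.
fingerprint() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            printf '%s %s %s\n' "$f" "$(wc -c < "$f" | tr -d ' ')" "$(hash_file "$f")"
        else
            printf '%s MISSING -\n' "$f"
        fi
    done
}

# Usage: record_baseline BASELINE_FILE path...
record_baseline() {
    out="$1"; shift
    fingerprint "$@" > "$out"
}

# Usage: check_baseline BASELINE_FILE
# Prints OK, DIFF (size or hash changed) or MISSING per entry.
# Returns 0 only if every entry still matches the baseline.
check_baseline() {
    base="$1"; rc=0
    while read -r path size sum; do
        now=$(fingerprint "$path")
        case "$now" in
            "$path $size $sum") echo "OK      $path" ;;
            "$path MISSING -")  echo "MISSING $path"; rc=1 ;;
            *) echo "DIFF    $path (baseline $size bytes, now ${now#"$path" })"; rc=1 ;;
        esac
    done < "$base"
    return $rc
}

# Typical use (run the check from cron, as the post suggests for chkrootkit):
#   record_baseline /root/bin.baseline /bin/netstat /usr/bin/env /bin/ps
#   check_baseline /root/bin.baseline
```

The baseline must be taken on a system you trust; a fingerprint recorded after a compromise only proves the trojaned binary has not changed since.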