Re: strange files, break-in?
on Sat, Jan 20, 2001 at 07:20:52PM +0100, Igor Mozetic (igor.mozetic@uni-mb.si) wrote:
> I've noticed three strange files in /root dir:
> 
> host:~# ls -al /root
> -rw-r--r--    1 root     root         1024 Jan  5 11:20 ..hwm
> -rw-r--r--    1 root     root       214184 Jan  5 11:20 ..pwd
> -rw-r--r--    1 root     root        11356 Jan  5 11:20 ..pwi
> 
> ..pwd is ascii with a lot of control chars in it, the other
> two are binaries. Is this a side product of running some
> program or maybe some break-in leftover?

I'd vote for hack.

Try searching for these files in a search engine, you'll likely get an
idea of what tools these are associated with.  At Google, I'm finding
crack_mkdict which is a crack password generation file -- what I
strongly suspect that '..pwd' is -- commonly used passwords with
modifiers.  This is associated with:

  crack_testlib
  crack_testnum
  crack_teststr
  crack_packer

...so, have you been playing with cracklib2 in the recent past?


If not, I'd suggest rebooting immediately to known good media.  The
LinuxCare BBC (ISO available: http://open-projects.linuxcare.com/BBC/)
is highly excellent, full-featured, and Debian-based.  You'll want to
snoop around /root, /bin, /sbin, and a few other areas looking for odd
files (timestamps may or may not help).  If you can't get the BBC,
Tom's RootBoot (http://www.toms.net/rb) is another good option, though
its foundations on the 2.0.37 kernel may not allow access to modern
ext2fs filesystems.  I'd try to get a copy of sash, the
stand-alone-shell, which is statically linked and has copies of many
useful utilities, for snooping around -- your system is now suspect.
Note in particular that ls, ps, top, and a few other standard utilities
are very typically replaced with variants which won't reveal the crack
tools.  You can get around this by using the poor man's versions:

   echo * .*            # Will list all files matching the wildcard
                        # pattern

   echo /proc/[0-9]*    # Will list all processes currently running on
                        # the system.  Note any discrepancies between
                        # this output and 'ps'.

Note that if you do find a mysterious process, you can STOP it (rather
than kill it) to examine the state of the process.  You may also want to
look at netstat and lsof output to see if there are any mysterious
things going on.  Doing this from a relatively quiescent system is
likely to be helpful.

Best thing to do is to get a known good copy of Debian MD5 checksums and
run the md5sums package to verify your system.  Verify *all*
inconsistencies.  Note that you'll still have to find unaccounted-for
binaries.  Then, you're likely going to want to reinstall your system
partitions, after wiping out the current directories thoroughly.  Save
your local information.

Time to read up on forensics and intrusion recovery.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
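The "/proc versus ps" comparison from Karsten's mail, written out as a script; this is an added example and not part of the original message. The function names, the script name and the sample PIDs are this example's own.

```shell
#!/bin/sh
# Added example, not from the original mail: a script form of the
# "/proc versus ps" check.  The shell glob reads process directories
# straight from the kernel without exec'ing ls or ps, so a replaced ps
# that hides entries shows up as PIDs present in /proc but absent from
# its output.  Function names and sample PIDs are this example's own.

# Pure comparison, so it can be tested on constructed input:
# $1 = whitespace-separated PIDs seen in /proc, $2 = PIDs reported by ps.
# Prints every PID from the first list that is missing from the second.
hidden_pids() {
    for pid in $1; do
        found=0
        for known in $2; do
            if [ "$pid" = "$known" ]; then found=1; break; fi
        done
        [ "$found" -eq 0 ] && echo "$pid"
    done
    return 0
}

# Live check.  ps is read first and the glob second, so a process that
# starts in between can appear as a false positive but one that exits in
# between cannot; re-run and keep only PIDs that show up every time.
live_hidden_pids() {
    ps_list=$(ps -e -o pid=)
    proc_list=""
    for d in /proc/[0-9]*; do
        proc_list="$proc_list ${d#/proc/}"
    done
    hidden_pids "$proc_list" "$ps_list"
}

# Constructed sample (not data from any real system): the kernel sees
# PID 31337 but ps does not, so 31337 is printed.
sample_proc="1 2 134 2042 31337"
sample_ps="1 2 134 2042"
hidden_pids "$sample_proc" "$sample_ps"

# Run against the live system with:  sh hidden_procs.sh --live
if [ "${1:-}" = "--live" ]; then
    live_hidden_pids
fi
```

Run it from the statically linked sash that the mail recommends, since the system's own /bin/sh is as suspect as its ps.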
