Hi

It isn't exactly a Debian question, but nevertheless I think this is the appropriate place to post this.

I ran chkrootkit 0.43 on my LFS box. This system is a mail and web server. Chkrootkit complained about two files: /bin/netstat and /usr/bin/env. Both of these files were quite big (215 kB and 1 MB), but they had the correct date, etc., and I checked them against an older backup I made before "attaching" the box to the internet and they look the same. I thought that these files were probably still statically linked (something that dates back to the setup of the LFS box...)

But what made me shudder was this: In the /tmp folder I found these files:

    drwx------ 2 root root   48 Aug 10 19:36 Ib2KZi
    drwx------ 2 root root   88 Jan  3 06:12 MF2oMw
    drwx------ 2 root root   48 Aug 11 16:32 S0oNze
    srwxr-x--- 1 root root    0 Aug 10 20:32 fileCOpZW0
    -rw-r--r-- 1 root root   11 Aug 10 20:10 fileXVutPe
    drwx------ 2 root root   48 Aug 10 19:37 nYBXvZ

And in the /tmp/MF20Mw folder this one (I attached it to the posting):

    -rw------- 1 root root 8192 Aug 10 19:33 L8823-7955TMP.txt.gz

Is this a left over from an attempt to hack my system? How can I check what happened and if the attacker succeeded? The bad thing is, there are no log files left from August. Has anybody a clue what this L8823-7955TMP.txt.gz file could be?
Regards Marcel
Attachment:
L8823-7955TMP.txt.gz
Description: application/gzip
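The two checks Marcel did by hand on /bin/netstat and /usr/bin/env (comparing against a pre-exposure backup, and guessing whether the size is explained by static linking) can be made mechanical. The script below is an added example written for this thread, not code from the poster or from chkrootkit: it hashes each live binary against its backup copy and reads the ELF program headers to report whether the file carries a PT_INTERP entry (present in dynamically linked executables, absent in static ones). The directory layout and the minimal ELF images in `demo()` are constructed stand-ins so it runs offline; on a real box you would point `audit_against_backup()` at the mounted backup and the live root.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

PT_INTERP = 3  # program header type that names the dynamic loader (ld.so)


def is_static_elf(path):
    """True if the ELF file at `path` has no PT_INTERP program header.

    A dynamically linked executable carries a PT_INTERP entry pointing at
    ld.so; a statically linked one does not (which is why it is so large).
    Handles ELF32/ELF64 and both byte orders; only headers are parsed.
    """
    data = Path(path).read_bytes()
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    fmt = "16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH"
    ehdr = struct.unpack_from(end + fmt, data, 0)
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(phnum):
        (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return False
    return True


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_against_backup(live_root, backup_root, rel_paths):
    """Compare each live binary with its pre-exposure backup copy.

    Returns {rel_path: (status, linkage)} where status is one of
    'matches-backup', 'DIFFERS', 'no-backup-copy' and linkage is
    'static' or 'dynamic' as read from the live copy's headers.
    """
    report = {}
    for rel in rel_paths:
        live = Path(live_root) / rel
        backup = Path(backup_root) / rel
        linkage = "static" if is_static_elf(live) else "dynamic"
        if not backup.exists():
            status = "no-backup-copy"
        elif sha256_of(live) == sha256_of(backup):
            status = "matches-backup"
        else:
            status = "DIFFERS"
        report[rel] = (status, linkage)
    return report


def build_sample_elf(with_interp):
    """Constructed minimal ELF64 image (headers only, not runnable) for the demo."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # 64-bit, LE, version 1
    phdrs = [(1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]  # PT_LOAD
    if with_interp:
        phdrs.append((PT_INTERP, 4, 0x200, 0x400200, 0x400200, 28, 28, 1))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0x400000,
                       64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


def demo():
    """Lay out a constructed live tree and backup tree in a temp dir and audit them."""
    root = Path(tempfile.mkdtemp())
    files = {
        # constructed: netstat static and identical in both trees
        "live/bin/netstat": build_sample_elf(False),
        "backup/bin/netstat": build_sample_elf(False),
        # constructed: env dynamic on the live box, static in the backup -> differs
        "live/usr/bin/env": build_sample_elf(True),
        "backup/usr/bin/env": build_sample_elf(False),
        # constructed: a binary with no backup copy at all
        "live/bin/ls": build_sample_elf(True),
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return audit_against_backup(root / "live", root / "backup",
                                ["bin/netstat", "usr/bin/env", "bin/ls"])


if __name__ == "__main__":
    for rel, (status, linkage) in demo().items():
        print(f"{rel:16} {status:16} {linkage}")
```

A matching hash against a backup taken before the box went online is the only one of these results that actually clears a binary; "static" on its own just explains the size. Run the comparison from a clean rescue system if you can, since a compromised kernel or libc can lie to tools running on the live box.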
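For the unknown L8823-7955TMP.txt.gz under /tmp, the safe first step is to read the gzip header (original filename, modification time, compression method) and inflate the contents under a hard size cap, without ever writing the result to disk or executing it. The following is an added example for this thread, not code from the poster; the sample archives it builds are constructed, and the `max_out` cap and the coarse `classify()` heuristic are this example's own choices.

```python
import gzip
import io
import struct
import zlib
from datetime import datetime, timezone

# gzip header flag bits (RFC 1952)
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10


def parse_gzip_header(data):
    """Return (method, mtime, original_name, header_length) without inflating anything."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip file (bad magic)")
    method, flags, mtime = struct.unpack_from("<BBI", data, 2)
    pos = 10                       # fixed part: magic, CM, FLG, MTIME, XFL, OS
    if flags & FEXTRA:
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    name = None
    if flags & FNAME:
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("latin-1")
        pos = end + 1
    if flags & FCOMMENT:
        pos = data.index(b"\x00", pos) + 1
    if flags & FHCRC:
        pos += 2
    return method, mtime, name, pos


def classify(payload):
    """Coarse content type from the first bytes: elf, script, text or binary."""
    if payload.startswith(b"\x7fELF"):
        return "elf"
    if payload.startswith(b"#!"):
        return "script"
    sample = payload[:512]
    printable = sum(b in b"\t\n\r" or 32 <= b < 127 for b in sample)
    return "text" if sample and printable / len(sample) > 0.95 else "binary"


def inspect_gzip(data, max_out=1 << 20):
    """Summarise a suspicious .gz: header facts plus a size-capped inflate.

    Inflation stops at max_out + 1 bytes so a decompression bomb cannot
    exhaust memory; the payload is only classified, never written or run.
    """
    method, mtime, name, hdr_len = parse_gzip_header(data)
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16 = expect a gzip wrapper
    payload = d.decompress(data, max_out + 1)
    report = {
        "compressed_size": len(data),
        "method": "deflate" if method == 8 else f"unknown({method})",
        "original_name": name,
        "mtime_utc": datetime.fromtimestamp(mtime, timezone.utc).isoformat() if mtime else None,
        "header_length": hdr_len,
    }
    if len(payload) > max_out:
        report.update(status="exceeds-cap", decompressed_size=None, kind=None)
    else:
        report.update(status="ok", decompressed_size=len(payload),
                      ratio=round(len(payload) / len(data), 1),
                      kind=classify(payload))
    return report


def make_sample(payload, name, mtime):
    """Constructed gzip member with an embedded original filename and mtime."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf, mtime=mtime) as f:
        f.write(payload)
    return buf.getvalue()


if __name__ == "__main__":
    # constructed sample standing in for a file found under /tmp
    sample = make_sample(b"Subject: test\nfrom=<user@example.invalid>\n" * 5,
                         "sample.txt", 1060000000)
    print(inspect_gzip(sample))
    # constructed 50 MB of zeros: highly compressible, would blow a naive inflate
    print(inspect_gzip(make_sample(b"\x00" * (50 << 20), "bomb.bin", 0)))
```

The header's mtime and original filename are set by whatever created the archive, so they are evidence of what the creating program thought, not a timestamp you can trust; compare them with the directory's own Aug 10 19:33 mtime and with any other files created in the same minutes.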