Re: suspicious files in /tmp
Quoting Marcel Weber (mmweber@ncpro.com):
> But what made me shudder was this: In the /tmp folder I found these files:
>
> drwx------ 2 root root 48 Aug 10 19:36 Ib2KZi
> drwx------ 2 root root 88 Jan 3 06:12 MF2oMw
> drwx------ 2 root root 48 Aug 11 16:32 S0oNze
> srwxr-x--- 1 root root 0 Aug 10 20:32 fileCOpZW0
> -rw-r--r-- 1 root root 11 Aug 10 20:10 fileXVutPe
> drwx------ 2 root root 48 Aug 10 19:37 nYBXvZ
>
> And in the /tmp/MF20Mw folder this one (I attached it to the posting):
>
> -rw------- 1 root root 8192 Aug 10 19:33 L8823-7955TMP.txt.gz
>
> Is this a left over from an attempt to hack my system?
Highly unlikely. Attackers know that /tmp isn't an out-of-the-way
place. Admins and other users look there all the time. Intruders tend
to hide things away in places like boring-sounding subdirectories of /dev .
Speaking of that: I'll bet that, if you looked around in /tmp more
often, you'd see lots of temporary files and directories like that, from
time to time -- especially after installing and building software.
> How can I check what happened and if the attacker succeeded?
Read the advisories from your well-tuned IDS. ;->
http://linuxgazette.net/issue98/moen.html
--
Cheers,
Rick Moen
rick@linuxmafia.com

"A raccoon tangled with a 23,000 volt line, today. The results blacked out 1400 homes and, of course, one raccoon." -- Steel City News
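Rick's remark that intruders favour boring-looking subdirectories of /dev over /tmp suggests a cheap triage check: /dev should hold device nodes, symlinks, FIFOs and a few directories, so any regular file underneath it deserves a look. The script below is an added example, not code from the thread or from either poster; it walks a tree and reports regular files, and builds a constructed fake /dev in a temp directory (with a made-up ".udev/queue" subdirectory) so it can be run without root and without touching the real /dev.

```python
import os
import stat
import tempfile


def find_regular_files(root):
    """Walk `root` and return the paths of regular files.

    Device nodes, symlinks, sockets and FIFOs are skipped, so under a
    real /dev every hit is something that does not belong there.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: do not follow symlinks
            except OSError:
                continue                 # vanished or unreadable; ignore
            if stat.S_ISREG(st.st_mode):
                hits.append(path)
    return sorted(hits)


def build_demo_tree():
    """Build a constructed stand-in for /dev in a temp directory.

    Contains one FIFO, one symlink and a regular file hidden in a
    boring-sounding subdirectory (all names are made up for the demo).
    """
    root = tempfile.mkdtemp(prefix="fakedev_")
    sub = os.path.join(root, ".udev", "queue")
    os.makedirs(sub)
    with open(os.path.join(sub, "cache.dat"), "wb") as f:
        f.write(b"not a device node")
    os.mkfifo(os.path.join(root, "initctl"))          # legitimate-looking FIFO
    os.symlink("/dev/null", os.path.join(root, "stdout"))  # symlink, not a file
    return root


if __name__ == "__main__":
    # Scan the constructed tree; pass "/dev" instead to check a real host.
    demo_root = build_demo_tree()
    for p in find_regular_files(demo_root):
        print("regular file under", demo_root, ":", p)
```

Run it as-is to see the constructed hit, or call `find_regular_files("/dev")` on a host to list candidates for manual review; an empty result is the expected state on a clean system, and package-manager metadata (`rpm -V`, `debsums`) is the natural next step for anything it does report.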