Re: strange files, break-in?
On Sat, Jan 20, 2001 at 07:20:52PM +0100, Igor Mozetic wrote:
:I've noticed three strange files in /root dir:
:
:host:~# ls -al /root
:-rw-r--r-- 1 root root 1024 Jan 5 11:20 ..hwm
:-rw-r--r-- 1 root root 214184 Jan 5 11:20 ..pwd
:-rw-r--r-- 1 root root 11356 Jan 5 11:20 ..pwi
:
:..pwd is ASCII with a lot of control chars in it; the other
:two are binaries. Is this a side product of running some
:program or maybe some break-in leftover?
I vote for break-in. I can think of no legitimate programs that create
double dot files (did somebody think this would make them harder to
see???)
A couple of things to do:

Run "strings" on the binary files; sometimes you can figure out what
they are this way.
Do a "netstat -tap|less" as root; this will show all (-a) active TCP (-t)
connections and listening sockets and the processes (-p) that own them.
Do a "find /dev -type f"; this will find any regular files in /dev.
There shouldn't be any; they're all device special files (except the
MAKEDEV script, which may be a regular file but on current Debian
systems is a symlink to /sbin/MAKEDEV and not a regular file).
Look at /etc/inetd.conf; some backdoors are put in this file (usually
at the end).
It would be best to copy over known good versions of find and netstat,
as these may be trojaned (find usually isn't; netstat often is).
-Jon
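The checks Jon lists, collected into one triage script as an added example; this is not code from the thread or from Debian. It assumes you run it against a filesystem root (the live system or a mounted copy) and, for the last check, a directory of known-good binaries copied from install media or a trusted host; both paths are arguments, and the dot-dot name, /dev and inetd.conf checks work on any directory so they can be tried on a scratch tree first.

```shell
#!/bin/sh
# Added example: host triage for the symptoms in the thread.
# Usage: sh triage.sh /            (live system)
#        sh triage.sh /mnt/disk /media/cdrom/known-good   (mounted image)

# Check 1: files whose names start with ".." (".." itself is excluded by '?*').
# Argument: directory to inspect, non-recursive.
find_dotdot_files() {
    find "$1" -maxdepth 1 -type f -name '..?*' 2>/dev/null | sort
}

# Check 2: regular files under a /dev tree. Device nodes are not regular
# files, so anything found here is worth a look. MAKEDEV is the one
# legitimate exception the thread names, so it is skipped.
find_regular_in_dev() {
    find "$1" -type f ! -name MAKEDEV 2>/dev/null | sort
}

# Check 3: printable strings from an unknown binary (names, URLs, error
# messages and usage text often survive and identify the tool).
strings_summary() {
    strings -n 6 "$1" 2>/dev/null | sort -u | head -n 40
}

# Check 4: inetd.conf lines that hand a socket directly to a shell. A
# service line that runs /bin/sh or /bin/bash is not something a normal
# Debian inetd.conf contains and matches the "backdoor at the end" pattern.
suspicious_inetd_lines() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -E '/bin/(ba)?sh' || true
}

# Check 5: listening TCP sockets with owning process (needs root).
listening_sockets() {
    netstat -tap 2>/dev/null | grep LISTEN || true
}

# Check 6: compare an installed tool against a known-good copy byte for
# byte. Returns 0 when identical, 1 when they differ or a file is missing.
same_binary() {
    cmp -s "$1" "$2"
}

run_all() {
    root=${1%/}
    good=$2
    echo "== dot-dot files in $root/root";   find_dotdot_files "$root/root"
    echo "== regular files under $root/dev"; find_regular_in_dev "$root/dev"
    echo "== shell-spawning inetd.conf lines"; suspicious_inetd_lines "$root/etc/inetd.conf"
    echo "== listening sockets (live system only)"; listening_sockets
    for f in $(find_dotdot_files "$root/root"); do
        echo "== strings in $f"; strings_summary "$f"
    done
    if [ -n "$good" ]; then
        for t in find netstat ls ps; do
            inst=$(command -v "$t" 2>/dev/null || echo "$root/bin/$t")
            if same_binary "$inst" "$good/$t"; then
                echo "ok      $t"
            else
                echo "DIFFERS $t  (compare $inst against $good/$t)"
            fi
        done
    fi
}

if [ $# -gt 0 ]; then
    run_all "$@"
fi
```

The binary comparison is deliberately last: if netstat or find on the box is trojaned, the earlier checks that rely on them cannot be trusted, which is exactly Jon's point about running known-good copies; on a live system the safer order is to put the trusted binaries first in PATH before running anything else.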