
crack traces in /var ?



Hi all,

Google didn't yield anything specific, so does anyone know what sort of crack my desktop machine (NAT behind an up to date woody stable iptables firewall) seems to have suffered? Symptoms are

a dir named /var/bobsdata, containing "admin.pwd" with a string like $1$WmspYkT9$POV... and subdirs current/process, containing "cmdloop" and "check_loop". I also found a crontab entry

0-59/5 * * * * root /var/bobsdata/current/process/check_loop

My firewall sometimes displays packets to ports that are used by trin00 and subseven with a DST address of my internal network.

chkrootkit reported nothing unusual.

Tiger gives me about 30 messages about standard binaries such as

--WARN-- [sig004w] None of the following versions of /usr/bin/passwd
         (-rwsr-xr-x) matched the /usr/bin/passwd on this machine.
         >>>>>> Linux 2.0.35

Therefore I cleaned the deb cache, did an apt-get install --reinstall of all the mentioned packages, and am still getting this set of warnings. Considering earlier experiences with tiger, I wonder if this is a Debian-specific tiger problem and a false positive, just like the complaints about

--FAIL-- [pass009e] Login daemon has a user id of 1.
--FAIL-- [pass009e] Login daemon has a group id of 1.

(Debian default, no?)

and a trace of Hylafax:

--FAIL-- [pass009e] Login faxmaster has more than 8 characters.
--FAIL-- [pass009e] Group faxmaster has more than 8 characters.

Would you think that by deleting the /var/bobsdata dir and the crontab entry, plus my --reinstall, I have stopped being a DDoS client and can skip a new install of my machine? Any ideas appreciated...

Andreas



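The post above lists four things worth checking on a box like this: the crontab entry, the admin.pwd hash, the package binaries tiger complains about, and the firewall log entries for trin00/subseven ports. The script below is an added triage helper for exactly those four checks; it is not from the thread and not part of tiger, chkrootkit or Debian. It runs entirely on constructed sample data (a fake /etc/crontab, a fake dpkg md5sums list with stand-in files, and three made-up iptables LOG lines, all written to a temp dir), so nothing here touches the real system. On a real Debian host the md5sums check is what debsums does for you (debsums -c), and the port table is my own assumption from the commonly cited trin00 defaults (27665/tcp, 27444/udp, 31335/udp) and SubSeven defaults (1243/tcp, 27374/tcp); tools that use other ports will not be flagged, so treat it as a hint, not a verdict.

```shell
#!/bin/sh
# Added triage helper, not part of the original post. All input below is
# constructed sample data; on a real host point the functions at /etc/crontab,
# /var/lib/dpkg/info/<pkg>.md5sums (root /) and the kernel/iptables log.

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# 1. Constructed /etc/crontab, modelled on the entry quoted in the post.
cat > "$work/crontab" <<'EOF'
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    run-parts --report /etc/cron.hourly
0-59/5 * * * * root /var/bobsdata/current/process/check_loop
EOF

# 2. Constructed dpkg-style md5sums list plus stand-in files under a fake root.
#    "ls" gets a deliberately wrong sum, "chsh" is listed but absent.
mkdir -p "$work/root/usr/bin"
printf 'stand-in for the real passwd binary\n' > "$work/root/usr/bin/passwd"
printf 'stand-in for a replaced ls binary\n'   > "$work/root/usr/bin/ls"
good=$(md5sum "$work/root/usr/bin/passwd" | awk '{ print $1 }')
{
    printf '%s  usr/bin/passwd\n' "$good"
    printf '%s  usr/bin/ls\n'     d41d8cd98f00b204e9800998ecf8427e
    printf '%s  usr/bin/chsh\n'   d41d8cd98f00b204e9800998ecf8427e
} > "$work/passwd.md5sums"

# 3. Constructed iptables LOG lines (RFC 5737 addresses, fake timestamps).
cat > "$work/fw.log" <<'EOF'
Jan  5 12:00:01 fw kernel: IN=ppp0 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 PROTO=UDP SPT=4321 DPT=27444 LEN=40
Jan  5 12:00:02 fw kernel: IN=ppp0 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=4322 DPT=27374 WINDOW=5840
Jan  5 12:00:03 fw kernel: IN=ppp0 OUT=eth0 SRC=198.51.100.3 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=4323 DPT=80 WINDOW=5840
EOF

# Print system-crontab entries (m h dom mon dow user command) whose command
# lives under /var, where no legitimate Debian package installs cron targets.
find_cron_under_var() {
    awk '$1 !~ /^#/ && NF >= 7 && $7 ~ /^\/var\// { print }' "$1"
}

# Classify a crypt(3) hash by its $id$ prefix. "$1$" is MD5-crypt, the
# format the post's admin.pwd string starts with.
hash_algo() {
    case "$1" in
        '$1$'*)        echo md5crypt ;;
        '$5$'*)        echo sha256crypt ;;
        '$6$'*)        echo sha512crypt ;;
        '$2'[aby]'$'*) echo bcrypt ;;
        *)             echo unknown ;;
    esac
}

# Verify files against a dpkg-style md5sums list ("<md5>  <relative path>")
# rooted at $2. Prints CHANGED/MISSING lines; returns 1 if anything is off.
# This is the check debsums performs from /var/lib/dpkg/info/*.md5sums.
verify_md5sums() {
    list=$1; root=$2; rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        have=$(md5sum "$root/$path" | awk '{ print $1 }')
        [ "$have" = "$want" ] || { echo "CHANGED $path"; rc=1; }
    done < "$list"
    return $rc
}

# Flag iptables LOG lines whose PROTO/DPT pair is a commonly cited trin00 or
# SubSeven default port (assumed table; other ports will not be flagged).
flag_ddos_ports() {
    awk '
    {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n == 2 && kv[1] == "PROTO") proto = kv[2]
            if (n == 2 && kv[1] == "DPT")   dpt = kv[2]
        }
        key = proto "/" dpt
        if (key == "TCP/27665" || key == "UDP/27444" || key == "UDP/31335")
            print "trin00   " $0
        else if (key == "TCP/27374" || key == "TCP/1243")
            print "subseven " $0
    }' "$1"
}

echo "== cron entries under /var";      find_cron_under_var "$work/crontab"
echo "== admin.pwd hash type";          hash_algo '$1$WmspYkT9$POV'
echo "== md5sums check";                verify_md5sums "$work/passwd.md5sums" "$work/root" || true
echo "== suspicious firewall log lines"; flag_ddos_ports "$work/fw.log"
```

Note that a clean debsums run proves only that the files on disk match what dpkg recorded at install time; if the reinstall itself came from a compromised mirror or a trojaned dpkg, both sides of the comparison are wrong, which is why a rebuild from known-good media is the usual answer once a rootkit-style directory and a root cron job have been found.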