I came across something odd this morning on a Sarge production server I
manage remotely. The machine runs a self-compiled 188.8.131.52 kernel and I
keep it up to date with security fixes. (I run upgrades and
dist-upgrades when I get email from debian-security-announce).
The box is an HP/Compaq somethingorother server with the following
0000:04:03.0 RAID bus controller: Compaq Computer Corporation Smart
Array 64xx (rev 01). The filesystem is ext3 on 2x160GB hardware RAID1.
The box has 3 GB ECC RAM. None of the hardware reports any failure of
The weird thing is that there are six files in / that should not be
there. 'ls -l' gives me:

-rw-rw-rw- 1 root root 0 2005-08-17 23:08 ?
-rw-rw-rw- 1 root root 0 2005-08-18 23:08 ?
-rw-rw-rw- 1 root root 0 2005-09-06 23:13 ?
-rw-rw-rw- 1 root root 0 2005-08-17 23:08 ???
-rw-rw-rw- 1 root root 0 2005-08-18 23:08 ???
-rw-rw-rw- 1 root root 0 2005-09-06 23:13 ???

I wrote a little C app that runs readdir() on / and gives me all the
filenames as strings and a char cast into int. With a utf8 console I
get the filenames as a series of squares now, but what I find more
interesting is that when I print off the integer values of each of the
chars in the filenames, I get this:

dir='/', file='', char = -10,-73,-128
dir='/', file='?', char = -10,-73,-80,-110,25,8
dir='/', file='', char = -14,-73,-128
dir='/', file='', char = -14,-73,-80,-110,25,8
dir='/', file='', char = -16,-73,-128
dir='/', file='', char = -16,-73,-80,-110,25,8

... negative numbers? (The strings won't paste properly).

I've forced fsck, which doesn't find anything out of the ordinary. I've
run chkrootkit, which finds nothing. I've checked the logs, which list a
few childish attempts at burglary via proftpd, but not anything I'm
going to lose sleep over, and nothing else of interest. I'm not saying
the box hasn't been compromised, but if it has, I'd like to find out HOW
before I do anything else.
I've just tried to create a file with the characters -10, -72, -80,
-110, 25, 8 as filename, and got a completely different result.
Does anyone have any suggestion as to what may be going on? I'm pretty
much at a loss.
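
Added example, not the poster's program: a readdir() lister that reads each filename byte as unsigned char and prints anything outside printable ASCII as \xHH, together with the inode number. Plain char is signed on x86 Linux, so bytes of 0x80 and above print as negative numbers when cast straight to int, as in the output above. The function names and the sample array are assumptions made for this illustration.

```c
#include <dirent.h>
#include <stdio.h>

/* Copy name into out, writing every byte outside printable ASCII (and the
   backslash itself, to keep output unambiguous) as \xHH. Returns that count. */
int escape_name(const char *name, char *out, size_t outsz)
{
    int escaped = 0;
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (o + 5 > outsz) break;            /* room for "\xHH" plus NUL */
        if (*p >= 0x20 && *p < 0x7f && *p != '\\') {
            out[o++] = (char)*p;
        } else {
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", (unsigned)*p);
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

/* Print every entry of path whose name needed escaping; -1 if unreadable. */
int scan_dir(const char *path)
{
    DIR *d = opendir(path);
    struct dirent *e;
    char buf[4 * 256 + 1];
    int odd = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (escape_name(e->d_name, buf, sizeof buf) > 0) {
            printf("dir='%s' inode=%lu name=%s\n", path, (unsigned long)e->d_ino, buf);
            odd++;
        }
    }
    closedir(d);
    return odd;
}

int main(int argc, char **argv)
{
    /* Constructed sample: the six values from the post, as signed chars. */
    const signed char sample[] = { -10, -73, -80, -110, 25, 8, 0 };
    char buf[64];
    escape_name((const char *)sample, buf, sizeof buf);
    printf("sample -> %s\n", buf);
    return scan_dir(argc > 1 ? argv[1] : "/") < 0;
}
```

The inode number gives a way to refer to an entry whose name cannot be typed or pasted, for example with find's -inum test.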