
Re: Security Breach: A zero byte file created in my home directory



On 2007-05-15 11:35:03 +0530, Deboo ^ wrote:
> I saw today that there's a zero byte file in my home dir with the name
> "Brendan" created yesterday but I couldn't search who created it or
> what was the command that created it etc from any log files.

Are you sure you haven't written something containing "> Brendan" in
a terminal (e.g. by pasting a selection by mistake, this sometimes
happens to me, and I get 0-byte file creation because of that)?

You can look at the history file of your shell, e.g. .bash_history if
it is bash.

> I did not have a firewall yet.

That's not very useful under Linux, unless you installed some insecure
software or did something wrong with servers.

> I am testing postfix on and off but don't keep it online for more
> than a few minutes every time I test.

Or could this come from one of your tests?

> Can someone have used that to login to my system?

I'd say that such file creations are often user mistakes.

> And JUST now as I am posting this, that file is GONE. I did not delete
> it.

That's strange.

> Even with the firewall, someone is in my computer?

If someone entered your computer before you installed the firewall,
this could be too late (he could have installed a rootkit that
bypasses the firewall). You can try chkrootkit to see if a rootkit
was installed.

Another possibility is that you have run some program that did this
file creation and deletion.

-- 
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
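
The history check suggested above, as an added example that is not part of the original message: it lists history entries that could have created a given file, such as a pasted mail quote like "> Brendan wrote:" being parsed as a redirection. The function names and the sample history are constructed for illustration; it assumes a bash-style history file, with optional HISTTIMEFORMAT timestamp lines.

```shell
#!/bin/sh
# find_creators HISTFILE NAME
# Prints "line<TAB>epoch-or-dash<TAB>command" for each history entry that could
# have created NAME: a redirection to it, or a touch. Output is a list of
# candidates for review; shell quoting is not fully parsed.
find_creators() {
    # Escape ERE metacharacters so NAME is matched literally.
    _esc=$(printf '%s' "$2" | sed 's/[][\.*^$+?(){}|]/\\&/g')
    NAME_RE=$_esc awk '
        BEGIN {
            q    = "[\"\047]?"              # optional quote around the name
            name = q "(\\./|~/)?" ENVIRON["NAME_RE"] q "[ \t;&|<>)]"
            redir = ">[>|&]?[ \t]*" name    # > >> >| >& 2> &>
            touch = "[ \t;&|(]touch[ \t]([^;&|]*[ \t])?" name
        }
        /^#[0-9]+$/ { ts = substr($0, 2); next }   # HISTTIMEFORMAT stamp
        {
            s = " " $0 " "                  # pad so line ends act as delimiters
            if (s ~ redir || s ~ touch)
                printf "%d\t%s\t%s\n", NR, (ts == "" ? "-" : ts), $0
            ts = ""
        }
    ' "$1"
}

# Constructed sample history (not from the thread).
sample_history() {
cat <<'EOF'
#1179100800
ls -la
#1179100860
> Brendan wrote:
grep Brendan ~/mbox
cat notes > Brendan2
touch ./Brendan
: >>"Brendan"; ls
EOF
}

hist=$(mktemp)
sample_history > "$hist"
find_creators "$hist" Brendan
rm -f "$hist"
```

Where a timestamp is printed, it can be compared with the file's modification time while the file still exists.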


