
Re: Security Breach: A zero byte file created in my home directory



On 5/15/07, Vincent Lefevre <vincent@vinc17.org> wrote:
> On 2007-05-15 11:35:03 +0530, Deboo ^ wrote:
> > I saw today that there's a zero byte file in my home dir with the name
> > "Brendan" created yesterday but I couldn't search who created it or
> > what was the command that created it etc. from any log files.
>
> Are you sure you haven't written something containing "> Brendan" in
> a terminal (e.g. by pasting a selection by mistake, this sometimes
> happens to me, and I get 0-byte file creation because of that)?

Yes, I am sure I did not write anything containing "Brendan" and for me
that's kind of a new word or grammatically incorrect as far as I can say,
though it could be a name for someone. Brandon should be the word and
I can never make such a typo as far as I can say.

On a trivial basis, I won't use such a filename, I would rather use
non-English names if needed.

> You can look at the history file of your shell, e.g. .bash_history if
> it is bash.
>
> > I did not have a firewall yet.
>
> That's not very useful under Linux, unless you installed some insecure
> software or did something wrong with servers.
>
> > I am testing postfix on and off but don't keep it online for more
> > than a few minutes every time I test.
>
> Or could this come from one of your tests?

Not from a test from me. My mistake that I kept the easiest password
for a new username just to test smtp auth.

> > Could someone have used that to log in to my system?
>
> I'd say that such file creations are often user mistakes.

> > And JUST now as I am posting this, that file is GONE. I did not delete
> > it.
>
> That's strange.

Sorry for this. I was kind of worried so forgot that I saw the file in
the root's home folder and not mine. That file is still there.

> > Even with the firewall, someone is in my computer?
>
> If someone entered your computer before you installed the firewall,
> this could be too late (he could have installed a rootkit, that
> bypasses the firewall). You can try chkrootkit to see if a rootkit
> was installed.

I have chkrootkit installed since day one. And it didn't mention any such thing.

> Another possibility is that you have run some program that did this
> file creation and deletion.

No such program as far as I know.


Note the output of the iptables arno-firewall script, two lines:

May 16 02:49:21 debian kernel: Connection attempt (UNPRIV): IN=ppp0
OUT= MAC= SRC=141.242.x.x DST=MY_IP_ADDRESS  LEN=392 TOS=0x00
PREC=0x00 TTL=51 ID=61472 PROTO=UDP SPT=30349 DPT=1026 LEN=372

May 16 02:50:54 debiansite kernel: Connection attempt (PRIV): IN=eth0
OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:9d:0f:b9:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1294
PROTO=UDP SPT=68 DPT=67 LEN=308

What kind of connection attempt is this? Isn't the second one a
broadcast packet?

Regards,
Deboo

--
Please don't Cc: me, I'm subscribed to the list.
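Vincent's two suggestions above (a stray "> Brendan" pasted into a terminal creates an empty file, and the shell history file shows what was typed) as an added shell example. This is not part of the thread; the temporary directory, the history file and the "pasted" line it uses are constructed for the demo, and it assumes GNU find for -printf.

```shell
#!/bin/sh
# Added example, not from the thread: triage a mysterious zero-byte file the
# way Vincent suggests. The directory, history file and "pasted" text below
# are constructed for the demo. Requires GNU find for -printf.

# Print every zero-byte regular file directly inside DIR with its mtime.
list_zero_byte_files() {
    find "$1" -maxdepth 1 -type f -size 0 -printf '%p %TY-%Tm-%Td %TH:%TM\n'
}

# Print lines of a shell history file that redirect output into NAME,
# i.e. ">NAME", "> NAME", ">> NAME" or "2> NAME". If HISTTIMEFORMAT is set,
# bash also writes "#<epoch>" lines before each command; they never match.
history_redirects_to() {
    name=$1
    histfile=$2
    grep -E "[0-9]*>+[[:space:]]*\"?${name}\"?([[:space:]]|$)" "$histfile"
}

# Reproduce the accident, then investigate it with the two helpers above.
demo() {
    tmp=$(mktemp -d)
    # Constructed history: the second line is an accidental paste of mail text
    # ("Regards Brendan > Brendan") into the shell.
    printf '%s\n' 'ls -la' 'Regards Brendan > Brendan' 'cat Brendan' > "$tmp/history"
    # POSIX shells perform redirections before the command search, so a
    # non-existent command still leaves an empty file behind.
    ( cd "$tmp" && Regards Brendan > Brendan ) 2>/dev/null || true
    list_zero_byte_files "$tmp"
    history_redirects_to Brendan "$tmp/history" || true
    rm -rf "$tmp"
}
```

Run it with "sh triage.sh" after adding a call to demo at the bottom, or source it and point list_zero_byte_files at /root and history_redirects_to at /root/.bash_history. Note that history is only written when the shell exits normally, and that the history file of the user who owns the directory (root here) is the one to check, not your own.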
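The two firewall log lines in the message, parsed and classified, as an added shell example that is not part of the thread. It assumes the standard kernel netfilter "IN=... OUT=... SRC=... DST=..." line format and treats interfaces named ppp* as the Internet-facing link; the third log line in the demo is constructed (a repeat of the first with a later time and ID).

```shell
#!/bin/sh
# Added example, not from the thread: pull the KEY=VALUE fields out of
# netfilter log lines like the two above and say what each one is.
# Assumed: standard kernel netfilter "IN=... OUT=..." format; interface
# names starting with "ppp" are treated as the WAN link.

# Print the value of KEY in a netfilter log line (empty if absent or empty).
# For keys that occur twice (LEN) the first, IP-level, value is returned.
nf_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print a one-line classification whose first word is a fixed category tag.
classify_nf_line() {
    line=$1
    in=$(nf_field "$line" IN)
    src=$(nf_field "$line" SRC)
    dst=$(nf_field "$line" DST)
    proto=$(nf_field "$line" PROTO)
    spt=$(nf_field "$line" SPT)
    dpt=$(nf_field "$line" DPT)
    if [ "$dst" = 255.255.255.255 ] && [ "$proto" = UDP ] \
       && [ "$spt" = 68 ] && [ "$dpt" = 67 ]; then
        # DHCP client -> server. SRC=0.0.0.0 because the client has no address
        # yet; the MAC field starts with ff:ff:ff:ff:ff:ff (broadcast dest),
        # then the sender's MAC, then 08:00 (IPv4 ethertype).
        echo "dhcp-client-broadcast on $in: a LAN host asking for an address"
    elif [ "$dst" = 255.255.255.255 ]; then
        echo "other-broadcast on $in from $src to $proto/$dpt"
    else
        case $in in
            ppp*) echo "wan-unsolicited on $in: $src -> $proto/$dpt (logged by the firewall)" ;;
            *)    echo "lan-unsolicited on $in: $src -> $proto/$dpt" ;;
        esac
    fi
}

# Read a log on stdin and count the "Connection attempt" lines per category,
# so repeated probes from one source stand out.
summarize_nf_log() {
    while IFS= read -r line; do
        case $line in
            *"Connection attempt"*) classify_nf_line "$line" ;;
        esac
    done | sort | uniq -c | sort -rn
}

# Constructed input: Deboo's two lines, unwrapped, plus a repeat of the first.
demo_nf() {
    summarize_nf_log <<'EOF'
May 16 02:49:21 debian kernel: Connection attempt (UNPRIV): IN=ppp0 OUT= MAC= SRC=141.242.x.x DST=MY_IP_ADDRESS LEN=392 TOS=0x00 PREC=0x00 TTL=51 ID=61472 PROTO=UDP SPT=30349 DPT=1026 LEN=372
May 16 02:50:54 debiansite kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:9d:0f:b9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1294 PROTO=UDP SPT=68 DPT=67 LEN=308
May 16 02:53:07 debian kernel: Connection attempt (UNPRIV): IN=ppp0 OUT= MAC= SRC=141.242.x.x DST=MY_IP_ADDRESS LEN=392 TOS=0x00 PREC=0x00 TTL=51 ID=61480 PROTO=UDP SPT=30349 DPT=1026 LEN=372
EOF
}
```

Run against a real log with "grep 'Connection attempt' /var/log/kern.log | summarize_nf_log" after sourcing the file. For the two lines in the message it gives: the second is indeed a broadcast, specifically a DHCP request from a machine on the eth0 side (source port 68 to destination port 67, no source address yet), which is normal LAN traffic rather than an intrusion; the first is an unsolicited UDP packet from the Internet to port 1026 on the dial-up interface, which the firewall logged rather than delivered, and the count column shows whether the same source keeps coming back.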