
Re: Security Breach: A zero byte file created in my home directory



On 2007-05-16 02:54:06 +0530, Deboo ^ wrote:
> On 5/15/07, Vincent Lefevre <vincent@vinc17.org> wrote:
>> On 2007-05-15 11:35:03 +0530, Deboo ^ wrote:
>> > I saw today that there's a zero byte file in my home dir with the name
>> > "Brendan" created yesterday but I couldn't search who created it or
>> > what was the command that created it etc from any log files.
>>
>> Are you sure you haven't written something containing "> Brendan" in
>> a terminal (e.g. by pasting a selection by mistake, this sometimes
>> happens to me, and I get 0-byte file creation because of that)?
>
> Yes, I am sure I did not write anything containing "Brendan" and for me
> that's kinda new word or grammatically incorrect as far as I can say,
> though it could be a name for someone. Brandon should be the word and
> I can never make such a typo as far as I can say.

But how about a paste you didn't notice? I don't know what terminal
you use, but for those that do paste on middle click, it is very easy
to paste without noticing it. The "> Brendan" could come from some
mail/news message written by some user (see the 5th line of this
message for instance) and ditto, it is very easy to select by mistake.

BTW, would an intruder create an empty file Brendan, leaving this trace
and clearing everything else?

>> > I am testing postfix on and off but don't keep it online for more
>> > than a few minutes every time I test.
>>
>> Or could this come from one of your tests?
>
> Not from a test from me. My mistake that I kept the most easy password
> for a new username just to test smtp auth.

This could be a problem if you have enabled sshd and if someone guessed
the username and the password.

>> > And JUST now as I am posting this, that file is GONE. I did not
>> > delete it.
>>
>> That's strange.
>
> Sorry for this. I was kind of worried so forgot that I saw the file in
> the root's home folder and not mine. That file is still there.

Do its ctime and mtime correspond to something special?

> Note the output of the iptables arno-firewall script, two lines:
>
> May 16 02:49:21 debian kernel: Connection attempt (UNPRIV): IN=ppp0
> OUT= MAC= SRC=141.242.x.x DST=MY_IP_ADDRESS  LEN=392 TOS=0x00
> PREC=0x00 TTL=51 ID=61472 PROTO=UDP SPT=30349 DPT=1026 LEN=372
>
> May 16 02:50:54 debiansite kernel: Connection attempt (PRIV): IN=eth0
> OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:9d:0f:b9:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1294
> PROTO=UDP SPT=68 DPT=67 LEN=308
>
> What kind of connection attempt is this? Isn't the second one a
> broadcast packet?

The second one corresponds to the BOOTP[1] protocol. I think it is
normal.

[1] http://en.wikipedia.org/wiki/Bootstrap_Protocol

Concerning the first one, this is apparently the Calendar Access
Protocol port[2].

[2] http://www.linklogger.com/UDP1026.htm

-- 
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
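The two kernel log lines discussed above are in the field format written by the netfilter LOG target (a free-text prefix followed by KEY=VALUE pairs). The following parser and classifier is an added example, not code from this thread or from the arno-iptables-firewall project; it assumes that format, treats `ppp0` as the WAN interface, and runs over two constructed sample lines modelled on the quoted ones (with RFC 5737 documentation addresses in place of the poster's real ones). It separates the normal DHCP/BOOTP client broadcast (SPT=68, DPT=67 to 255.255.255.255) from an unsolicited inbound UDP packet arriving on the WAN side, which is the distinction Vincent draws in prose.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the two kernel log lines quoted in the thread.
# SRC/DST of the first line are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
May 16 02:49:21 debian kernel: Connection attempt (UNPRIV): IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=392 TOS=0x00 PREC=0x00 TTL=51 ID=61472 PROTO=UDP SPT=30349 DPT=1026 LEN=372
May 16 02:50:54 debiansite kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:9d:0f:b9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1294 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

# syslog timestamp, host, "kernel:", the free-text --log-prefix, then the KEY=VALUE fields.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?): (?P<fields>IN=.*)$"
)


@dataclass
class LogEntry:
    stamp: str
    host: str
    prefix: str
    fields: dict = field(default_factory=dict)


def parse_line(line):
    """Parse one netfilter LOG line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")   # "OUT=" and "MAC=" yield empty values
        # LEN appears twice (IP total length, then UDP length); keep the first one.
        fields.setdefault(key, value)
    return LogEntry(m.group("stamp"), m.group("host"), m.group("prefix"), fields)


def parse_netfilter_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify(entry, wan_ifaces=("ppp0",)):
    """Label an entry; wan_ifaces is an assumption about this host's interfaces."""
    f = entry.fields
    # DHCP/BOOTP client discovery: client port 68 -> server port 67, limited broadcast.
    if (f.get("PROTO") == "UDP" and f.get("SPT") == "68" and f.get("DPT") == "67"
            and f.get("DST") == "255.255.255.255"):
        return "dhcp-discover-broadcast"
    # Anything arriving on the WAN interface that the firewall logged was unsolicited.
    if f.get("IN") in wan_ifaces:
        return "unsolicited-inbound-wan"
    return "other"


def summarize(text):
    """Count entries per class, so a day's log reduces to a few numbers."""
    counts = {}
    for e in parse_netfilter_log(text):
        label = classify(e)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_netfilter_log(SAMPLE_LOG):
        print(e.stamp, e.prefix, classify(e),
              e.fields["SRC"], "->", e.fields["DST"], "dpt", e.fields.get("DPT"))
    print(summarize(SAMPLE_LOG))
```

Feed it `/var/log/kern.log` (or wherever the kernel facility is logged on your system) instead of `SAMPLE_LOG` and the "other" bucket is the one worth reading line by line; the DHCP broadcast is expected on any LAN with a DHCP client, and the WAN entries are packets the firewall already dropped.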
