Re: Security Breach: A zero byte file created in my home directory



On 5/16/07, Vincent Lefevre <vincent@vinc17.org> wrote:
On 2007-05-16 02:54:06 +0530, Deboo ^ wrote:
> On 5/15/07, Vincent Lefevre <vincent@vinc17.org> wrote:
>> On 2007-05-15 11:35:03 +0530, Deboo ^ wrote:
>> > I saw today that there's a zero byte file in my home dir with the name
>> > "Brendan" created yesterday but I couldn't search who created it or
>> > what was the command that created it etc from any log files.
>>
>> Are you sure you haven't written something containing "> Brendan" in
>> a terminal (e.g. by pasting a selection by mistake, this sometimes
>> happens to me, and I get 0-byte file creation because of that)?
>
> Yes, I am sure I did not write anything containing "Brendan" and for me
> that's kind of a new word or grammatically incorrect as far as I can say,
> though it could be a name for someone. Brandon should be the word and
> I can never make such a typo as far as I can say.

But how about a paste you didn't notice? I don't know what terminal
you use, but for those that do paste on middle click, it is very easy
to paste without noticing it. The "> Brendan" could come from some
mail/news message written by some user (see the 5th line of this
message for instance) and ditto, it is very easy to select by mistake.

Thanks for the clarity. Yep that's very possible since an unintended
paste has happened quite a few times when gpm didn't paste what I
copied but the previous selection from the links browser.

BTW, would an intruder create an empty file Brendan, leaving this trace
and clearing everything else?

No, he wouldn't, but it was a nice warning to me to make iptables work.
Sorry for the trouble to all who had to read this.

> Note the output of the iptables arno-firewall script, two lines:
>
> May 16 02:49:21 debian kernel: Connection attempt (UNPRIV): IN=ppp0
> OUT= MAC= SRC=141.242.x.x DST=MY_IP_ADDRESS  LEN=392 TOS=0x00
> PREC=0x00 TTL=51 ID=61472 PROTO=UDP SPT=30349 DPT=1026 LEN=372
>
> May 16 02:50:54 debiansite kernel: Connection attempt (PRIV): IN=eth0
> OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:9d:0f:b9:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1294
> PROTO=UDP SPT=68 DPT=67 LEN=308
>
> What kind of connection attempt is this? Isn't the second one a
> broadcast packet?

The second one corresponds to the BOOTP[1] protocol. I think it is
normal.

[1] http://en.wikipedia.org/wiki/Bootstrap_Protocol

Concerning the first one, this is apparently the Calendar Access
Protocol port[2].

[2] http://www.linklogger.com/UDP1026.htm

How do I make iptables not log these, since there are just too many and
they just fill up the log? Only real connection attempts should be logged.

Regards,
Deboo

--
Please don't Cc: me, I'm subscribed to the list.
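The filtering asked about at the end of the message, as an added example that is not part of the thread: a small Python classifier for netfilter LOG lines that recognises the two kinds of noise identified above (the DHCP/BOOTP client broadcast on the LAN side, and unsolicited UDP to port 1026 on the uplink) and keeps everything else, together with the iptables rule that would stop each class before it reaches the LOG rule. The first two sample lines are the ones quoted above; the third (a TCP SYN to port 22) is constructed so that a real probe is seen to survive the filter. Treating eth0 as the LAN interface and ppp0 as the Internet uplink is an assumption taken from those lines.

```python
"""Classify netfilter kernel log lines and decide which ones a LOG rule should skip.

Added example, not code from the thread or from arno-iptables-firewall.
"""
import re
from typing import Dict, List, Optional, Tuple

LAN_IFACE = "eth0"   # assumption: interface facing the local network
WAN_IFACE = "ppp0"   # assumption: interface facing the Internet

# First two lines copied from the message above; third line constructed for the example.
SAMPLE_LOG = """\
May 16 02:49:21 debian kernel: Connection attempt (UNPRIV): IN=ppp0 OUT= MAC= SRC=141.242.x.x DST=MY_IP_ADDRESS  LEN=392 TOS=0x00 PREC=0x00 TTL=51 ID=61472 PROTO=UDP SPT=30349 DPT=1026 LEN=372
May 16 02:50:54 debiansite kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:9d:0f:b9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1294 PROTO=UDP SPT=68 DPT=67 LEN=308
May 16 03:10:02 debian kernel: Connection attempt (PRIV): IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=MY_IP_ADDRESS LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=44123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The LOG target writes KEY=VALUE tokens; some values are empty (OUT=, MAC=) and
# TCP flags such as SYN appear as bare words, which this pattern simply skips.
_KV = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one kernel log line.

    LEN occurs twice (IP total length, then the UDP/TCP length); the first is kept
    as LEN and the second stored as L4_LEN so that neither value is lost.
    """
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if key in fields:
            fields["L4_" + key] = value
        else:
            fields[key] = value
    return fields


def noise_category(fields: Dict[str, str]) -> Optional[str]:
    """Name the class of expected noise a line belongs to, or None if it should be logged."""
    proto, iface = fields.get("PROTO"), fields.get("IN")
    if (proto == "UDP" and iface == LAN_IFACE
            and fields.get("SPT") == "68" and fields.get("DPT") == "67"
            and fields.get("DST") == "255.255.255.255"):
        return "dhcp-broadcast"      # a DHCP/BOOTP client on the LAN looking for a server
    if proto == "UDP" and iface == WAN_IFACE and fields.get("DPT") == "1026":
        return "udp-1026-probe"      # unsolicited UDP/1026 arriving from the Internet
    return None


# iptables rules that silently drop each noise class. They only take effect if they
# sit ahead of the rule that logs, so insert them before it (or in whatever
# "before logging" hook the firewall script provides). Use ACCEPT instead of DROP
# for the DHCP rule if this host is itself the DHCP server.
NOISE_RULES = {
    "dhcp-broadcast": f"iptables -I INPUT -i {LAN_IFACE} -p udp --sport 68 --dport 67 "
                      f"-d 255.255.255.255 -j DROP",
    "udp-1026-probe": f"iptables -I INPUT -i {WAN_IFACE} -p udp --dport 1026 -j DROP",
}


def filter_log(text: str) -> Tuple[List[str], Dict[str, int]]:
    """Return (lines still worth logging, {noise class: suppressed count})."""
    kept: List[str] = []
    suppressed: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        category = noise_category(parse_netfilter_log(line))
        if category is None:
            kept.append(line)
        else:
            suppressed[category] = suppressed.get(category, 0) + 1
    return kept, suppressed


if __name__ == "__main__":
    kept_lines, counts = filter_log(SAMPLE_LOG)
    for category, n in counts.items():
        print(f"suppressed {n} x {category}; rule: {NOISE_RULES[category]}")
    for line in kept_lines:
        print("still logged:", line)
```

Run against the three sample lines it suppresses one DHCP broadcast and one UDP/1026 probe and keeps only the SYN to port 22. The same predicates the classifier applies are what the two iptables rules express, so the script doubles as a way to check, against a day's worth of syslog, how much of the noise a proposed rule would actually remove before changing the firewall.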
