From: Daniela
To: questions@freebsd.org
Date: Thu, 28 Oct 2004 21:13:34 +0000
Subject: Strange file appeared in my home directory
Message-Id: <200410282113.34529.dgw@liwest.at>

I noticed a file called "regs" in my home directory (which is 21 megs in size) and I have no clue where it comes from. The file format is not recognized by any of the common tools. The creation date was about four days ago, so if I created it, I would have remembered.

I looked at the file with the hex editor and it seems to consist of lots of four-byte values which look like addresses on the stack of an application.

About half an hour before the creation date there were numerous failed login attempts on the SSH port (all from the same IP), but my logs didn't show any signs of an intrusion. However, I suspect that I've been hacked.
There was another strange occurrence: yesterday my internet connection went down without a particular reason. I tested a few other configurations and rebooted multiple times, and after the fifth reboot (with the usual settings restored) it suddenly worked again.

There seem to be no unusual processes running, but when I'm hacked, I can't trust the tools on my system any more. Also there were quite a few crashes.

Has anyone seen this file too? In case anyone wants to know, the offending IP was 200.84.78.83.

Regards,
Daniela
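The post's hypothesis that "regs" is a dump of stack addresses can be checked without trusting the tools on the possibly compromised host: copy the file off the box and inspect the word distribution elsewhere. The script below is an added example, not part of the original thread; it assumes the file is a flat sequence of 32-bit words (little-endian on i386, selectable) and uses the heuristic that addresses drawn from one process stack share the same high byte, whereas arbitrary binary data does not.

```python
import struct
import sys
from collections import Counter


def summarize_words(data: bytes, endian: str = "<", top: int = 5) -> dict:
    """Interpret `data` as 32-bit words and summarise how address-like they are.

    Returns the word count, the number of distinct words, the most common
    16-bit high halves (as hex strings with counts), the dominant high byte,
    and the fraction of words that share that dominant high byte.  Values on
    one process stack all fall in a narrow range, so that fraction is near 1.
    """
    n = len(data) // 4  # ignore a trailing partial word
    words = struct.unpack(f"{endian}{n}I", data[: n * 4]) if n else ()
    high_halves = Counter(w >> 16 for w in words)
    high_bytes = Counter(w >> 24 for w in words)
    top_byte, top_count = high_bytes.most_common(1)[0] if words else (None, 0)
    return {
        "words": n,
        "distinct": len(set(words)),
        "top_prefixes": [(f"0x{h:04x}", c) for h, c in high_halves.most_common(top)],
        "dominant_high_byte": None if top_byte is None else f"0x{top_byte:02x}",
        "dominant_fraction": top_count / n if n else 0.0,
    }


def looks_like_address_dump(data: bytes, endian: str = "<", threshold: float = 0.9) -> bool:
    """Heuristic: True when nearly all words share one high byte (assumed stack-like)."""
    s = summarize_words(data, endian)
    return s["words"] > 0 and s["dominant_fraction"] >= threshold


# Constructed sample (not from the post): 1000 consecutive 4-byte slots
# walking down from 0xbfbff000, the shape a raw stack-address dump would have.
CONSTRUCTED_SAMPLE = b"".join(struct.pack("<I", 0xBFBFF000 - 4 * i) for i in range(1000))


if __name__ == "__main__":
    # Usage: python triage_regs.py /path/to/copied/regs [">" for big-endian]
    path = sys.argv[1] if len(sys.argv) > 1 else "regs"
    endian = sys.argv[2] if len(sys.argv) > 2 else "<"
    with open(path, "rb") as fh:
        blob = fh.read()
    for key, value in summarize_words(blob, endian).items():
        print(f"{key}: {value}")
    print("address-dump-like:", looks_like_address_dump(blob, endian))
```

Run it on a copy of the file taken with a known-good binary; a low dominant fraction means the "stack addresses" reading is wrong and the file needs a different explanation.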