From owner-freebsd-questions@FreeBSD.ORG  Thu Oct 28 19:35:46 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 80E7016A4E3
	for <questions@freebsd.org>; Thu, 28 Oct 2004 19:35:46 +0000 (GMT)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20])
	by mx1.FreeBSD.org (Postfix) with SMTP id 9DB2C43D31
	for <questions@freebsd.org>; Thu, 28 Oct 2004 19:35:45 +0000 (GMT)
	(envelope-from krylon@gmx.net)
Received: (qmail 7605 invoked by uid 65534); 28 Oct 2004 19:35:44 -0000
Received: from i53875882.versanet.de (EHLO [192.168.0.13]) (83.135.88.130)
  by mail.gmx.net (mp010) with SMTP; 28 Oct 2004 21:35:44 +0200
X-Authenticated: #685629
Message-ID: <41814A0F.7050909@gmx.net>
Date: Thu, 28 Oct 2004 21:35:43 +0200
From: Benjamin Walkenhorst <krylon@gmx.net>
User-Agent: Mozilla Thunderbird 0.7.3 (X11/20041025)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: dgw@liwest.at
References: <200410282113.34529.dgw@liwest.at>
In-Reply-To: <200410282113.34529.dgw@liwest.at>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: questions@freebsd.org
Subject: Re: Strange file appeared in my home directory
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Oct 2004 19:35:46 -0000

Hello,

Daniela wrote:

>I noticed a file called "regs" in my home directory (which is 21 megs in size) 
>and I have no clue where it comes from. The file format is not recognized by 
>any of the common tools. The creation date was about four days ago, so if I 
>created it, I would have remembered.
>I looked at the file with the hexeditor and it seems to consist of lots of 
>four-byte values which look like addresses on the stack of an application.
>  
>

I've never heard of such a thing happening...

>About half an hour before the creation date there were numerous failed login 
>attempts on the SSH port (all from the same IP), but my logs didn't show any 
>signs of an intrusion.
>However, I suspect that I've been hacked. 
>
Well, /if/ someone intruded your system, she/he surely would remove all 
possible evidence
(unless it's someone *really* stupid).

If your machine was compromised, I suggest, you take it offline *now* 
and inspect it
thoroughly. There is a piece of software called "The Coroner's Toolkit" 
(TCK) which I
think is made for that.
More easily, you can checksum your system files and compare them with a 
clean install.
If you have recent backups, you can use these at well.

If you are afraid a rootkit might have been installed - I don't know if 
these exist for FreeBSD,
but I wouldn't be surprised... - you should consider booting from 
trusted media and inspecting
the system, since sometimes root kits hide the intruder's files (at 
least for systems like Linux
and Solaris, but again, I don't think FreeBSD will be much different in 
that regard).

>There was another strange occurence: 
>Yesterday my internet connection went down without a particular reason.
>I tested a few other configurations and rebooted multiple times, and after the 
>fifth reboot (with the usual settings restored) it suddenly worked again.
>  
>

Mmmh. Maybe your provider just had some problem... Who knows?

>Also there were quite a few crashes.
>  
>

Unless you have a static IP, it would be quite hard for the intruder to 
get in again.
(OTOH, I don't think it would be hard to make a system send a message to 
the internet
upon connection)

Also, I suggest to look through your hardware - I had lots of crashes 
for some time, till
I replaced my power supply. Now my machine runs like a champ. =)

>In case anyone wants to know, the offending IP was 200.84.78.83.
>  
>
If it was a dial-up connection, that doesn't mean anything. Maybe it's 
also a machine that's
already compromised.


Before you start wearing a foil-hat, remember that all of the above only 
applies if your
system was indeed compromised (how I /love/ that word, it sounds so 
serious...).
It is after all still posibble that it's just... I don't know... 
something really weird. Sometimes
applications will create such things for no apparent reason (from a 
users point of view at
least). Of course, this would be unusual, but not impossible.

Still, if you have security-concerns, I suggest you take the box offline 
and examine it.
As a side-effect, this is probably very interesting.

I wish you good luck (and that your system be still intact)!

Kind regards,
Benjamin