Date:      Thu, 8 Aug 2002 22:52:57 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Darren <backdoc@crotchett.com>
Cc:        fbsd-questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: strange ls and date commands (innocent or suspicious?)
Message-ID:  <20020809035257.GB33901@dan.emsphone.com>
In-Reply-To: <055301c23f56$d3c5fb20$6401a8c0@crotchett.com>
References:  <055301c23f56$d3c5fb20$6401a8c0@crotchett.com>

In the last episode (Aug 08), Darren said:
> I came across two files "ls" and "date" in an odd place with slightly
> different permissions and different groups.  I'm running 4.6 with
> some stuff backed up from 4.4.  It seems that I copied them from my
> old box.  I don't think this box has been compromised.  Nothing other
> than port 80 and 25 have ever been open, plus I keep a close watch on
> it with aide.  It's a new install and I'm keeping it up-to-date. 
> But, I wonder if my old one was.  Do you think these filenames are
> suspicious?  Do they have logical explanations?
> 
> in /hd2/var/ftp/bin, I have:
> ---x--x--x  1 root  operator  298904 Jun 16 09:39 ls
> ---x--x--x  1 root  operator  185792 Jun 16 09:39 date
> 
> in /bin, I have:
> -r-xr-xr-x  1 root  wheel  298904 Jun 10 23:18 /bin/ls
> -r-xr-xr-x  1 root  wheel  185792 Jun 10 23:18 /bin/date
> 
> Also, I found this entry in /etc/passwd:
> ftp:*:14:5::0:0:Anonymous FTP Admin:/hd2/var/ftp:/nonexistent

That entry and the extra bin and ls are for chrooted anonymous FTP
access.  If you remove the account, you might as well rm -rf
/hd2/var/ftp as well.

-- 
	Dan Nelson
	dnelson@allantgroup.com
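
An added example, not part of the original message: matching sizes, as in the listings quoted above, do not prove the chroot copies are the stock binaries, so this sketch compares them byte for byte against the system copies and flags any that are group- or world-writable. The function name and output labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Compares every file in an anonymous-FTP chroot bin directory
# with the same-named file in the system bin directory.
# Run as root: execute-only copies (---x--x--x) cannot be read otherwise.

# check_chroot_bins CHROOT_BIN SYSTEM_BIN
# Prints per file: MATCH, DIFFERS, UNREADABLE, NO-SYSTEM-COPY, and WRITABLE
# when group or other has write permission. Returns 0 only if all is clean.
check_chroot_bins() {
    _cb=$1
    _sb=$2
    _rc=0
    for _f in "$_cb"/*; do
        [ -f "$_f" ] || continue
        _name=${_f##*/}
        if [ ! -f "$_sb/$_name" ]; then
            echo "NO-SYSTEM-COPY $_name"
            _rc=1
            continue
        fi
        # cmp exits 0 when identical, 1 when different, >1 on error
        cmp -s "$_f" "$_sb/$_name" && _st=0 || _st=$?
        case $_st in
            0) echo "MATCH $_name" ;;
            1) echo "DIFFERS $_name"; _rc=1 ;;
            *) echo "UNREADABLE $_name"; _rc=1 ;;
        esac
        # A chroot binary writable by group or other is a finding by itself
        if [ -n "$(find "$_f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $_name"
            _rc=1
        fi
    done
    return "$_rc"
}

# Usage: sh check.sh /hd2/var/ftp/bin /bin
if [ "$#" -eq 2 ]; then
    check_chroot_bins "$1" "$2"
fi
```

A DIFFERS result on a box upgraded from 4.4 to 4.6 can simply mean the chroot copy predates the upgrade, so compare against a known-good binary of the matching release before drawing conclusions.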
