Date:      Thu, 08 Aug 2002 23:57:24 -0400
From:      Brian McCann <bjm1287@ritvax.isc.rit.edu>
To:        'Darren' <backdoc@crotchett.com>, 'fbsd-questions' <freebsd-questions@freebsd.org>
Subject:   RE: strange ls and date commands (innocent or suspicious?)
Message-ID:  <000501c23f58$df4295b0$2e00a8c0@dogbert>
In-Reply-To: <055301c23f56$d3c5fb20$6401a8c0@crotchett.com>

I can't say on those files...but just based on an odd line that you
didn't put in your passwd file could (and I would take it as it does)
indicate that the box was compromised.  It's not entirely impossible for
the box to have been cracked into via your FTP server.  I'm not really
knowledgeable enough to make any reasons...but I have heard of people
hacking into servers running wu-ftp.

Hope I helped.
--Brian

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Darren
Sent: Thursday, August 08, 2002 11:43 PM
To: fbsd-questions
Subject: strange ls and date commands (innocent or suspicious?)


I came across two files "ls" and "date" in an odd place with slightly
different permissions and different groups.  I'm running 4.6 with some
stuff backed up from 4.4.  It seems that I copied them from my old box.
I don't think this box has been compromised.  Nothing other than port 80
and 25 have ever been open, plus I keep a close watch on it with aide.
It's a new install and I'm keeping it up-to-date.  But, I wonder if my
old one was.  Do you think these filenames are suspicious?  Do they have
logical explanations?

in /hd2/var/ftp/bin, I have:
---x--x--x  1 root  operator  298904 Jun 16 09:39 ls
---x--x--x  1 root  operator  185792 Jun 16 09:39 date

in /bin, I have:
-r-xr-xr-x  1 root  wheel  298904 Jun 10 23:18 /bin/ls
-r-xr-xr-x  1 root  wheel  185792 Jun 10 23:18 /bin/date

scsibox# which ls
/bin/ls
scsibox# which date
/bin/date

Also, I found this entry in /etc/passwd:
ftp:*:14:5::0:0:Anonymous FTP Admin:/hd2/var/ftp:/nonexistent

I took it out.  But, it sort of explains why I had /hd2/var/bin and
/hd2/var/etc directories.

TIA,
Darren



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
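
One way to settle the question raised in this thread, whether the copies under the FTP directory are byte-identical to the system binaries rather than merely the same size (an added example, not part of the original messages; the function name compare_copies is hypothetical):

```shell
#!/bin/sh
# Added example: compare every regular file in a suspect directory with
# the same-named file in a trusted directory, byte for byte.
# Equal sizes (as in the listings above) do not prove equal contents.
#
# Usage: compare_copies SUSPECT_DIR TRUSTED_DIR
#   e.g. compare_copies /hd2/var/ftp/bin /bin   (paths taken from the thread)
# Output: one line per file: IDENTICAL, DIFFERS or NO-COUNTERPART.
# Return: 0 if every file is IDENTICAL, 1 otherwise, 2 on bad arguments.
#
# Run as root: execute-only files (---x--x--x) are unreadable to others.
# A match only shows the copy equals the current reference file; if the
# reference host itself is in doubt, compare against install media.
compare_copies() {
    suspect_dir=$1
    trusted_dir=$2
    status=0

    # Both arguments must be existing directories.
    [ -d "$suspect_dir" ] && [ -d "$trusted_dir" ] || return 2

    for f in "$suspect_dir"/*; do
        # Skip subdirectories and an unmatched glob.
        [ -f "$f" ] || continue
        name=${f##*/}
        ref="$trusted_dir/$name"

        if [ ! -f "$ref" ]; then
            # A file with no system counterpart deserves a manual look.
            echo "NO-COUNTERPART $name"
            status=1
        elif cmp -s "$f" "$ref"; then
            echo "IDENTICAL $name"
        else
            # Same name, different bytes: inspect before trusting it.
            echo "DIFFERS $name"
            status=1
        fi
    done
    return $status
}
```
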





