Linux - Security
Just logged into my root account to install a program, and my software FOLDER has gone, and an executable file 'software' has appeared with a file size of 1778301, with full permissions. I haven't run this executable. I installed an online multiplayer game a few days ago, but that was in my limited user account, but something definitely isn't right.
Would it be 'safe' to copy this 'software' executable over to a new user account and run it, to see what happens? Or should I just get rid of it?
OK, I'm guessing it is a zipped-up version of your software folder. Hard to tell what is inside without unzipping it. Run:
[code]
bzip2 -dvk software
file software.out
[/code]
If you suspected foul play, then the last thing you should have done was to start playing around with the suspicious (and possibly malicious) file. Getting rid of it would have been a bad idea too, as it's valuable evidence. A better approach would have been to firewall the box and start performing a basic inspection. I'm assuming you don't have an IDS installed, but if you do, you should bust out the signatures and run a scan from a live CD once your inspection results have been recorded on separate media. Hopefully you haven't been owned (and you ascertain the origin of the file), and this will be no more than a wake-up call.
I also did last, but there were a lot of logins that day as root and normal user which I remember doing, so I can't really tell.
At least nothing is out of the ordinary. So hopefully no one was able to get in.
You can also view the root history file to see all the commands that were recently run.
more /root/.bash_history
ls -l of the suspect file will tell you the time & date it was created. That could also be a big clue.
win32sux, I'm not really very experienced with security at the moment unfortunately, but something has definitely happened, and it's since I played the online game.
I'll check on that, DotHQ.
*EDIT* I can't see anything suspicious in the root .bash_profile.
The 'software' file seems to have been created today, March 19 at 16:51, which if I remember was around the time I logged in.
win32sux, the commands I had jukebox55 run didn't do anything to the suspected file. It should still be there in an unaltered state. And, at this point I'm pretty sure it is NOT a case of hacking (cracking).
Here is what I suspect happened. A tar of the software directory was created by some command that involved tar being piped to bzip2 but wasn't formatted in the proper way which resulted in the software directory being removed and this tarball created.
If you run the command:
Code:
mv software.out software.tar
tar -tvf software.tar
I would bet you will see the former contents of your software directory being listed.
Were you playing around with bzip2 or tar sometime today?
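A non-destructive version of the inspection win32sux and forrestt describe (record ownership, mode and a hash, check the magic bytes, and list an archive's contents without executing or altering the file), written as an added example that is not from the thread. It builds its own constructed stand-in for the 'software' file so it runs offline, and assumes GNU coreutils, bzip2 and tar are installed.

```shell
#!/bin/sh
# Added example: triage of an unexpected file that appeared where a folder
# used to be. Never executes the file and never overwrites it.
set -eu

# Constructed stand-in for the suspect file: a bzip2-compressed tar of a small
# directory, chmod 777 like the file in the thread. Prints its path.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/software_dir/prog"
    echo 'hello' > "$dir/software_dir/prog/readme.txt"
    ( cd "$dir" && tar -cf - software_dir | bzip2 > software )
    chmod 777 "$dir/software"
    echo "$dir/software"
}

# Classify a file by its first bytes: bzip2 ("BZh"), gzip (1f 8b),
# ELF (7f 45 4c 46) or unknown. Reads only four bytes, runs nothing.
classify() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        425a68*)  echo bzip2 ;;
        1f8b*)    echo gzip ;;
        7f454c46) echo elf ;;
        *)        echo unknown ;;
    esac
}

# Record metadata (owner, mode, size, mtime as in the thread's ls -l advice)
# and a hash first, then peek at the contents without touching the original.
triage() {
    f=$1
    ls -l "$f"
    sha256sum "$f" 2>/dev/null || shasum -a 256 "$f"
    kind=$(classify "$f")
    echo "magic: $kind"
    if [ "$kind" = bzip2 ]; then
        # bzip2 -dc streams to stdout and leaves the file on disk unchanged;
        # tar -t lists members without extracting anything.
        bzip2 -dc "$f" | tar -tvf -
    fi
}

triage "$(make_sample)"
```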
forrestt, you're right. I think what happened was I had a new program in bzip format I wanted to install, but it was on my pendrive, so I logged into the root account, mounted the drive, then tried to mv the file into the root/software folder, but something must have happened.
When I did 'tar -tvf software.tar' it was indeed the name of the program that was on the pendrive.
I feel a bit dumb now lol. Thankfully it wasn't something bad; although I've lost the 'software' folder and its contents, it doesn't matter too much.
This has taught me to start building my programs as a normal user in a safe user folder using su!
Thanks forrestt, DotHQ, and win32sux. Nice to know you people are around if/WHEN noobs like me screw things up.
If at some point you ran "cp /pendrive/filename.tar.bz2 /root/software" and it created a file called software in /root, then you already lost your software folder BEFORE that command was run.
You'll have to think back and determine if you had removed your software directory (or moved it somewhere else).
I'm pretty sure I didn't move the software directory. And you know what's funny, I remember glancing at the fortune message you get on login and it said something like "we came, we conquered, we deleted your files", so I don't know what to think.