LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-13-2012, 06:45 PM   #1
leftism
LQ Newbie
 
Registered: Nov 2012
Posts: 7
Maybe my server has been hacked?


Hello. I would like some help from you guys.

I'm not sure, but I'm thinking my server got hacked.
I run tripwire and since the other day these files have been added to /usr/local/bin

Added:
"/usr/local/bin/stkuAhHc"
"/usr/local/bin/stVaBKYt"
"/usr/local/bin/stwF8FO4"

I looked at them and they were empty, and didn't have the execute flag.

Do you think these came from a hacker?
Old 11-13-2012, 07:01 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,685
Blog Entries: 54
Can you run 'stat' on each of the files and post the exact output here?
Old 11-14-2012, 03:39 AM   #3
leftism
LQ Newbie
 
Registered: Nov 2012
Posts: 7

Original Poster
The other admin already deleted the files.

But I found a file in the source dir of nmap 6.01. I compiled it from source and did a checkinstall, and then later installed it via dpkg.

But when I looked now there is a package there,
backup-111120121054-pre-nmap.tgz, which contains these three files.
Here is the stat output for them

stat stVaBKYt
File: `stVaBKYt'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 2fh/47d Inode: 80347292 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 50/ staff)
Access: 1970-01-01 01:00:00.000000000 +0100
Modify: 2012-11-11 10:54:14.000000000 +0100
Change: 2012-11-14 10:38:30.556682820 +0100


File: `stkuAhHc'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 2fh/47d Inode: 80347291 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 50/ staff)
Access: 1970-01-01 01:00:00.000000000 +0100
Modify: 2012-11-11 10:54:14.000000000 +0100
Change: 2012-11-14 10:38:30.555680817 +0100


File: `stwF8FO4'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 2fh/47d Inode: 80347293 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 50/ staff)
Access: 1970-01-01 01:00:00.000000000 +0100
Modify: 2012-11-11 10:54:11.000000000 +0100
Change: 2012-11-14 10:38:30.556682820 +0100

I can't find any other sign of intrusion, I've looked in all of the logfiles...

Update: I ran checkinstall in the nmap source directory and it created those files again. So it was nmap that created the files, why I don't know

Last edited by leftism; 11-14-2012 at 05:17 AM.
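The triage the thread walks through by hand (empty file, epoch access time, inode changed days after the last write, mkstemp-style name) can be scripted so the same checks run over every record tripwire flags. The block below is an added example, not code from the thread or from tripwire, nmap or checkinstall; it parses the default GNU coreutils stat(1) layout exactly as posted above (the three records are copied from the post as sample input), and the heuristics in triage() and looks_random() are the author's own constructed rules, not a tool's output.

```python
"""Parse GNU stat(1) output and flag file attributes worth a second look.

Added example (not from the thread): reads the stat records posted above and
reports the properties a defender checks before deciding whether an
unexpected file is a build-tool artifact or a sign of compromise.
"""
import re
from datetime import datetime, timedelta

# Sample input: the three stat records copied from the post above.
SAMPLE_STAT_OUTPUT = """\
File: `stVaBKYt'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 2fh/47d Inode: 80347292 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 50/ staff)
Access: 1970-01-01 01:00:00.000000000 +0100
Modify: 2012-11-11 10:54:14.000000000 +0100
Change: 2012-11-14 10:38:30.556682820 +0100

File: `stkuAhHc'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 2fh/47d Inode: 80347291 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 50/ staff)
Access: 1970-01-01 01:00:00.000000000 +0100
Modify: 2012-11-11 10:54:14.000000000 +0100
Change: 2012-11-14 10:38:30.555680817 +0100

File: `stwF8FO4'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 2fh/47d Inode: 80347293 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 50/ staff)
Access: 1970-01-01 01:00:00.000000000 +0100
Modify: 2012-11-11 10:54:11.000000000 +0100
Change: 2012-11-14 10:38:30.556682820 +0100
"""

FILE_RE = re.compile(r"File:\s*[`'](.+?)'")
SIZE_RE = re.compile(r"Size:\s*(\d+)")
INODE_RE = re.compile(r"Inode:\s*(\d+)")
MODE_RE = re.compile(
    r"Access:\s*\((\d{4})/(\S+)\)\s*Uid:\s*\(\s*(\d+)/\s*(\w+)\)\s*Gid:\s*\(\s*(\d+)/\s*(\w+)\)"
)
TIME_RE = re.compile(r"(Access|Modify|Change):\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ ([+-]\d{4})")
TIME_KEYS = {"Access": "atime", "Modify": "mtime", "Change": "ctime"}


def parse_stat(text):
    """Split stat output into one dict per 'File:' record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            cur = {"name": m.group(1)}
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("Size:"):
            cur["size"] = int(SIZE_RE.search(line).group(1))
            tail = line.split("IO Block:", 1)[1].split(None, 1)
            cur["kind"] = tail[1] if len(tail) > 1 else ""   # e.g. "regular empty file"
        elif line.startswith("Device:"):
            cur["inode"] = int(INODE_RE.search(line).group(1))
        elif line.startswith("Access: ("):                    # permission line, not the atime line
            m = MODE_RE.match(line)
            cur.update(mode=m.group(1), perms=m.group(2), uid=int(m.group(3)),
                       user=m.group(4), gid=int(m.group(5)), group=m.group(6))
        else:
            m = TIME_RE.match(line)
            if m:
                cur[TIME_KEYS[m.group(1)]] = datetime.strptime(
                    m.group(2) + m.group(3), "%Y-%m-%d %H:%M:%S%z")
    return records


def looks_random(name):
    """Constructed heuristic for mkstemp-style names: case flips or digits, no separators."""
    if any(sep in name for sep in ".-_"):
        return False
    letters = [c for c in name if c.isalpha()]
    case_flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    has_digit = any(c.isdigit() for c in name)
    return case_flips >= 3 or (has_digit and case_flips >= 1)


def triage(rec):
    """Return human-readable findings for one parsed stat record."""
    findings = []
    if rec.get("size") == 0:
        findings.append("empty file")
    if rec["atime"].year == 1970:
        # Epoch atime: the access time was never set or was zeroed; a file
        # that is actually read or executed would carry a recent atime.
        findings.append("atime is the Unix epoch")
    gap = rec["ctime"] - rec["mtime"]
    if gap > timedelta(days=1):
        # tar and cp -p preserve mtime but the kernel sets ctime at creation,
        # so a multi-day gap points at a later copy or archive extraction.
        findings.append(f"inode changed {gap.days} day(s) after last content write")
    if rec["uid"] == 0 and rec["mode"] == "0600":
        findings.append("root-only, not executable (mode 0600)")
    if looks_random(rec["name"]):
        findings.append("random-looking name (mkstemp-style)")
    return findings


def report(text):
    """Map each file name in the stat output to its findings."""
    return {rec["name"]: triage(rec) for rec in parse_stat(text)}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_STAT_OUTPUT).items():
        print(f"{name}: {'; '.join(findings) or 'nothing notable'}")
```

Running it on the posted records yields the same picture the thread reached: all three are empty, root-owned 0600 files with mkstemp-style names whose mtime (11 Nov, the build) precedes their ctime (14 Nov, the extraction from the backup tarball) by two days. None of that proves or disproves an intrusion on its own; the script's job is to surface the attributes quickly so the remaining question, which process wrote them, can be answered by re-running the suspected tool as the poster did.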
Old 11-14-2012, 09:33 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124
Quote:
I ran checkinstall in the nmap source directory and it created those files again. So it was nmap that created the files, why I don't know
Just a suggestion, look in the configuration file and see if there is some sort of option along the lines of where to put temporary files. I would be guessing here, but it looks like it may be placing temp files in the location from which the program is executed.

All times are GMT -5.