A bit of weirdness showed up on one of my machines, and I'm hoping that someone out there might have some insights:
Two days ago I was upgrading a machine from Fedora Core 2 to Fedora Core 4. Things went more or less well until today when I noticed a directory, /root/_files, that I didn't put there... It contains thirty files, all but one of which look like this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /wp-images/smilies/icon_smile.gif was not found on this server.</p>
<hr>
<address>Apache/2.0.53 (Fedora) Server at
www.ro0t.com Port 80</address>
</body></html>
(this one is named "icon_smile" in the directory). Some of the files describe the requested URL as being, e.g., /~jasonw/images/birthday.gif; "jasonw" means nothing to me. The one file that's not like this is a saved webpage from io2technology.com, which probably has nothing to do with anything. Googling the file names reveals that many refer to rather uninteresting bits of porn; together, the files look like a typical script kiddie collection. Ick. (But note that the files themselves aren't there; just these 404-type pages.)
So, now the question becomes where these came from. Possibly-relevant bits of information include:
* The files in question all have ownership of root/root.
* My concern about Lupper comes from the fact that I did have awstats 6.1 on the machine (yes, shame on me; it has since been updated). However, the awstats.pl file had been behind an Apache authorization, so random attempts by a Lupper worm to access awstats should fail.
* In fact, while there are lots of entries in my server log files showing >>attempts<< to get in with Lupper (URLs with attempts to cd into /tmp and so on), none of them returned anything other than 404 or 401.
* I don't have WordPress or any of the other problematic Lupper-related applications on this machine.
* There's no evidence of the usual telltale signs of Lupper -- nothing inappropriate in /tmp.
* The timestamp on all the files is Nov 15 at 12:41, which was just about the time that I was doing the upgrade. Perhaps somebody slipped in during an incomplete part of the update?
* There are no unexpected entries in /etc/passwd or /etc/shadow.
I have since locked up ports 7111 and 7222 with iptables, but I'm still a little creeped out. Aside from keeping a close eye on this, does anyone have any recommendations for what to do here?
Thanks,
Jim Miller
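The two checks the post walks through by hand, reading the saved 404 pages to see what was being fetched and from where, and confirming that the awstats probes in the access log never got anything but 401 or 404, as an added Python example; this is not code from the original post. The sample 404 page is the one quoted above. The access-log lines are constructed (documentation IP ranges, the awstats query string redacted down to the shape the post describes: a pipe and "cd /tmp"), and the indicator pattern is an assumption drawn from that description, not a published Lupper signature.

```python
"""Added triage helpers (not from the original post): parse saved Apache 404
pages and check access-log lines for awstats probes that actually succeeded."""
import re
from collections import Counter
from html import unescape
from urllib.parse import unquote

# Sample saved page, copied from the one quoted in the post.
SAMPLE_404 = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /wp-images/smilies/icon_smile.gif was not found on this server.</p>
<hr>
<address>Apache/2.0.53 (Fedora) Server at
www.ro0t.com Port 80</address>
</body></html>
"""

# Constructed access-log lines (Apache combined format). Addresses come from
# the documentation ranges; the awstats query string is redacted, keeping only
# the shape the post describes (pipe, "cd /tmp", semicolon).
SAMPLE_LOG = """\
203.0.113.9 - - [15/Nov/2005:12:39:51 -0500] "GET /awstats/awstats.pl?configdir=%7Ccd%20%2Ftmp%3BREDACTED%7C HTTP/1.1" 401 401 "-" "Mozilla/4.0"
203.0.113.9 - - [15/Nov/2005:12:39:52 -0500] "GET /cgi-bin/awstats.pl?configdir=%7Ccd%20%2Ftmp%3BREDACTED%7C HTTP/1.1" 404 291 "-" "Mozilla/4.0"
198.51.100.4 - - [15/Nov/2005:12:40:10 -0500] "GET /index.html HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Nov/2005:12:41:02 -0500] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0"
"""

_URL_RE = re.compile(r"The requested URL (\S+) was not found on this server\.")
_ADDR_RE = re.compile(r"<address>(.*?)</address>", re.S)
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed indicator: an awstats.pl request whose query string carries shell
# metacharacters, or any request that mentions /tmp.
_SUSPICIOUS = re.compile(r"awstats\.pl\?.*[|;`]|/tmp", re.I)


def parse_apache_404(page: str) -> dict:
    """Pull the requested URL and the answering server out of an Apache 2.0 404 page."""
    info = {"url": None, "server": None, "host": None, "port": None}
    m = _URL_RE.search(page)
    if m:
        info["url"] = unescape(m.group(1))
    m = _ADDR_RE.search(page)
    if m:
        # The <address> text wraps across a line break in the saved file.
        text = " ".join(m.group(1).split())
        a = re.match(r"(.*?) Server at (\S+) Port (\d+)", text)
        if a:
            info["server"], info["host"] = a.group(1), a.group(2)
            info["port"] = int(a.group(3))
    return info


def triage_log(lines):
    """Return the parsed requests whose decoded target matches the indicator."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m.group("target"))  # decode %7C, %20, ... before matching
        if _SUSPICIOUS.search(target):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": target, "status": int(m.group("status"))})
    return hits


def status_summary(hits) -> Counter:
    """How the server answered each flagged probe; anything outside 401/404 needs a look."""
    return Counter(h["status"] for h in hits)


def successful_hits(hits):
    """Flagged probes that got a 2xx, i.e. the ones that may actually have run."""
    return [h for h in hits if 200 <= h["status"] < 300]


if __name__ == "__main__":
    print(parse_apache_404(SAMPLE_404))
    found = triage_log(SAMPLE_LOG.splitlines())
    print(status_summary(found), "succeeded:", successful_hits(found))
```

Run against the real /root/_files directory and access_log, the first function gives the list of hosts and paths the downloader was chasing, and the other two turn the post's "none of them returned anything other than 404 or 401" into a checked statement: an empty `successful_hits` list is the result you want to see, and any 2xx in the summary is the request to pull apart first.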