Linux - Security forum, LinuxQuestions.org
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I just discovered a file in my root folder called evesdrop.pl. It's pretty scary. I don't know perl, and I don't have a clue what this thing does, but it has world execute permission. It was created 10/2002, and I'm just now discovering it because I haven't had to login as root much at all, and when I do, I don't check my directory.
Here is what evesdrop.pl does:
Code:
#!/usr/local/bin/perl
# Everything printed below goes through "cat -v", so control bytes and
# 8-bit bytes show up as ^X / M-x instead of being written raw to the tty.
open (OUTPUT, "|cat -v");
select(OUTPUT);
$| = 1;                         # unbuffered output
while (<>) {                    # read stdin or the files named on the command line
    if (/^\s/) {
        # Indented line: treat it as pairs of hex digits. Drop the newline
        # and all other whitespace, then emit each pair as one raw byte.
        chop;
        s/\s//g;
        while ($_) {
            ($hex, $_) = /^(..)(.*)$/;
            $byte = hex($hex);
            print pack("c", $byte);
        }
    } else {
        # Any other line is a header: print it after two blank lines.
        print "\n\n";
        print;
    }
}
What could this file do? I'm the only one that uses this machine, and the only other users on the LAN are my roommates (whom I trust- and they don't have accounts). I'm figuring this is an outside attack. Any ideas?
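To make the posted script's behaviour concrete, here is an added example (mine, not code from the thread or from whoever wrote evesdrop.pl): a Python rendering of its decoding loop, run over a constructed input in the layout the script expects, an unindented header line followed by whitespace-indented lines of hex byte pairs. That layout is what the code parses; that it resembles the hex-dump output of a packet sniffer is an inference from the code, not something the post states. The cat_v function reproduces what the "cat -v" pipe does to the decoded bytes, and the odd-digit edge case is mirrored because the Perl quietly emits a NUL byte there.

```python
import re

# Constructed sample input in the layout the script expects: one unindented
# header line, then whitespace-indented lines of hex byte pairs. Made up for
# this example; it is not output captured from any real tool.
SAMPLE = (
    "10.0.0.5.1234 > 10.0.0.9.23: P 1:6(5) ack 1\n"
    "\t4500 0028\n"
    "\t5553 4552 0a\n"
)


def _perl_hex(s):
    """Perl's hex(): parse the leading hex digits, 0 if there are none."""
    m = re.match(r"[0-9a-fA-F]*", s)
    return int(m.group(0), 16) if m.group(0) else 0


def decode_dump(text):
    """Mirror the script's main loop and return the bytes it would write
    into the 'cat -v' pipe."""
    out = bytearray()
    for line in text.splitlines(keepends=True):
        # /^\s/ is tested with the newline still on $_, so a blank line
        # counts as an (empty) hex line, not as a header.
        if re.match(r"\s", line):
            # chop drops the last character (the newline, normally), then
            # s/\s//g removes any remaining whitespace.
            hexstr = re.sub(r"\s", "", line[:-1])
            # while ($_): Perl treats "" and "0" as false, so a lone
            # trailing "0" ends the loop, but any other odd trailing digit
            # fails /^(..)(.*)$/, leaves $hex undef, and hex(undef) is 0,
            # so the script emits a NUL byte and then stops.
            while hexstr and hexstr != "0":
                if len(hexstr) >= 2:
                    out.append(_perl_hex(hexstr[:2]))
                    hexstr = hexstr[2:]
                else:
                    out.append(0)
                    break
        else:
            # Non-indented line: two blank lines, then the line itself.
            out += b"\n\n" + line.encode()
    return bytes(out)


def cat_v(data):
    """What 'cat -v' makes of those bytes: control bytes as ^X, DEL as ^?,
    bytes >= 0x80 prefixed with M-; tab and newline pass through."""
    pieces = []
    for c in data:
        if c >= 128:
            pieces.append("M-")
            c -= 128
            if c < 32:
                pieces.append("^" + chr(c + 64))
                continue
        if c == 127:
            pieces.append("^?")
        elif c < 32 and c not in (9, 10):
            pieces.append("^" + chr(c + 64))
        else:
            pieces.append(chr(c))
    return "".join(pieces)


if __name__ == "__main__":
    print(cat_v(decode_dump(SAMPLE)))
```

On the sample above the header line is echoed after two blank lines and the two indented lines become the raw bytes 45 00 00 28 55 53 45 52 0a, which "cat -v" renders as `E^@^@(USER` followed by a newline: in other words, the script turns a hex dump back into the bytes it describes and makes the printable ones readable.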
...I don't know what it does, but I would check your distribution & see if it is a legitimate 'program'. Failing that, could you not do a clean re-install? If your system security has been compromised you never know what other nasty surprises might be hidden away in there...
What could this file do?
What this Perl script does is output the contents from an input file and if it encounters a line starting with "\s" it'll print the line to stdout and strip the chars, else it will print two EOLs to stdout. As "standalone app" I can see no harm in the script, but I can't offer any guess either whether it being there is proof of suspicious activity, outright compromise or not.
I agree with Neilcpp: you should check your distro's packages to find this file as a legitimate part of some app; if not, zip it up and see what happens. If you had configured and used any filesystem integrity scanner (AIDE, Samhain, Tripwire etc etc) you would have been alerted to this kind of file appearing and could have investigated it right away.
I disagree with Neilcpp that this isolated anomaly is grounds enough to warrant a reinstall, but you should comb over your systems, pinpoint any anomalies wrt unusual system behaviour or missing/appearing files. If you have suspicions, use your distro's rescue disk/CD, tomsrtbt, Knoppix or whatever instead of booting the suspected system, and run Chkrootkit(.org) in any case.
Be sure to post any anomalies (you think could be related) so we can help you in verifying the integrity of your systems.
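The replies above suggest checking whether the file belongs to a package and then combing the system for related anomalies. As an added example (not from the thread), the following Python collects that first pass for one file: ownership and mode bits, a dpkg or rpm ownership query, and a search of cron, rc and shell-history locations for references to the file name. The HOOK_LOCATIONS list and the scratch tree built by demo() are my assumptions about a typical Linux host, not facts from the thread; triage() is what you would point at the real path, and the package answer is only as trustworthy as the package database on the host you run it on.

```python
import os
import pwd
import stat
import subprocess
import tempfile

# Places a dropped script is commonly hooked in to run again. A reasonable
# default list for a Linux host, not something the thread enumerates.
HOOK_LOCATIONS = [
    "/etc/crontab", "/etc/cron.d", "/etc/cron.daily", "/etc/rc.local",
    "/etc/init.d", "/var/spool/cron", "/root/.bash_history",
]


def file_facts(path):
    """Ownership, mode bits and timestamps of path (lstat: do not follow links)."""
    st = os.lstat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)        # a uid with no passwd entry is itself a finding
    return {
        "owner": owner,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "world_exec": bool(st.st_mode & stat.S_IXOTH),
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "mtime": st.st_mtime,         # trivially back-dated with touch
        "ctime": st.st_ctime,         # inode change time; not settable from userland
    }


def package_owner(path):
    """Ask the package manager who owns path.
    Returns ("owned", "<package line>"), ("unowned", "") or ("unknown", "")
    when neither dpkg nor rpm is installed."""
    for cmd in (["dpkg", "-S", path], ["rpm", "-qf", path]):
        try:
            r = subprocess.run(cmd, capture_output=True, text=True)
        except FileNotFoundError:
            continue                  # this package manager is not installed
        if r.returncode == 0:
            return ("owned", r.stdout.strip())
        return ("unowned", "")        # the manager ran and does not know the file
    return ("unknown", "")


def find_references(name, locations=HOOK_LOCATIONS):
    """Return the files under locations whose contents mention name."""
    needle = name.encode()
    hits = []
    for loc in locations:
        if os.path.isfile(loc):
            candidates = [loc]
        elif os.path.isdir(loc):
            candidates = [os.path.join(d, f) for d, _, fs in os.walk(loc) for f in fs]
        else:
            continue
        for f in candidates:
            try:
                with open(f, "rb") as fh:
                    if needle in fh.read():
                        hits.append(f)
            except OSError:
                pass                  # unreadable or vanished; skip
    return hits


def triage(path, locations=HOOK_LOCATIONS):
    """Collect all of the above for one suspicious file."""
    return {
        "facts": file_facts(path),
        "package": package_owner(path),
        "references": find_references(os.path.basename(path), locations),
    }


def demo():
    """Run triage against a constructed scratch tree instead of a live host:
    a world-executable evesdrop.pl plus a cron fragment that calls it."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "evesdrop.pl")
    with open(target, "w") as fh:
        fh.write("#!/usr/local/bin/perl\n")
    os.chmod(target, 0o705)
    cron_d = os.path.join(root, "cron.d")
    os.mkdir(cron_d)
    with open(os.path.join(cron_d, "sniff"), "w") as fh:
        fh.write("0 3 * * * root /root/evesdrop.pl\n")
    rc_local = os.path.join(root, "rc.local")
    with open(rc_local, "w") as fh:
        fh.write("exit 0\n")
    return triage(target, [cron_d, rc_local])


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

A file that no package claims, that is world-executable under /root, and that is named from a cron entry is a much stronger signal than the file on its own; a file that dpkg or rpm attributes to a package, with a ctime that matches the package's install, is most likely the "legitimate program" Neilcpp had in mind.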