LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-24-2003, 07:45 PM   #1
jgombos
Member
 
Registered: Jul 2003
Posts: 256

Rep: Reputation: 32
Discovered 'evesdrop.pl' in my root folder!


I just discovered a file in my root folder called evesdrop.pl. It's pretty scary. I don't know perl, and I don't have a clue what this thing does, but it has world execute permission. It was created 10/2002, and I'm just now discovering it because I haven't had to login as root much at all, and when I do, I don't check my directory.

Here is what evesdrop.pl does:
Code:
#!/usr/local/bin/perl
 
open (OUTPUT, "|cat -v");
select(OUTPUT);
$| = 1;
 
while (<>) {
  if (/^\s/) {
    chop;
    s/\s//g;
    while ($_) {
      ($hex, $_) = /^(..)(.*)$/;
      $byte = hex($hex);
      print pack("c", $byte);
    }
  } else {
    print "\n\n";
    print;
  }
}
What could this file do? I'm the only one that uses this machine, and the only other users on the LAN are my roommates (whom I trust- and they don't have accounts). I'm figuring this is an outside attack. Any ideas?

Last edited by jgombos; 08-24-2003 at 07:49 PM.
 
Old 09-02-2003, 08:46 PM   #2
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Jessie, FreeBSD 10.1 anything *nix to get my fix
Posts: 329

Rep: Reputation: Disabled
...I dont know what it does, but i would check your disribution & see if it is a legitimate 'program'. Failing that, could you not do a clean re-install? If your system security has been compromised you never know what other nasty surprises might be hidden away in there...
 
Old 09-03-2003, 03:49 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
What could this file do?
What this Perl script does is output the contents from an input file and if it encounters a line starting with "\s" it'll print the line to stdout and strip the chars, else it will print two EOL's to stdout. As "standalone app" I can see no harm in the script, but I can't offer any guess either whether it being there is proof of suspicious activity, outright compromise or not.

I agree with Neilcpp you should check your distro's packages to find this file as a legitimate part of some app, if not zip it up and see what happens. If you had configured and used any filesystem integrity scanner (Aide, Samhain, tripwire etc etc) you would have been alerted to this kind of files appearing and could have investigated it right away.

I disagree with Neilcpp this isolated anomaly is grounds enough to warrant a reinstall, but you should comb over your systems, pinpoint any anomalies wrt unusual system behaviour or missing/appearing files. If you have suspicions, use your distro's rescue disk/cd, tomsrtbt, knoppix or whatever instead of booting the suspected system, and run Chkrootkit(.org) in any case.

Be sure to post any anomalies (you think could be related) so we can help you in verifying the integrity of your systems.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
hostname and root folder charnel Programming 1 07-24-2005 02:54 PM
permissions difference between /home/..../folder and /root/folder darkleaf Linux - General 3 07-21-2005 06:23 PM
repermissioned root folder incorrectly DutchBoy Linux - Software 1 08-29-2004 12:44 PM
Root Folder Shortcut Shoal Linux - Newbie 6 08-11-2004 01:02 PM
how to i create a folder under root? santasballz Linux - Newbie 3 02-27-2004 07:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:50 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration