LinuxQuestions.org
Old 08-30-2005, 11:16 AM   #1
debian_luva
LQ Newbie
 
Registered: Aug 2005
Location: Hotter-than-hell, TX, USA baby
Distribution: debian sid most of the time-sometimes i slack, occasionally i wear a fedora
Posts: 25

Rep: Reputation: 15
who is ANONYMOUS and why does he have a /home


/begin part 1
*warning*long-winded post..trying to provide background

my background:
windows refugee, currently 8 months without turning on the windows box for anything at home...it has become a paperweight. (yea!...debian, yea!...linux)
i used legit winders software, so i am trying to kick that expensive habit at home. there are very few things left for me to figure out...except linux security.

the desktop box:
p2-400, 198m ram, 30 g hd, 2 opticals...quieter and cooler than my amd+3200 or p4-2.4. debian unstable...like myself...upgrades applied daily.

the network:
static ip behind a smoothwall 2 firewall box (with all updates applied) on a dsl line. also running a web/ftp server (debian, testing) on a separate box in the protected dmz provided by the smoothy. i port forward incoming 22 to oblivion at the firewall, 80 20 and 21 to the webserver. all unsolicited incoming connection requests are supposed to be dropped at the firewall, except those explicitly forwarded to my box. i have samba/swat installed and configured in case one of my windows people needs a file...not that they would even know how to access the share.

the surfing habits:
distrowatch.com---self-admitted distro-junkie, web, email.
i like the ladies, preferably live, naked, and in the same room as i, but that is not always possible to arrange. i bittorrent (distros) on 6881, and sometimes i amule (various) on 6881. i have tcp/udp 6881 port forwarded to my desktop box. when i amule, i run firestarter (almost religiously). i do not store user/passwords in the browsers i use, nor do i have account numbers and such in my home directory. i do use kmymoney for tracking expenses, but no references to institution/account number. i feel fairly secure behind my firewall(s)...maybe that trust is misplaced and i should still be paranoid.

/end part 1

Last edited by debian_luva; 08-30-2005 at 11:47 AM.
 
Old 08-30-2005, 11:17 AM   #2
debian_luva
Original Poster
/begin part 2

the problem:
for whatever reason, i had a file manager window open on my home dir and i went up a level. hello ANONYMOUS directory...who and how are you? funny, i do not remember creating you. this was a little surprising, but i did just have a marathon (13 day) mule session. so the new directory makes me nervous.
apt-get installed chkrootkit...negative on all results. kuser shows no ANONYMOUS user. i had to power-down and get ready for work...so that is all i had time to do this morning. i need to check creation date on the directory when i return to the house to find out when exactly it appeared.

it is a bit too late for tripwire and snort. that should have been done before i loaded the machine with personal data. i am not opposed to a backup/wipe/re-install, but that seems a very windows-like, knee-jerk response. besides, linux is so secure...i shouldn't need to worry, right? wrong!

anybody have any suggestions on what else to do/check/look for? should i be overly concerned?


thanks,
not-so-newbie

/end part 2
 
Old 08-30-2005, 11:30 AM   #3
danimalz
Member
 
Registered: Jul 2005
Location: West Coast South, USA
Distribution: debian 3.1
Posts: 267

Rep: Reputation: 36
What user owns 'ANONYMOUS'?

When was it created?

Is there anything in it?
 
Old 08-30-2005, 11:35 AM   #4
microsoft/linux
Senior Member
 
Registered: May 2004
Location: Sebec, ME, USA
Distribution: Debian Etch, Windows XP Home, FreeBSD
Posts: 1,445
Blog Entries: 9

Rep: Reputation: 48
I can't guarantee any of this, but seeing as how you said this
Quote:
running a web/ftp server
it may be that the /home/anonymous directory is for the ftp stuff. I've got ftp running on my laptop (the only computer I have at the moment) and I have a /home/ftp directory. Just a thought. It may be that whatever package you're using for ftp is the reason (I can't remember what I use, either ftpd or proftpd). Again, I can't guarantee this.
 
Old 08-30-2005, 11:45 AM   #5
debian_luva
Original Poster
ms/l

web/ftp on a separate box...invisible linux force field of goodness separating server box and my desktop box...cross communication not possible...no pinholes opened. thanks for the suggestion.
---
danimalz
ownership is something i will have to check out when i return home...thanks for suggesting it. unsure of content...i think i checked it and it was empty...i just went into panic-i've-been-rooted mode upon seeing it. i had pondered whether or not i or an upgrade process might have created it.

i will most likely boot a knoppix to check it out tonight...so that i don't make matters worse...if i was hacked.

thanks,
not-so-newbie

Last edited by debian_luva; 08-30-2005 at 11:48 AM.
 
Old 08-30-2005, 11:52 AM   #6
microsoft/linux
sorry, my misunderstanding. Yes, you're right. There would be no way for a package to put an account on a different machine through ftp.

is the user in /etc/passwd & /etc/shadow(if it's there)? have you tried logging in as this user?
 
Old 08-30-2005, 12:07 PM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Also, I've seen a user named "anonymous" often used with anonymous CVS, if you ever use that. Make sure you do an 'ls -al /home/anonymous' (or ls -al /home/ANONYMOUS if it's all caps as you typed it) to see if there are any hidden files or folders in it.

You may also wish to grep all your logfiles for "anonymous" or "ANONYMOUS".
 
Old 08-30-2005, 12:07 PM   #8
debian_luva
Original Poster
ms/l

thank you for another good suggestion. one that i will have to check out when i return home.

i am striving to become a linux guru, and i have become very conversant in installs, initial configs, and package acquisition/management...but security issues do not present themselves in a linux environment as often as a windows environment (thank god, linus, gnu, the oss, spi, the unices, and all that i am forgetting--even red hat). so in 3.5 years of trying to monkey-up a linux install, this is my first security concern, and i am not sure i have anything to be concerned about. time will tell.

any other suggestions? anyone?

thanks,
not-so-newbie
 
Old 08-30-2005, 12:16 PM   #9
debian_luva
Original Poster
matir,

i do not believe i have the cvs package installed...since i have never checked anything out of cvs, nor would i know how to do that without specific instructions.

another excellent suggestion...but i will check...thank you.

i will also do '( ls -al /home/ANONYMOUS if it's all caps as you typed it)'
case matters...i know...that is why i typed it that way

thank you.
 
Old 08-30-2005, 12:42 PM   #10
Matir
Just checking. Sometimes people type things in all caps for emphasis, which is very bad in the *nix world. (And especially since the convention on usernames and so forth is all lowers)
 
Old 08-30-2005, 12:53 PM   #11
debian_luva
Original Poster
perhaps i should refine my question to:


what newbie-friendly tools are used to check for trojans/rooting---keeping in mind that i am debian-powered and debian-empowered?

chkrootkit (debian, used it-negative for compromise)
deb-sums(?) (haven't tried it yet, have read how to use it and install it)
others?


yes, command line suggestions welcome:

ls -al /home/ANONYMOUS
grep all your logfiles for "ANONYMOUS"
top and ps -ax ---look for weirdness

the system appears to be behaving normally...i have noticed no quirks (read segfaults, or strange ls output) that would suggest that i have been rooted, just an unexplained directory...

if this was your system, how far would you take it? down to the bare-metal in a knee-jerk reaction?

i have put much faith in the smoothwall firewall distribution (and its iptables implementation) for protecting my systems (linux and winders). i guess i just need to determine how that d*** directory got there.

any further input is welcome.

Last edited by debian_luva; 08-30-2005 at 12:56 PM.
 
Old 08-30-2005, 01:06 PM   #12
Matir
At this point, I see no signs of a system compromise. A directory of unknown origin is not proof of a compromise. To me, it smells more like some software did something you're not aware of.

In addition to chkrootkit, you can check out 'rkhunter'. It's similar to chkrootkit, but also useful.
 
Old 08-30-2005, 02:23 PM   #13
debian_luva
Original Poster
kewl...and thanks again for your input, one and all.
 
Old 08-30-2005, 07:08 PM   #14
debian_luva
Original Poster
*resolved*

now that i am back in front of my pc i can execute the suggestions provided by helpful forum members.

i have found /home/ANONYMOUS belongs to nobody nogroup and the directory is empty.
no entry for ANONYMOUS in /etc/passwd or /etc/shadow, so no new user was added.
cvs is installed, i've never used it...and it wasn't upgraded today, so no reason to create a directory.
the creation time of the directory coincided with the approximate finish time of an apt-get upgrade...something i did not have time to verify this morning.

so i think i can safely assume that one of the packages i upgraded this morning created that directory. i could further speculate that the guilty package could have been one of the debian gftp 2.0.18-9 packages...judging from the list of upgraded packages in /var/log/dpkg.log.

thanks again to the helpful people "up in here". this was my first RFH (request for help) post. i appreciate not being bludgeoned by the 'RTFM' sledgehammer.

not-so-newbie
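The triage the thread converges on (who owns the directory, whether a matching account exists in passwd, a grep of the logs for the name, and matching the directory's timestamp against /var/log/dpkg.log as the resolved post does), written up as an added shell example that is not from the thread or any poster. The passwd, dpkg.log and log-directory contents below are constructed samples; every function takes file paths so the real files can be substituted.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an unexpected /home entry the
# way the posters suggest. Owner and mtime, a passwd lookup, dpkg.log actions in
# a time window, and a log search. The passwd/dpkg.log/log data are constructed.

# Owner, group and modification time of a path (GNU stat; %y is what to
# compare against dpkg.log timestamps).
describe_dir() {
    stat -c 'owner=%U group=%G mtime=%y' "$1"
}

# Succeeds if a login name has an entry in a passwd-format file ($2, default /etc/passwd).
user_exists() {
    grep -q "^$1:" "${2:-/etc/passwd}"
}

# Print dpkg.log install/upgrade/remove actions whose timestamp falls between
# $2 and $3 (inclusive), both "YYYY-MM-DD HH:MM:SS". Lines in dpkg.log are
# "date time action package [versions]", so plain string comparison orders them.
packages_in_window() {
    awk -v lo="$2" -v hi="$3" '
        ($3 == "install" || $3 == "upgrade" || $3 == "remove") &&
        ($1 " " $2) >= lo && ($1 " " $2) <= hi { print $3, $4 }' "$1"
}

# Case-insensitive search of every file under a log directory; prints the files that match.
logs_mentioning() {
    grep -rli -- "$1" "$2" 2>/dev/null | sort
}

# --- constructed sample data (stands in for /etc/passwd, /var/log/dpkg.log, /var/log) ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
SAMPLE_PASSWD="$SAMPLE/passwd"
SAMPLE_DPKG_LOG="$SAMPLE/dpkg.log"
SAMPLE_LOGDIR="$SAMPLE/log"; mkdir -p "$SAMPLE_LOGDIR"
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
debian_luva:x:1000:1000::/home/debian_luva:/bin/bash
EOF
cat >"$SAMPLE_DPKG_LOG" <<'EOF'
2005-08-30 05:58:02 upgrade libc6 2.3.5-3 2.3.5-4
2005-08-30 06:11:40 upgrade gftp-common 2.0.18-8 2.0.18-9
2005-08-30 06:11:41 upgrade gftp-gtk 2.0.18-8 2.0.18-9
2005-08-30 06:11:42 configure gftp-common 2.0.18-9
2005-08-30 21:03:15 install cvs 1.12.9-13
EOF
printf '%s\n' 'Aug 30 06:11:41 desktop example: constructed line that mentions ANONYMOUS' >"$SAMPLE_LOGDIR/syslog"
```

For a real directory, take the mtime from `describe_dir /home/ANONYMOUS`, pad it a few minutes either side, and pass those bounds with /var/log/dpkg.log to `packages_in_window`.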
 
Old 08-30-2005, 07:41 PM   #15
danimalz
Well done Debian-Luva...!

Thanks for letting us know.
 
  

