[Linux-disciples] Suspicious Files

Adam Kessel linux-disciples@bostoncoop.net
Tue, 20 Jan 2004 21:57:11 -0500



On Tue, Jan 20, 2004 at 09:50:51PM -0500, Dylan Thurston wrote:
> On Tue, Jan 20, 2004 at 09:38:36PM -0500, Adam Kessel wrote:
> > Suspicious files have been appearing in various directories on my system,
> > e.g.:
> > -rw-r--r--    1 adam     adam            0 2004-01-20 16:24 H.D?
> > There was one yesterday with some UTF-8 (accented) type characters in it.
> > I have no idea where these are coming from. Any ideas about what might be
> > creating them or how to catch the culprit?
> It's unlikely to be a hack, but you should run chkrootkit anyway.

I did run chkrootkit, and it returned no problems.

I always wonder if there are rootkits out there that interfere with
chkrootkit. I mean, wouldn't an obvious thing be to replace the
chkrootkit executable with some other one?

> Do they appear in any sort of consistent location?  That file is recent,
> I notice.

Not really.  I've noticed three or four of these files so far.  I think
most of them were in my home directory, and one was somewhere else,
probably another directory I was in at some point.  I guess the most
likely explanation is that something I'm invoking is creating them at
startup, but I don't know what it is, and unless I'm constantly looking to
see if a weird filename has been created, it's a little hard to track down
who's creating it...
--
Adam Kessel
http://bostoncoop.net/adam

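The message above asks two practical questions: how to find the stray files without eyeballing directory listings, and how to catch whatever process is creating them. The shell functions below are an added example for this archive page, not code from the thread, from chkrootkit or from any project the posters mention. They assume a current Linux with GNU find and grep; the live-watch function assumes inotifywait (from inotify-tools) or, failing that, the auditd tools, and the audit key name "strayfiles" is an arbitrary label chosen here. The detection works on raw bytes, so it covers both the control character that ls renders as "?" in "H.D?" and the UTF-8 accented names from the post.

```shell
#!/bin/sh
# Added example for tracking down stray files like the "H.D?" one in the
# post. Not code from the original thread; assumes a current Linux with
# GNU find/grep and, for watch_creates, inotifywait or auditctl.

# find_odd_names DIR [MINUTES]
# Print every regular file under DIR modified in the last MINUTES minutes
# (default: 24 hours) whose name contains a byte outside printable ASCII.
# That catches both control characters (shown as '?' by ls) and UTF-8
# accented characters, the two kinds of name described in the post.
find_odd_names() {
    dir=$1
    mins=${2:-1440}
    # LC_ALL=C makes grep see raw bytes, so an accented UTF-8 letter is two
    # bytes outside 0x20-0x7e and matches the negated class.  The leading '/'
    # followed by "no more slashes" pins the match to the last path component,
    # so an odd byte in a parent directory's name is not reported.
    find "$dir" -type f -mmin "-$mins" 2>/dev/null |
        LC_ALL=C grep '/[^/]*[^ -~][^/]*$'
    # Caveat: a newline inside a name splits the path over two lines here;
    # switch to find -print0 and grep -z if you need to handle that case too.
}

# show_with_times DIR [MINUTES]
# Same hits as find_odd_names, but as the ls -l line quoted in the post, so
# each file's mtime can be lined up against shell history, cron or logins.
show_with_times() {
    find_odd_names "$@" | while IFS= read -r f; do
        ls -ld -- "$f"
    done
}

# watch_creates DIR
# Catch the culprit in the act instead of scanning after the fact.  Prefers
# inotifywait (no root needed, but it reports only the name and time); if it
# is missing, prints the auditd rule that also records the writing process.
# Runs until interrupted.
watch_creates() {
    dir=$1
    if command -v inotifywait >/dev/null 2>&1; then
        # %T timestamp, %w watched directory, %f new entry name
        inotifywait -m -r -e create -e moved_to \
            --timefmt '%F %T' --format '%T %w%f' "$dir"
    else
        echo "inotifywait not found; as root you can instead run:" >&2
        echo "  auditctl -w $dir -p wa -k strayfiles" >&2
        echo "  ausearch -k strayfiles   # shows pid, exe and uid per write" >&2
        return 1
    fi
}

# Usage (uncomment to run by hand):
#   show_with_times "$HOME" 60    # odd names touched in the last hour
#   watch_creates "$HOME"         # then wait for the next one to appear
```

Run show_with_times against the home directory right after logging in or starting X to test the "something I invoke at startup" theory: if the stray file's mtime matches the session start, the process list from that moment (or the audit record, if the auditctl rule is in place) names the program. The inotifywait path is the quick option, but only the audit route ties the file to a pid and executable, which is what is actually needed to identify the culprit.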