
Re: [suse-security] Found file in /dev: "h"



Hello,

On Tuesday, 29 June 2004 09:29, Hans-Peter Jansen wrote:
>On Tuesday 29 June 2004 07:47, Manfred Rebentisch wrote:
>> Hello,
>> I found a normal file in /dev: "h" on one of my servers:
>> # ls -al /dev/h
>> -rw-r--r--    1 root     root          446 Feb 19 14:17 /dev/h
>>
>> It contains the following text between binary code:
>> Invalid partition table^@No operating system^@Error loading
>> operating system
>>
>> Is this from a rootkit or normal to SuSE 9.0?
>
>Don't know, but 446 is exactly the root sector loader size without
>partition table, and is definitely not found on pristine
>installations! Keep us informed about your research...
>
>Pete

I found two entries in the log-file:
Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=80.180.181.211 DST=217.224.35.218 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=63936 PROTO=TCP SPT=1085 DPT=22 WINDOW=4096 RES=0x00 SYN URGP=0
Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=80.180.181.211 DST=217.224.35.218 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=64011 DF PROTO=TCP SPT=3103 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

The dig query:
oexs8:/var/log # dig 80.180.181.211

; <<>> DiG 9.2.2 <<>> 80.180.181.211
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64063
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;80.180.181.211.                        IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2004062800 1800 900 604800 86400


The server has an open ssh port, available from the internet via dyndns.org. Using
DSL with t-online.de.

Manfred
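
A quick way to test Pete's observation (446 bytes is exactly the MBR boot code without the 64-byte partition table and the 2-byte signature) is to compare the suspect file against the boot code of the machine's own disk: a byte-for-byte match points to a backup of the local MBR, a mismatch to something that was written there from elsewhere. The script below is an added example, not code from the thread; it builds a constructed MBR image for offline testing, uses only the error strings quoted in the post, and when run with real paths (for example `/dev/h` and the boot disk) needs read access to the disk.

```python
import sys

MBR_SIZE = 512
BOOT_CODE_SIZE = 446        # boot code; the 446 bytes reported by ls
PARTITION_TABLE_SIZE = 64   # four 16-byte partition entries follow the code
MBR_SIGNATURE = b"\x55\xaa"

# Strings quoted in the post as found inside /dev/h.
KNOWN_MBR_STRINGS = (
    b"Invalid partition table",
    b"No operating system",
    b"Error loading operating system",
)


def split_mbr(mbr: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition table and signature."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need at least one full 512-byte sector")
    return {
        "boot_code": mbr[:BOOT_CODE_SIZE],
        "partition_table": mbr[BOOT_CODE_SIZE:BOOT_CODE_SIZE + PARTITION_TABLE_SIZE],
        "signature": mbr[MBR_SIZE - 2:MBR_SIZE],
    }


def analyse_suspect(suspect: bytes, disk_mbr: bytes) -> dict:
    """Compare a suspect file with the first sector of the disk it was found on."""
    parts = split_mbr(disk_mbr)
    return {
        "size_is_boot_code": len(suspect) == BOOT_CODE_SIZE,
        "mbr_strings_found": [s for s in KNOWN_MBR_STRINGS if s in suspect],
        "matches_disk_boot_code": suspect == parts["boot_code"],
        "disk_signature_ok": parts["signature"] == MBR_SIGNATURE,
    }


def build_sample_mbr() -> bytes:
    """Constructed 512-byte sector for offline runs; not a real disk image."""
    code = b"\xfa\x33\xc0" + b"\x00".join(KNOWN_MBR_STRINGS) + b"\x00"
    code = code.ljust(BOOT_CODE_SIZE, b"\x90")          # pad with NOPs
    return code + bytes(PARTITION_TABLE_SIZE) + MBR_SIGNATURE


if __name__ == "__main__":
    # usage: python3 check_mbr.py <suspect file> <boot disk>   (needs root for the disk)
    with open(sys.argv[1], "rb") as f_suspect, open(sys.argv[2], "rb") as f_disk:
        report = analyse_suspect(f_suspect.read(), f_disk.read(MBR_SIZE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A file that is 446 bytes long, carries the three strings and matches the disk's boot code is most likely a saved copy of the local MBR; the same file with `matches_disk_boot_code` false deserves the closer look the thread is asking for.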


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here