
Re: [suse-security] Found file in /dev: "h"


On Tuesday, 29 June 2004 09:29, Hans-Peter Jansen wrote:
>On Tuesday 29 June 2004 07:47, Manfred Rebentisch wrote:
>> Hello,
>> I found  a normal file in /dev: "h" on one of my servers:
>> # ls -al /dev/h
>> -rw-r--r--    1 root     root          446 Feb 19 14:17 /dev/h
>> It contains the following text between binary code:
>> Invalid partition table^@No operating system^@Error loading
>> operating system
>> Is this from a rootkit or normal to SuSE 9.0?
>Don't know, but 446 is exactly the root sector loader size without
>partition table, and is definitely not found on pristine
>installations! Keep us informed about your research...

I found two entries in the log-file:
Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=63936 PROTO=TCP SPT=1085 DPT=22 WINDOW=4096 RES=0x00 SYN
Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=64011 DF PROTO=TCP SPT=3103 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

The dig query:
oexs8:/var/log # dig

; <<>> DiG 9.2.2 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64063
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;                        IN      A

.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2004062800 1800 900 604800 86400

The server has an open ssh-port, available from internet via dyndns.org. Using 
DSL with t-online.de.
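
Added example, not part of the original thread or of any SuSE tool: a Python check that lists regular files under a /dev-style tree, tests a file for the 446-byte size and the boot-loader messages quoted above, and compares it with the first 446 bytes of a disk or disk image. The function names, the skipped directories and the sample bytes are assumptions made for this illustration.

```python
import os
import stat

BOOTCODE_LEN = 446  # boot loader size without partition table, per the thread
# Strings the poster reported inside /dev/h
MBR_MESSAGES = (b"Invalid partition table", b"No operating system",
                b"Error loading operating system")


def regular_files(root, skip=("shm", "mqueue")):
    """List (path, size) of regular files under a device tree."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            # Assumption: tmpfs areas like /dev/shm legitimately hold files.
            dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat so symlinks are not followed
            if stat.S_ISREG(st.st_mode):
                hits.append((path, st.st_size))
    return sorted(hits)


def classify(data):
    """Report whether data has boot-code size and which messages it holds."""
    found = [m.decode() for m in MBR_MESSAGES if m in data]
    return {"size_matches": len(data) == BOOTCODE_LEN, "messages": found}


def same_as_disk_bootcode(path, disk):
    """True if the file equals the first 446 bytes of a disk or disk image."""
    with open(path, "rb") as f, open(disk, "rb") as d:
        return f.read(BOOTCODE_LEN + 1) == d.read(BOOTCODE_LEN)


def sample_bootcode():
    """Constructed stand-in for /dev/h: filler bytes plus the quoted messages."""
    body = b"\x00".join(MBR_MESSAGES) + b"\x00"
    return b"\x90" * (BOOTCODE_LEN - len(body)) + body


if __name__ == "__main__":
    for path, size in regular_files("/dev"):
        try:
            with open(path, "rb") as f:
                print(path, size, classify(f.read(4096)))
        except OSError as exc:
            print(path, size, "unreadable:", exc)
```

A match against the disk's own boot code suggests a saved copy of the boot sector; a mismatch means the file's origin still has to be explained.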

