Curiosity has finally gotten the better of me. It may be that this is a big nothing, but I doubt it.

I work for a company that shall remain nameless, and this company recently had a machine that started acting extremely strange one afternoon. It was running DNS, ypbind (which was what started the whole escapade), webserver, sshd, etc... I would provide more info, but the box, I believe, has been recycled into the system at this point. The system in question was a Red Hat 6.0 box, if I remember correctly.

On with the story: upon investigating the system, we discovered ls -l would barf on anything not owned by root, ps was puking, and ssh would not connect you until you sent a C^c. Strange things in and of themselves. We suspected a library issue. We sent this box to a nearby security firm we work with, and they couldn't find any definite evidence of a root kit. So I am posting here to satisfy my curiosity.

The subject says it all really: we found about 1800 files in the / directory with names like .SeCuRiTy#somenumber. These files seemed to be grouped in some manner. Running strings on them turned up nothing.

Anyways, to cut it short, I'm just really curious if anyone can tell me if there are any kits out there that write files in that manner to /. It seems like a poor place to hide things to me, as when discovered they obviously do not belong...

So... anyone seen these types of files before? I've grepped most all the search engines, but most are not case sensitive, and typing security into them just generates lots of unrelated stuff for the most part. Some sites did come up when searching with some case-sensitive search engines, though they tended to be Russian sites that I of course could not read. ;)

Anyways, the most anyone has ever told me is "Sounds bad" or "Seems like a compromise to me"... If anyone has anything more informative, it would be great.

.ray

--
------------------------------------------------
Ray Schneider <rayat_private>
HackFOO.org
This archive was generated by hypermail 2b30 : Wed May 02 2001 - 13:40:23 PDT