Web Hosting Talk

New folder and file found under Root DIR???


terran11355@
09-29-2004, 05:54 PM
Hi guys,

I found a new folder called \177q and a new file called .rnd


Does anybody know what they are?

Before I delete this I have to know what this is and whether or not it affects the whole system.


Thanks

sean

Techark
09-29-2004, 06:22 PM
Does not sound good.
That is not a normal system folder. Who does it belong to, what user and group?

bear
09-29-2004, 06:54 PM
You should see what's inside the folder (or was it that .rnd file?), in addition to Techark's suggestion. I agree it doesn't sound good...

terran11355@
09-29-2004, 06:56 PM
Originally posted by Techark
Does not sound good.
That is not a normal system folder. Who does it belong to, what user and group?


Hi Techark,

Thanks again.

When I run the command # cd \177q I get this error:
No such file or directory

but I am sure it is there, and when I pico the file .rnd I get a lot of words I can't read; it is not English, something like this: ^X^Y or *d ^n

I am not sure what they are.

I think I have to delete them (contact admin).


sean

Steven
09-29-2004, 07:07 PM
Hrmm sounds very odd.

bear
09-29-2004, 07:33 PM
Originally posted by terran11355@
When I run the command # cd \177q I get this error:
No such file or directory

Wouldn't that be /177q and not \177q?

Steven
09-29-2004, 07:38 PM
not if the folder name is \177q

2uantuM
09-29-2004, 08:24 PM
try

"cd \\177q"

bear
09-29-2004, 08:48 PM
Originally posted by thelinuxguy
not if the folder name is \177q

Is that valid to use for a directory name?

v3dic
10-01-2004, 03:07 AM
This does not sound good!

Since the first character of the folder is the escape character, it is clearly something fishy. Precede it with a \ to look at it as 2uantuM said.

I would run chkrootkit to make sure your system has not been compromised.

Also check out lastlog to see when the last root login was (ideally this would be disabled with AllowUsers directive in sshd_config).

Check out the .bash_history file to see what else was done.

You clearly have some type of script kiddie who is making no attempt to be clever, so they probably left you a lot of info to go on.

Lastly, if you can, rebuild the box with a freshly patched distro and run BastilleLinux and Nessus to secure it so *hopefully* this doesn't happen again.
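
As an added example that is not part of this thread or any poster's own code: a small POSIX shell helper that lists the entries in a directory whose names contain non-printable bytes (the \177 DEL byte in \177q is one), printing each name octal-escaped together with its owner and group, which is what Techark asked about. It assumes GNU find (character classes in -name) and GNU ls (the -b option).

```shell
#!/bin/sh
# Added triage helper (not from the thread): find oddly named entries.
# Prints one "ls -l" line per entry whose name contains a byte outside
# printable ASCII, with the name escaped octally (DEL shows as \177),
# so the owner/group and the real name are visible at a glance.
#
# Usage: find_odd_names /root
# Assumes GNU find and GNU ls.

find_odd_names() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # LC_ALL=C makes [:print:] a byte-level test (0x20..0x7e only), so a
    # name carrying DEL (0x7f) or any control byte fails [:print:] and
    # matches the negated bracket expression.
    LC_ALL=C find "$dir" -mindepth 1 -maxdepth 1 \
        -name '*[![:print:]]*' -print 2>/dev/null |
    while IFS= read -r path; do
        # -b escapes non-graphic bytes as \ooo; -d lists a directory
        # itself instead of its contents.
        LC_ALL=C ls -lbd -- "$path"
    done
}

# Only run when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    find_odd_names "$@"
fi
```

Run it against the directory where the entry appeared; a name that prints as \177q is then known to start with byte 0x7f, which also explains why a plain cd \177q is rejected by the shell.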

John[H4Y]
10-01-2004, 03:11 AM
The "not English" characters you are seeing likely mean the file you are editing is a binary file. This would certainly be consistent with a system compromise. Most script-kiddie exploit programs are written in C, compiled and placed wherever the hacker can gain write access and execute access. Since the /root folder is only writable by the root user, you might be in serious trouble.

Another possibility is that you have a disk problem. Disk corruption can cause strange looking files and directories to show up among other things.