From: Pete Puma on
J G Miller wrote:

> On Tue, 29 Jun 2010 19:39:47 -0400, Pete Puma wrote:
>
>> Another 0k file was right under it, named, ?success?.
>
> Actually called ?success? or just /success
>
> I think that a file called /success may get created
> as part of the boot up sequence in openSUSE related to disk
> checking and mounting, possibly after a needed fsck of a file system.

I'm getting or generating garbage characters here, so I changed to UTF-8.

Anyway, the file was "success".

The other file was my log-in password.
How did that happen?
From: Pete Puma on
David Bolt wrote:

> On Wednesday 30 Jun 2010 00:39, while playing with a tin of spray paint,
> Pete Puma painted this mural:
>
>> Being impatient for the new openSuse release, I decided to check an old
>> hard drive to see if anything valuable was on it and install openSuse RC1
>> for the interim 15 days.
>>
>> On the root level of the disk (where I had run openSuse 11.1) I see a 0k
>> file named, "mypassword", not actually the words: mypassword, but my
>> actual password, the one I use to log in.
>
> The only file(s) I've found in my / were /success, which my other reply
> shows to be a flag file, a /core file which I couldn't give a monkeys
> about, and /.swap_file which is an emergency swap file for use when I
> suddenly start needing more swap space than I originally set aside.
>
> If an empty file was present with the same name as my password, I would
> be very interested to know why it was there. Maybe examining
> /root/.bash_history, or even ~/.bash_history may put some light on the
> file's creation.
>
>> Sitting there in the open. My jaw dropped.
>> I share this logon with no one.
>> Another 0k file was right under it, named, "success".
>
> See my other response.
>
>> Neither had any data in them. Should I feel as violated as I do?
>>
>> Did someone get me?
>
> Most unlikely. For starters, unless you've turned off the firewall,
> that is enabled by default. Most, if not all, services don't listen to
> the net, so you're going to be pretty well protected. As to _how_ the
> "mypassword" file was created, as I've never seen such a thing happen
> on any of my systems, I don't have any idea how it could have appeared.

If I'm testing a music server or trying to talk or feed to a Windows
machine, in all honesty, it wouldn't be past me to "temporarily" kill the
openSuse firewall (still behind a NAT router, mind you).
Sometimes I have trouble nailing down which port to open, so I take the
quick out. It may have cost me this time.

It also wouldn't be unusual to forget to turn it back on for a while.

I'll look into those history files and if I find something worth posting
about, I will.
Thanks for all the responses.


From: Paul J Gans on
David Bolt <blacklist-me(a)davjam.org> wrote:
>On Wednesday 30 Jun 2010 00:39, while playing with a tin of spray paint,
>Pete Puma painted this mural:

>> Being impatient for the new openSuse release, I decided to check an old hard
>> drive to see if anything valuable was on it and install openSuse RC1 for the
>> interim 15 days.
>>
>> On the root level of the disk (where I had run openSuse 11.1) I see a 0k
>> file named, "mypassword", not actually the words: mypassword, but my actual
>> password, the one I use to log in.

>The only file(s) I've found in my / were /success, which my other reply
>shows to be a flag file, a /core file which I couldn't give a monkeys
>about, and /.swap_file which is an emergency swap file for use when I
>suddenly start needing more swap space than I originally set aside.

>If an empty file was present with the same name as my password, I would
>be very interested to know why it was there. Maybe examining
>/root/.bash_history, or even ~/.bash_history may put some light on the
>file's creation.

>> Sitting there in the open. My jaw dropped.
>> I share this logon with no one.
>> Another 0k file was right under it, named, "success".

>See my other response.

>> Neither had any data in them. Should I feel as violated as I do?
>>
>> Did someone get me?

>Most unlikely. For starters, unless you've turned off the firewall,
>that is enabled by default. Most, if not all, services don't listen to
>the net, so you're going to be pretty well protected. As to _how_ the
>"mypassword" file was created, as I've never seen such a thing happen
>on any of my systems, I don't have any idea how it could have appeared.

I have done some dumb things in my time. One was to login,
enter my password, get distracted, and type it again after
I was logged in. It showed up as a plain filename. I stupidly
sat there and watched it all happen. And no, I can't reproduce
it.

But I cured it with a decent dose of caffeine, after which I
cleaned everything up and all was fine. And yes, it was
a single user (plus root) machine.

--
--- Paul J. Gans