> -----Original Message-----
> From: Jiang Peng [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 9, 2003 07:27 AM
> To: [EMAIL PROTECTED]
> Subject: Strange files found on Solaris8
>
> Hi All,
>
> I just found some strange files under the root directory of my Solaris 8.
>
> The files are named .SeCuRiTy.0, .SeCuRiTy.1, ..... up to .SeCuRiTy.68.
> The following is part of the output of the command ls -al:
>
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.0
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.1
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.10
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.11
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.12
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.13
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.14
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.15
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.16
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.17
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.18
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.19
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.2
> -rwx------   1 daemon   other        128 Aug 20  2002 .SeCuRiTy.20
> ..............
> Does anyone know what these files are for? I googled the internet, but found no
> clues.

Oddly, I just did a fresh install of Solaris 8 on a box today. . . mind you, my CD set 
is dated 1999, but there were no files like the ones you speak of. The upper/lower-case 
alternation makes one suspect you've been hacked, and, assuming your box has been up and 
running for a year or more, that the hack was almost a year ago.

First, look at /etc/shadow for accounts you don't recognize.  That's a 
certain sign of a hack. . .  If there are none, it's not proof you haven't been 
hacked, but if there are. . .

I'd back up AND CLOSELY EXAMINE your config files, wipe the box, and start from 
scratch.  And lock it down first.  Also, use a recent edition of BIND; anything prior 
to 8.3.4 (?) has a vulnerability.

Incidentally, for any internet box I always start with a Core install and lock it 
down from there, so there are no development tools to do a make on BIND for you.  As a 
result, I recommend http://www.sunfreeware.com/, which has a pre-compiled BIND 9.x 
binary package.

> This server is running an internet DNS server.
> What I am worrying about is whether someone broke into my system.
> Can anyone point me in the right direction to analyze these files? What kind of log
> files do I need to pay attention to?

Based on the dates of the files listed, I'd guess that if it WAS a hack, it happened 
last year, and thus has long since passed into /dev/null as far as logs are concerned. . .
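The two things the thread asks for, a way to analyze the .SeCuRiTy.* files and a way to check for accounts you don't recognize, can be scripted. The helper below is an added example, not code from either poster. It assumes a POSIX shell with ls, cksum, awk, wc and mktemp (on Solaris 8 run it under ksh or /usr/xpg4/bin/sh, since the old /bin/sh lacks $(...)). Two points the plain `ls -al` in the question does not show: `ls -lc` prints the inode change time, which touch(1) cannot backdate the way it can the mtime shown above, and a checksum per file tells you at once whether 69 files of 128 bytes are 69 copies of one payload or 69 different pieces of data. The sample directory and passwd file are constructed to mirror the listing in the question; `toor`, `sysadm` and the baseline list are invented for the demonstration.

```shell
#!/bin/sh
# Added triage helper for the thread above (not the original posters' code).
# Assumes POSIX sh + ls, cksum, awk, wc, mktemp. On Solaris 8 use ksh or
# /usr/xpg4/bin/sh; the legacy /bin/sh there does not support $(...).

# Print "path size ctime checksum" for every dotfile directly in DIR.
# ls -lc shows the ctime, which touch(1) cannot set, unlike the mtime
# that plain ls -l (and the listing in the question) shows.
list_dotfiles() {
    dir=$1
    for f in "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        sum=$(cksum "$f" | awk '{print $1}')
        size=$(wc -c < "$f" | tr -d ' ')
        ctime=$(ls -lc "$f" | awk '{print $6, $7, $8}')
        printf '%s %s %s %s\n' "$f" "$size" "$ctime" "$sum"
    done
}

# Number of distinct file contents among the dotfiles. "1" means every
# file is the same payload (one dropper written N times); a larger number
# means per-file data, so dump a few with od -c and look for ELF headers,
# shell text or host/port lists from a scanner.
count_distinct_contents() {
    list_dotfiles "$1" | awk '{print $NF}' | sort -u | wc -l | tr -d ' '
}

# Logins with UID 0 other than root, from a passwd-format file.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# Logins in PASSWD that are absent from BASELINE (one login per line,
# e.g. saved from the install media or a known-good box of the same build).
unknown_accounts() {
    passwd=$1; baseline=$2
    awk -F: 'NR == FNR {seen[$1] = 1; next} !($1 in seen) {print $1}' \
        "$baseline" "$passwd"
}

# Constructed sample mirroring the question: 69 identical 128-byte dotfiles
# named .SeCuRiTy.0 .. .SeCuRiTy.68, plus a passwd file and a baseline list.
# The accounts toor and sysadm are invented for the demonstration.
make_sample() {
    base=$1
    mkdir -p "$base/root"
    i=0
    while [ "$i" -le 68 ]; do
        printf '%0128d' 0 > "$base/root/.SeCuRiTy.$i"
        i=$((i + 1))
    done
    printf 'root:x:0:0:Super-User:/:/sbin/sh\n' > "$base/passwd"
    printf 'daemon:x:1:1::/:\nbin:x:2:2::/usr/bin:\n' >> "$base/passwd"
    printf 'toor:x:0:0::/:/bin/sh\n' >> "$base/passwd"
    printf 'sysadm:x:1001:1::/export/home/sysadm:/bin/sh\n' >> "$base/passwd"
    printf 'root\ndaemon\nbin\n' > "$base/baseline"
}

# Run with "demo" as the first argument to see the output on the sample.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp"
    echo "--- dotfiles (path size ctime cksum)"; list_dotfiles "$tmp/root"
    echo "--- distinct contents: $(count_distinct_contents "$tmp/root")"
    echo "--- extra UID 0 accounts:"; extra_uid0_accounts "$tmp/passwd"
    echo "--- accounts not in baseline:"; unknown_accounts "$tmp/passwd" "$tmp/baseline"
    rm -rf "$tmp"
fi
```

On the real box, point `list_dotfiles` at / and `extra_uid0_accounts` / `unknown_accounts` at /etc/passwd (the UID and login live there; /etc/shadow only adds the hash). Run the tools from known-good media if you can: a rootkit that installs a trojaned ls, find or cksum will hide exactly the files you are looking for, which is one more reason the reply's advice to wipe and reinstall is the safe one.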


