Hello,

On Tuesday, 29 June 2004 09:29, Hans-Peter Jansen wrote:
> On Tuesday 29 June 2004 07:47, Manfred Rebentisch wrote:
> > Hello,
> > I found a normal file in /dev: "h" on one of my servers:
> > # ls -al /dev/h
> > -rw-r--r-- 1 root root 446 Feb 19 14:17 /dev/h
> >
> > It contains the following text between binary code:
> > Invalid partition table^@No operating system^@Error loading operating system
> >
> > Is this from a rootkit or normal to SuSE 9.0?
>
> Don't know, but 446 is exactly the root sector loader size without
> partition table, and is definitely not found on pristine installations!
> Keep us informed about your research...
>
> Pete

I found two entries in the log file:

Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=80.180.181.211 DST=217.224.35.218 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=63936 PROTO=TCP SPT=1085 DPT=22 WINDOW=4096 RES=0x00 SYN URGP=0
Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=80.180.181.211 DST=217.224.35.218 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=64011 DF PROTO=TCP SPT=3103 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

The dig query:

oexs8:/var/log # dig 80.180.181.211

; <<>> DiG 9.2.2 <<>> 80.180.181.211
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64063
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;80.180.181.211. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2004062800 1800 900 604800 86400

The server has an open ssh port, available from the internet via dyndns.org. Using DSL with t-online.de.

Manfred
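
A check for what this thread describes, as an added example that is not part of any poster's message: it lists regular files under a directory such as /dev and flags any that are exactly 446 bytes and carry the three loader strings quoted above. The function names and the sample tree are assumptions made for the example; the sample file is constructed, not the file from the server.

```python
import os
import stat
import tempfile

BOOT_CODE_SIZE = 446  # boot loader area of the first sector, without partition table
# Strings quoted in the post, as they appeared between the binary code
MBR_STRINGS = (b"Invalid partition table", b"No operating system",
               b"Error loading operating system")

def regular_files(root):
    """Yield (path, size) for each regular file under root; symlinks are not followed."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_size

def looks_like_boot_code(data):
    """True if data has the loader size and contains all three error strings."""
    return len(data) == BOOT_CODE_SIZE and all(s in data for s in MBR_STRINGS)

def scan(root):
    """Return {path: verdict} for every regular file found under root."""
    findings = {}
    for path, size in regular_files(root):
        verdict = "regular file"
        if size == BOOT_CODE_SIZE:
            with open(path, "rb") as fh:
                if looks_like_boot_code(fh.read(BOOT_CODE_SIZE + 1)):
                    verdict = "446-byte boot loader copy"
        findings[path] = verdict
    return findings

def build_sample(root):
    """Constructed stand-in for /dev: a 446-byte file 'h' and an unrelated file."""
    blob = b"\xfa\x33\xc0" + b"\x00".join(MBR_STRINGS) + b"\x00"
    blob += b"\x90" * (BOOT_CODE_SIZE - len(blob))
    with open(os.path.join(root, "h"), "wb") as fh:
        fh.write(blob)
    with open(os.path.join(root, "note"), "wb") as fh:
        fh.write(b"unrelated")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, verdict in sorted(scan(tmp).items()):
            print(os.path.basename(path), "->", verdict)
```

Calling scan("/dev") on a live system reports every regular file there, so each hit can be checked against the package database or a known-good installation.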