
[nycphp-talk] Magic is Illusion?!?

Daniel J Cain Jr. dan at cain.sh
Fri Feb 27 14:23:21 EST 2004


On Fri, 2004-02-27 at 13:10, leam wrote:
> Big files, and i think "nobody" is the default user for nfs shared
> filesystems. Is the box an nfs server?

YES.  It has ended up that way out of necessity more than design.  As I
understand it, FreeBSD (can't speak to the other BSDs) is a poor choice
to serve NFS.

> /var/tmp is usually used for various applications to store stuff, but
> usually they clean up after themselves. Did the box have any problems
> around the date/time? Maybe a core dump?

/var filled up, and I had thought due to those files.  No .core files on
the filesystem including NFS clients.

> I wouldn't think it's an attack, more a miscreant application or system
> burp. I must confess to not being the most knowledgeable on such things
> though.

Knowing their origin (or at least a clue) makes me feel a little better.

> Two avenues to investigation. Run "strings" on the files and see what
> comes up. Or look for other files of that same size on the machine.

Thanks leam!

> ciao!
> 
> leam
> 
> > Odd question, possibly OT but the answer should determine that.
> > 
> > Anyone out there run into files like these?
> > 
> > -rwxr-xr-x  1 nobody  wheel  582254592 Jan 19 13:09 magicp8vAAg
> > -rwxr-xr-x  1 nobody  wheel  582254592 Jan 19 13:09 magicwcYIKc
> > 
> > Found these bad boys on /var/tmp/ on a FreeBSD box.  Not sure they are a
> > PHP (or an extensions) tmp file or what.  Google, PHP source, and log
> > files haven't shed any light on this as of yet.
> > 
> > Could this indicate an attack of some kind?  Any thoughts are welcome.
> > 
> > -dan
> > 
> > _______________________________________________
> > talk mailing list
> > talk at lists.nyphp.org
> > http://lists.nyphp.org/mailman/listinfo/talk
> > 
> > 
