Hi guys,

A while ago I posted a question about SFTP (I think the thread name was "SFTP Question") about attacks I got against my server after syslog warned me about an attempted break-in. Consequently I installed fail2ban and did a few other things to let me sleep better at night.

However, prior to this break-in, in early December 2014, I noticed my network behaving strangely, especially through wireless connections. I have Debian that acts as a gateway (wlan0->br0->eth0). wlan0 is the pickup for the internal network that gets bridged to eth0, which then goes through the router to the internet. What I noticed was that wireless connections would break down quickly, bind9 would fail to resolve (even on wired connections) and pages would load slowly. In general it was chaos.

Under the impression that it was a hardware failure, I changed the wlan0 adapter. Still it was the same. So I bought a more expensive one, and still no change. I changed eth0 with an expensive one and still it was the same. I bought 2 new Netgear ADSL routers but the chaos was still there. wlan0, br0 and eth0 just didn't want to work together any more.

Eventually I stopped all bootup scripts and processes trying to isolate the problem. And guess what, I found the culprit. Here it is:

##########################################################
-rwxr-xr-x 1 root root 648K Dec 11 17:17 /boot/dippqejwvf
##########################################################

This file got booted up and caused all the havoc. I moved it to a secure place and now it seems that all gremlins have gone away. The date on this file is 11 Dec 2014, right about the time my troubles started. I think that those Chinese guys got into my system even before syslog warned me a few days later.

However, I have a few other weird looking files in the /boot directory. Can you guys please have a look at them and tell me if they are normal or not.

#########################################################
drwxr-xr-x  3 root root 4.0K Jan  6 19:35 .
drwxr-xr-x 24 root root 4.0K Jan  3 17:23 ..
-rwxr-xr-x  1 root root 648K Jan  6 19:03 aknaykocbs
-rwxr-xr-x  1 root root 648K Jan  1 11:34 bxerzoalfk
-rw-r--r--  1 root root 157K Dec 10 18:57 config-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root 132K Dec  8 00:36 config-3.2.0-4-686-pae
-rwxr-xr-x  1 root root 648K Dec 20 08:04 cwpgfmvkrk
-rwxr-xr-x  1 root root 648K Dec 30 22:41 czhlgmsgzh
-rwxr-xr-x  1 root root 648K Dec 30 20:03 dkseypedtx
-rwxr-xr-x  1 root root 648K Jan  3 15:14 esijfkmwnd
-rwxr-xr-x  1 root root 648K Dec 27 14:49 fndswijgdk
-rwxr-xr-x  1 root root    0 Dec 20 08:14 gbwokvqoch
drwxr-xr-x  3 root root  12K Jan  3 17:23 grub
-rwxr-xr-x  1 root root 648K Jan  5 07:28 gyimenpwnt
-rwxr-xr-x  1 root root 648K Dec 31 17:49 hjmmvaxfzq
-rwxr-xr-x  1 root root 648K Dec 15 21:25 hutaslspbf
-rw-r--r--  1 root root  14M Jan  3 17:25 initrd.img-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root  11M Jan  2 22:01 initrd.img-3.2.0-4-686-pae
-rwxr-xr-x  1 root root 648K Jan  2 18:47 isrgzlchmx
-rwxr-xr-x  1 root root 648K Dec 27 14:56 izytxsbskq
-rwxr-xr-x  1 root root 648K Jan  5 18:40 kvvcqvddix
-rwxr-xr-x  1 root root 648K Jan  1 11:19 ryrfvxjggh
-rwxr-xr-x  1 root root    0 Jan  5 19:08 sgopxfsiac
-rw-r--r--  1 root root 2.0M Dec 10 18:57 System.map-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root 1.6M Dec  8 00:36 System.map-3.2.0-4-686-pae
-rwxr-xr-x  1 root root 648K Dec 30 20:40 ttqssdikcn
-rwxr-xr-x  1 root root    0 Dec 26 17:11 utxlhlmnix
-rwxr-xr-x  1 root root    0 Dec 12 07:29 vdqepbezvg
-rw-r--r--  1 root root 2.9M Dec 10 18:56 vmlinuz-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root 2.6M Dec  8 00:35 vmlinuz-3.2.0-4-686-pae
-rwxr-xr-x  1 root root 648K Dec 31 17:30 wevzubbsgn
-rwxr-xr-x  1 root root 648K Jan  1 09:46 xjeemjyuly
-rwxr-xr-x  1 root root 648K Jan  1 17:10 zfmpizunja
-rwxr-xr-x  1 root root 648K Jan  1 10:00 zkdjlvhuui
-rwxr-xr-x  1 root root    0 Dec 30 22:32 zpaqgbuxvr
########################################################

What bothers me is that the "other" files are all the same size (648K) as the suspected file I removed, and they are very recent additions to the /boot directory.

Thank you
Danny

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150106180456.GA8657@fever.havannah.local
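The question Danny asks (which of these /boot entries are normal?) can be answered mechanically. The script below is an added example, not code from the post or from Debian: it parses an `ls -lh` listing and separates the files that Debian's kernel packages and GRUB legitimately place in /boot (vmlinuz-*, initrd.img-*, config-*, System.map-*, grub) from everything else, then records why each leftover looks out of place (executable bit set, zero length, a bare run of lowercase letters instead of a versioned name, and several unexpected files sharing one identical size, which is exactly the pattern in the listing above). The list of expected names and the "random-looking" heuristic are this example's assumptions; the sample listing is a subset of the lines from the post.

```python
"""Triage an `ls -lh /boot` listing for entries that are not Debian kernel/bootloader files.

Added example (not from the debian-user post). Heuristic only: confirm each flagged path on
the real host with `dpkg -S /boot/<name>` (is it owned by any package?) and `debsums -c`.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Names Debian kernel packages and GRUB legitimately put in /boot (assumption of this example).
EXPECTED_NAME = re.compile(
    r"^(?:"
    r"(?:vmlinuz|initrd\.img|config|System\.map)-\d+\.\d+\.\d+.*"  # per-kernel artifacts
    r"|grub|efi|lost\+found"                                         # bootloader / fs dirs
    r")$"
)

# One `ls -lh` line: mode links owner group size month day time-or-year name
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+(?:\.\d+)?[KMGT]?)\s+\w{3}\s+\d{1,2}\s+(?P<when>\S+)\s+(?P<name>.+)$"
)

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}

# Constructed sample: a subset of the listing quoted in the post.
SAMPLE_LISTING = """\
drwxr-xr-x  3 root root 4.0K Jan  6 19:35 .
drwxr-xr-x 24 root root 4.0K Jan  3 17:23 ..
-rwxr-xr-x  1 root root 648K Jan  6 19:03 aknaykocbs
-rwxr-xr-x  1 root root 648K Jan  1 11:34 bxerzoalfk
-rw-r--r--  1 root root 157K Dec 10 18:57 config-3.16.0-0.bpo.4-686-pae
-rwxr-xr-x  1 root root    0 Dec 20 08:14 gbwokvqoch
drwxr-xr-x  3 root root  12K Jan  3 17:23 grub
-rw-r--r--  1 root root  14M Jan  3 17:25 initrd.img-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root 2.0M Dec 10 18:57 System.map-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root 2.9M Dec 10 18:56 vmlinuz-3.16.0-0.bpo.4-686-pae
"""


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    size: int
    name: str

    @property
    def is_dir(self) -> bool:
        return self.mode[0] == "d"

    @property
    def is_executable(self) -> bool:
        # Any execute bit (user/group/other); 's' is setuid/setgid with execute.
        return any(ch in "xs" for ch in (self.mode[3], self.mode[6], self.mode[9]))


def human_to_bytes(text: str) -> int:
    """Convert an `ls -h` size such as '648K', '2.0M' or '0' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]?)", text)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_ls_line(line: str) -> Optional[Entry]:
    """Parse one `ls -lh` line; None for blank/unrecognised lines and for . and .."""
    m = LS_LINE.match(line.strip())
    if not m or m.group("name") in (".", ".."):
        return None
    return Entry(m.group("mode"), m.group("owner"), m.group("group"),
                 human_to_bytes(m.group("size")), m.group("name"))


def parse_listing(text: str) -> List[Entry]:
    return [e for e in (parse_ls_line(line) for line in text.splitlines()) if e]


def looks_random(name: str) -> bool:
    """Heuristic: 8+ lowercase letters and nothing else. Packaged /boot files carry
    version strings (digits, dots, dashes), so a bare letter run is unusual."""
    return re.fullmatch(r"[a-z]{8,}", name) is not None


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {name: [reasons]} for every entry that is not a known packaged boot file."""
    findings: Dict[str, List[str]] = {}
    size_groups: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        if EXPECTED_NAME.match(e.name):
            continue
        reasons = ["not a known kernel/bootloader file name"]
        if e.is_dir:
            reasons.append("unexpected directory")
        else:
            if e.is_executable:
                reasons.append("executable regular file (packaged /boot files are 0644)")
            if e.size == 0:
                reasons.append("zero-byte file")
            if looks_random(e.name):
                reasons.append("random-looking name")
            size_groups[e.size].append(e.name)
        findings[e.name] = reasons
    # Several unexpected files of one identical non-zero size: treat them as copies of one binary.
    for size, names in size_groups.items():
        if size > 0 and len(names) > 1:
            for n in names:
                findings[n].append(f"identical size ({size} bytes) shared with "
                                   f"{len(names) - 1} other unexpected file(s)")
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_listing(SAMPLE_LISTING)).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On the sample the three lowercase-only names are flagged and the kernel files and grub pass. The script only reads a listing; the authoritative check on the affected host is `dpkg -S /boot/<name>`, which reports no owning package for files that no Debian package installed, and `debsums -c`, which verifies the checksums of the files that packages did install.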