On 2007-05-16 02:54:06 +0530, Deboo ^ wrote:
> On 5/15/07, Vincent Lefevre <[EMAIL PROTECTED]> wrote:
>> On 2007-05-15 11:35:03 +0530, Deboo ^ wrote:
>> > I saw today that there's a zero byte file in my home dir with the name
>> > "Brendan" created yesterday but I couldn't search who created it or
>> > what was the command that created it etc from any log files.
>>
>> Are you sure you haven't written something containing "> Brendan" in
>> a terminal (e.g. by pasting a selection by mistake, this sometimes
>> happens to me, and I get 0-byte file creation because of that)?
>
> Yes am sure I did not write anything containing "Brendan" and for me
> that's kinda new word or grammatically incorrect as far as I can say,
> though it could be a name for someone. Brandon should be the word and
> I can never make such a typo as far as I can say.

But how about a paste you didn't notice? I don't know what terminal
you use, but for those that do paste on middle click, it is very easy
to paste without noticing it. The "> Brendan" could come from some
mail/news message written by some user (see the 5th line of this
message for instance) and ditto, it is very easy to select by mistake.

BTW, would an intruder create an empty file Brendan, leaving this
trace and clearing everything else?

>> > I am testing postfix on and off but don't keep it online for more
>> > than a few minutes every time I test.
>>
>> Or could this come from one of your tests?
>
> Not from a test from me. My mistake that I kept the most easy password
> for a new username just to test smtp auth.

This could be a problem if you have enabled sshd and if someone
guessed the username and the password.

>> > And JUST now as I am posting this, that file is GONE. I did not
>> > delete it.
>>
>> That's strange.
>
> Sorry for this. I was kind of worried so forgot that I saw the file in
> the root's home folder and not mine. That file is still there.

Do its ctime and mtime correspond to something special?

> Note the output of the iptables arno-firewall script, two lines:
>
> May 16 02:49:21 debian kernel: Connection attempt (UNPRIV): IN=ppp0
> OUT= MAC= SRC=141.242.x.x DST=MY_IP_ADDRESS LEN=392 TOS=0x00
> PREC=0x00 TTL=51 ID=61472 PROTO=UDP SPT=30349 DPT=1026 LEN=372
>
> May 16 02:50:54 debiansite kernel: Connection attempt (PRIV): IN=eth0
> OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:9d:0f:b9:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1294
> PROTO=UDP SPT=68 DPT=67 LEN=308
>
> What kind of connection attempt is this? Isn't the second one a
> broadcast packet?

The second one corresponds to the BOOTP[1] protocol. I think it is
normal.

[1] http://en.wikipedia.org/wiki/Bootstrap_Protocol

Concerning the first one, this is apparently the Calendar Access
Protocol port[2].

[2] http://www.linklogger.com/UDP1026.htm

--
Vincent Lefèvre <[EMAIL PROTECTED]> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
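
Added example, not part of the original message or of the firewall script it mentions: a Python parser for the two kernel log lines quoted above. It splits the KEY=value fields, pulls the sender's hardware address out of MAC=, and tags the BOOTP/DHCP client broadcast separately from the inbound UDP packet. The function names and labels are this example's own; the sample lines are the poster's, rejoined one per line with the redactions kept.

```python
import re

# The two log lines from the message, one per line, redacted as posted.
SAMPLE_LOG = [
    "May 16 02:49:21 debian kernel: Connection attempt (UNPRIV): IN=ppp0 "
    "OUT= MAC= SRC=141.242.x.x DST=MY_IP_ADDRESS LEN=392 TOS=0x00 "
    "PREC=0x00 TTL=51 ID=61472 PROTO=UDP SPT=30349 DPT=1026 LEN=372",
    "May 16 02:50:54 debiansite kernel: Connection attempt (PRIV): IN=eth0 "
    "OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:9d:0f:b9:08:00 SRC=0.0.0.0 "
    "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1294 "
    "PROTO=UDP SPT=68 DPT=67 LEN=308",
]
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_netfilter_line(line):
    """Split a netfilter LOG line into its KEY=value fields."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        # LEN occurs twice (IP length, then UDP length): keep the first
        # as LEN and store the second as UDP_LEN.
        if key == "LEN" and "LEN" in fields:
            fields["UDP_LEN"] = value
        else:
            fields.setdefault(key, value)
    # MAC= is the Ethernet header: 6 bytes destination, 6 bytes source,
    # 2 bytes EtherType. It is empty on the ppp0 line.
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
    return fields

def classify(fields):
    """Label a parsed line (labels are this example's own)."""
    udp = fields.get("PROTO") == "UDP"
    if (udp and fields.get("SPT") == "68" and fields.get("DPT") == "67"
            and fields.get("SRC") == "0.0.0.0"
            and fields.get("DST") == "255.255.255.255"):
        return "bootp-dhcp-client-broadcast"
    # Empty OUT= means the packet was addressed to this host, not forwarded.
    dpt = fields.get("DPT", "")
    if udp and fields.get("OUT") == "" and dpt.isdigit() and int(dpt) >= 1024:
        return "inbound-udp-unprivileged-port"
    return "unclassified"

def summarize(lines):
    """Return (interface, source, dest port, label) for each log line."""
    parsed = [parse_netfilter_line(line) for line in lines]
    return [(f.get("IN"), f.get("SRC"), f.get("DPT"), classify(f)) for f in parsed]
```

The SRC_MAC recovered from the second line (00:14:85:9d:0f:b9) identifies which machine on the eth0 segment is asking for an address, which is the quickest way to confirm the broadcast comes from a known host.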