I've noticed a lot of weird logs in /var/log on my server.

For example:

cd /var/log/DIST00000001ARGC00000005ARGV00000002ccARGV00000002-cARGV00000006nmap.cARGV00000002-oARGV00000006nmap.oDOTI00000000
sudo cat user.log 
Jun 30 16:48:08 DIST00000001ARGC00000005ARGV00000002ccARGV00000002-cARGV00000006nmap.cARGV00000002-oARGV00000006nmap.oDOTI00000000

Another example:

cd /var/log/Nmap
sudo cat user.log 
Jun 30 16:48:28 Nmap

Note Nmap is not installed on my server.

Another example:

cd get_info
sudo cat user.log
Jun 30 16:48:25 get_info

I'm worried this may be a sign my server has been compromised, but perhaps it's something else?

The server is Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64) with unattended-upgrades turned on for security updates.

asked by Stiofán; edited by nobody
  • See https://unix.stackexchange.com/questions/6068/is-it-possible-to-find-out-what-program-or-script-created-a-given-file for some ideas around how to find how these files are being created. – mti2935 Jul 05 '21 at 17:21
  • Try putting the contents of netstat -tulpn in here (you can and should censor some of the sensitive stuff you see there if there is any) – Sir Muffington Dec 02 '21 at 16:48
  • @Stiofán, what's your server's Internet connectivity like? What is it usually in contact with? – securityOrange Dec 03 '21 at 05:06
  • *The server is Ubuntu 20.04.2 LTS* is not enough! You seem to have something able to create *logdir* under `/var/log` (which requires special rights). Could you list what's running on this server, and describe the kind of services your server does offer... – F. Hauri - Give Up GitHub Dec 04 '21 at 13:32

1 Answer

Not necessarily a 100% 'answer' but getting to the next step -- maybe strings sent by an nmap service probe?

https://svn.nmap.org/!svn/bc/3320/nmap/nmap-service-probes

  • Thanks @paal527569 I think you're right. Seems odd the probes are getting their own log files though. I guess there must be something installed on the server which is logging this stuff. – Stiofán Jul 05 '21 at 16:55
  • @Stiofán do you have anything listening on port 3632? – user253751 Jul 07 '21 at 09:03
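The answer points at nmap-service-probes, and the directory names in the question are recognisable as probe payloads: the long DIST…DOTI string is a distcc compile request (distcc's wire protocol is a sequence of four-letter tokens, each followed by an eight-hex-digit value, with ARGV and DOTI carrying that many payload bytes), which is why the last comment asks about port 3632, distcc's default port. The script below is an added example, not code from the post or from nmap; it decodes such a string into the argv the scanner sent, flags the other fixed strings quoted in the question, and scans a directory listing for such names. The function names, the `PROBE_MARKERS` set (built from the strings in the post, not from nmap-service-probes) and the sample names are assumptions made for the example.

```python
import os
import re

# Fixed strings quoted in the question that the answer attributes to nmap
# service probes. Constructed from the post for this example, not taken from
# nmap-service-probes itself.
PROBE_MARKERS = {"Nmap", "get_info"}

# distcc request format: 4-letter token, 8 hex digits; ARGV and DOTI are
# followed by that many payload bytes (DIST = protocol version, ARGC = count).
TOKEN_RE = re.compile(r"([A-Z]{4})([0-9A-Fa-f]{8})")


def decode_distcc(s):
    """Parse a distcc request such as the DIST...DOTI string in the question.

    Returns a dict with the protocol version, argc, argv and source length,
    or None when the string is not a well-formed distcc request.
    """
    if not s.startswith("DIST"):
        return None
    result = {"version": None, "argc": None, "argv": [], "source_len": None}
    pos = 0
    while pos < len(s):
        m = TOKEN_RE.match(s, pos)
        if not m:
            return None
        token, value = m.group(1), int(m.group(2), 16)
        pos = m.end()
        if token == "DIST":
            result["version"] = value
        elif token == "ARGC":
            result["argc"] = value
        elif token == "ARGV":
            if pos + value > len(s):
                return None  # payload shorter than its declared length
            result["argv"].append(s[pos:pos + value])
            pos += value
        elif token == "DOTI":
            if pos + value > len(s):
                return None
            result["source_len"] = value
            pos += value  # skip the preprocessed source body, if any
        else:
            return None  # not a token a distcc request would contain
    if result["argc"] is not None and result["argc"] != len(result["argv"]):
        return None  # ARGC disagrees with the number of ARGV tokens
    return result


def classify(name):
    """Explain why a /var/log entry name looks like a scanner payload, or None."""
    request = decode_distcc(name)
    if request is not None:
        return "distcc request: " + " ".join(request["argv"])
    if name in PROBE_MARKERS:
        return "matches a probe string quoted in the post"
    return None


def scan_names(names, allowlist=()):
    """Return (name, reason) for every entry that classify() flags."""
    hits = []
    for name in names:
        if name in allowlist:
            continue
        reason = classify(name)
        if reason:
            hits.append((name, reason))
    return hits


def scan_directory(path="/var/log"):
    """Apply scan_names() to the entries of a real directory."""
    return scan_names(sorted(os.listdir(path)))


if __name__ == "__main__":
    for name, reason in scan_directory():
        print(f"{name!r}: {reason}")
```

Running `scan_directory()` on the affected host lists the entries that decode as scanner traffic; for the string in the question it reports the compile request `cc -c nmap.c -o nmap.o`, which is the payload of a service probe rather than anything a local user ran. A hit says what was sent, not what received it, so the next step is the one the comments already give: check what is listening (netstat -tulpn) and find the process that creates directories under /var/log.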