
In the root of the ext3 file system on several of our old CentOS machines (CentOS release 5.8 (Final)) I see the following:

wtf.

I've removed some of these, but they seem to continue coming back.

Here are the timestamps

-rw-rw----   1 root   root       0 2011-12-15 01:20 .?????????????????????????????????????????????????Z]Y?+
-rw-rw----   1 root   root       0 2011-12-16 01:14 .???????????????????????????????????????????????????ֽ*
-rw-rw----   1 root   root       0 2011-12-20 01:20 .?????????????????????????????????????????????????????*
-rw-rw----   1 root   root       0 2011-12-22 01:23 .??????????????????????????????????????????????????\X?*
-rw-rw----   1 root   root       0 2011-12-26 01:20 .????????????????????????????????????????????????????]+
-rw-rw----   1 root   root       0 2012-01-01 01:16 .?????????????????????????????????????????????????*???+
-rw-rw----   1 root   root       0 2012-01-04 01:15 .?????????????????????????????????????????????????????*
-rw-rw----   1 root   root       0 2012-01-11 01:14 .???????????????????????????????????????????????????;?+
-rw-rw----   1 root   root       0 2012-01-12 01:17 .?????????????????????????????????????????????????ZF.?*
-rw-rw----   1 root   root       0 2012-02-29 01:16 .?????????????????????????????????5?;J+
-rw-rw----   1 root   root       0 2012-02-29 01:17 .???????????????????????????????????e?*
-rw-rw----   1 root   root       0 2012-03-01 01:16 .??????????????????????????????????B)Q+
-rw-rw----   1 root   root       0 2012-03-06 01:08 .??????????????????????????????????'??+
-rw-rw----   1 root   root       0 2012-03-07 01:09 .?????????????????????????????????%?F?+
-rw-rw----   1 root   root       0 2012-03-22 01:07 .?????????????????????????????????%??+
-rw-rw----   1 root   root       0 2012-04-06 01:12 .?????????????????????????????????????*
-rw-rw----   1 root   root       0 2012-05-06 01:16 ??X?7+.?????????????????u{?7+
Marco Ceppi
  • do these machines with the odd filenames have a direct connection to the internet? – Mike Pennington Jul 16 '12 at 20:27
  • @MikePennington Yes – Marco Ceppi Jul 16 '12 at 20:33
  • Can you tell me what `PermitRootLogin` is set to in `/etc/ssh/sshd_config`? – Mike Pennington Jul 16 '12 at 20:36
  • Possible duplicate of http://serverfault.com/questions/218005/my-servers-been-hacked-emergency ? :) – Aaron Copley Jul 16 '12 at 20:41
  • I don't think we're being attacked, SSH port is locked outside of our network. So I'm not worried about PermitRootLogin – Marco Ceppi Jul 16 '12 at 20:45
  • I think Janne is onto something. Try `ls -lart --time-style=long-iso` to get them sorted by time with the full timestamp (so it shows time for everything). Is it always around 01:10? The variation in time could be if it's something like a backup script that is creating the file whenever it ends. – DerfK Jul 16 '12 at 21:02
  • @DerfK I've added the output, it is certainly around the same time, only seemingly scattered on the dates. – Marco Ceppi Jul 16 '12 at 23:21

2 Answers


Those seem to appear approximately the same time at near 01:10. Could there be a buggy cron job creating those files?

Janne Pikkarainen

Hmmm. Are you running rsyslog / syslog-ng ... or any other logging daemon? I bet that it's a rule running wild. If you are using rsyslog, check the working directory and your rules.

Also, you can try with lsof and, if you are lucky, the descriptor will still be alive and you will find the corresponding app.

Nikolaidis Fotis
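Both answers above boil down to two checks: see whether the creation times cluster at one hour (which points at a scheduled job such as cron, logrotate or a backup) and see whether some process still holds a descriptor to one of the files. The script below is an added example, not code from the question or either answer. It reproduces the symptom in a scratch directory with constructed files, then lists names containing non-printable bytes with full ISO timestamps (what `ls -lart --time-style=long-iso` shows), builds a per-hour histogram, and walks `/proc/<pid>/fd` as an lsof-free equivalent of `lsof +D DIR`. It assumes a Linux host with GNU coreutils/findutils and a mounted `/proc`; run it against `/` instead of the scratch directory on the affected machines.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU find/touch and
# a mounted /proc (Linux). All file names and timestamps below are constructed.
set -eu

# Build a scratch "root" holding empty files whose names contain raw bytes,
# stamped at times taken from the question, plus one ordinary file.
make_sample_root() {
    sample=$(mktemp -d)
    touch -d '2011-12-15 01:20' "$sample/.$(printf '\001\002\003')Z]Y+"
    touch -d '2012-01-04 01:15' "$sample/.$(printf '\200\201')*"
    touch -d '2012-05-06 01:16' "$sample/$(printf '\377')X7+"
    touch -d '2012-05-06 14:30' "$sample/normal.txt"
    printf '%s\n' "$sample"
}

# Files directly under DIR whose names contain bytes outside printable ASCII,
# printed as "YYYY-MM-DD HH:MM name" (mtime, like ls --time-style=long-iso).
# LC_ALL=C makes every byte a valid character so grep does not choke on them.
list_garbage_names() {
    root=$1
    find "$root" -maxdepth 1 -type f -printf '%TY-%Tm-%Td %TH:%TM %f\n' \
        | LC_ALL=C grep -a '[^ -~]' | sort
}

count_garbage_names() {
    list_garbage_names "$1" | wc -l | tr -d ' '
}

# Histogram of the hour field: a tight cluster (here everything in hour 01)
# is the signature of a scheduled job rather than interactive activity.
hour_histogram() {
    list_garbage_names "$1" \
        | LC_ALL=C awk '{ split($2, t, ":"); h[t[1]]++ }
                        END { for (k in h) printf "%s %d\n", k, h[k] }' \
        | sort
}

# Equivalent of `lsof +D DIR` without lsof: walk /proc/<pid>/fd and report
# "pid target" for every descriptor that still points at a file under DIR.
# Descriptors of processes we may not inspect are skipped silently.
find_open_descriptors() {
    root=$1
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            "$root"/*)
                pid=${fd#/proc/}
                pid=${pid%%/*}
                printf '%s %s\n' "$pid" "$target"
                ;;
        esac
    done
}

# Stand-alone run: build the sample tree, show both checks, clean up.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_root)
    echo "suspicious files:"; list_garbage_names "$d"
    echo "by hour:";          hour_histogram "$d"
    echo "open descriptors:"; find_open_descriptors "$d"
    rm -rf "$d"
fi
```

On a real box, replace the scratch directory with `/` and compare the histogram hour with the `cron.daily` run time in `/etc/crontab` and with the scripts in `/etc/cron.d`, `/etc/cron.daily` and root's crontab; if a process shows up in the descriptor walk, its command line in `/proc/<pid>/cmdline` names the culprit directly.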