3

I am running Fedora 20, and today I found a file that looks highly suspicious in my home directory. The name of the file appears to be a base64 encoded string, but doesn't decode to anything meaningful:

n5LJFcZz+8slfpALAFzHk8msAh9vsDCiYwKvzw8uAirPE00Jq9HqTSvlT9ChhjZtA==

The contents of the file are here:

http://pastebin.com/6Ba6zZem

Any idea on what I am looking at? I am going to run rkhunter on my machine, is there anything else I should do?

update: The file is owned by my username, which is the only user on this machine:

$ stat n5LJFcZz+8slfpALAFzHk8msAh9vsDCiYwKvzw8uAirPE00Jq9HqTSvlT9ChhjZtA==
  File: ‘n5LJFcZz+8slfpALAFzHk8msAh9vsDCiYwKvzw8uAirPE00Jq9HqTSvlT9ChhjZtA==’
  Size: 888             Blocks: 8          IO Block: 4096   regular file
Device: fd05h/64773d    Inode: 3021277     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/mvandemar)   Gid: ( 1000/mvandemar)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2014-07-23 12:51:37.316782678 -0400
Modify: 2014-05-28 18:25:21.362568805 -0400
Change: 2014-05-28 18:25:21.364568810 -0400
 Birth: -

I have no idea what I was doing 2 months ago at that time. lsof had no output at all. sshd is not running on my machine (nor do I see any ssh logins via last), although I do see this command via htop:

/usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "cinnamon-session-cinnamon"

Not sure what else I should look for.

  • If I would try to hack you, I definitely would not place strange files directly in your home directory. It looks more like you accidentally ran some weird command, for example by a middle click pasting some text into your shell. - Maybe the timestamp of the file could give you a hint when it was created. Also have a look at the output of history. Maybe you can spot the responsible command. – michas Jul 23 '14 at 17:17
  • File metadata might be the key. What's the file ownership? What are its permissions? When was it created? Are there any suspicious processes running that might have created it? Can you remember what you were doing when it was created? Any logs at this time? What about last? – John WH Smith Jul 23 '14 at 17:18
  • Running an ls -la will tell you who the owner is and permissions – ryekayo Jul 23 '14 at 17:20
  • Looks like really really short encryption keys. I'd say check who owns the files and see what processes run under that user. Checking SSH logs or seeing if any HTTPD services run in that directory is a good place to start as well. Time stamps should be helpful in finding what activity was going on at the time. That being said, if you own the file it might just be a bad pipe or unexpected write. (edit due to premature save) – Roman K. Jul 23 '14 at 17:20
  • That filename seems to be a base64 encoded string. You probably tried something with base64 and forgot about it. How the file got filled with those lines remains a mystery. – Valentin Bajrami Jul 23 '14 at 18:27
  • If you want to check your machine for compromise, the next step would be to boot from trusted media (e.g., a rescue CD) and search for weird files, compare checksums vs. known-good ones, etc. Since you're doing this using the kernel, binaries, etc. from the known-good media, you'll bypass any rootkit present. (In theory, it's possible to compromise the BIOS, or even lower-level stuff, but... that's probably just the NSA. And they probably didn't leave a random file in your home dir.) – derobert Jul 23 '14 at 20:46

2 Answers

2

It is extremely improbable that this represents a security breach. A badly-implemented malware would use a dot file for a modicum of stealth. A better-implemented malware would hide itself by patching the kernel so that no file would ever appear.

The mundane explanation is that you accidentally pasted a line containing the character > followed by this text in a terminal. This caused the shell running in that terminal to create the file, since > followed by a file name is an output redirection. If there was anything else on the line, or if there were other lines, the shell probably complained of numerous syntax errors, in an incident which you've forgotten after all these months.

The name of the file is encoded in Base64. It's the last part of a block (given the = at the end) whose beginning is missing. There were probably multiple lines of base64-encoded data, with > at the beginning of a line as a continuation or quoting character.

You can look at the content of the file, it might give you a clue as to what you pasted. It's unlikely to be important though. Just delete that file.
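The two claims in this answer (a line starting with > creates a file when pasted into a shell, and the name is the tail end of a base64 block) can both be checked. The script below is an added example, not code from the answer or the question: it replays a constructed two-line "paste" in a fresh sh inside a temporary directory, counts the complaints the shell produces, and tests the filename's length. A complete padded base64 block is always a multiple of 4 characters long; the 67-character name fails that test, which proves the block is incomplete (a block cut exactly on a 4-character boundary would pass it, so the test only ever proves truncation, never completeness).

```shell
#!/bin/sh
# Added example, not from the original answer: reproduce the accidental
# creation of the file and show why its name does not decode as base64.

# The real filename from the question.
NAME='n5LJFcZz+8slfpALAFzHk8msAh9vsDCiYwKvzw8uAirPE00Jq9HqTSvlT9ChhjZtA=='

# Feed a constructed "pasted" block to a fresh shell, the way a terminal does
# when text is dropped into it. The first line is not a command and makes the
# shell complain; the second line starts with '>', so the shell treats it as an
# output redirection and creates an empty file named after the rest of the
# line. Prints the temporary directory used so the caller can inspect it.
replay_paste() {
  dir=$(mktemp -d)
  pasted="some quoted text that is not a command
> $NAME"
  ( cd "$dir" && sh -c "$pasted" 2>"$dir/.errors" )
  echo "$dir"
}

# Number of error lines the shell emitted while "running" the paste.
error_count() {
  wc -l < "$1/.errors" | tr -d ' '
}

# A complete, padded base64 block has a length that is a multiple of 4.
# Any other length means the front of the block is missing, so decoding
# yields garbage or an "invalid input" error.
base64_name_status() {
  len=${#1}
  if [ $((len % 4)) -eq 0 ]; then
    echo complete
  else
    echo truncated
  fi
}

# Stand-alone run: show the created file, the shell's complaints and the verdict.
if [ "${0##*/}" != "sh" ] && [ -z "$GR_TEST" ]; then
  d=$(replay_paste)
  ls -l "$d"
  printf 'shell errors: %s\n' "$(error_count "$d")"
  printf 'name length %s -> %s\n' "${#NAME}" "$(base64_name_status "$NAME")"
  rm -rf "$d"
fi
```

Running it shows an empty file with exactly that name appearing in the temporary directory, one "not found" complaint from the shell, and "truncated" for the 67-character name. The stat output in the question shows 888 bytes rather than 0, so in the real incident something else on the pasted lines supplied content, which is why the answer suggests reading the file for clues.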

-1

You can try to find out what process is creating the file with the lsof command:

lsof n5LJFcZz+8slfpALAFzHk8msAh9vsDCiYwKvzw8uAirPE00Jq9HqTSvlT9ChhjZtA==

A more powerful tool is inotify which can monitor directories for the creation of specific files.

Take a look at Determine which process is creating a file for more info.

  • lsof shows no output at all. – Michael VanDeMar Jul 23 '14 at 18:06
  • I should have mentioned that it only shows currently opened files and what process they belong to. You should probably try inotify instead. More than likely it is a process that is creating the file that you don't know about, not a hacker. Try deleting it and see if it's recreated. – Robert Gomez Jul 23 '14 at 19:30
  • The process that created the file would have to still have it open after all these months. These commands aren't going to be useful here. @MichaelVanDeMar – Gilles 'SO- stop being evil' Jul 23 '14 at 23:16
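As the comments note, lsof only helps while the creating process still has the file open, and inotify only helps if the file is written again. The practical test suggested in the comments, delete the file and see whether it comes back, can be scripted. The following is an added example, not code from the answer or its commenters: it removes the file, polls the directory for a while, and only if the file reappears tries lsof or fuser to name a process still holding it. It is plain POSIX sh; inotifywait from inotify-tools is the event-driven alternative but is not assumed to be installed. The background subshell in demo is a constructed stand-in for an unknown process that rewrites the file.

```shell
#!/bin/sh
# Added example, not from the original answer: delete a suspicious file and
# watch whether something recreates it, then try to identify the writer.

# Remove $dir/$name, then poll for up to $timeout seconds. Prints "recreated"
# or "not-recreated" so callers can branch on the verdict.
watch_for_recreation() {
  dir=$1 name=$2 timeout=${3:-10}
  rm -f -- "$dir/$name"
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if [ -e "$dir/$name" ]; then
      echo recreated
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  echo not-recreated
}

# Once the file is back, the writer may still hold it open; that is the only
# situation in which lsof (or fuser) can name the process. Both are optional.
report_writer() {
  path=$1
  if command -v lsof >/dev/null 2>&1; then
    lsof "$path"
  elif command -v fuser >/dev/null 2>&1; then
    fuser -v "$path"
  else
    echo "neither lsof nor fuser available"
  fi
}

# Self-contained demonstration in a temporary directory. The background
# subshell is a constructed stand-in for an unknown process that rewrites the
# file shortly after it disappears. Prints the verdict.
demo() {
  dir=$(mktemp -d)
  name='n5LJFcZz+8slfpALAFzHk8msAh9vsDCiYwKvzw8uAirPE00Jq9HqTSvlT9ChhjZtA=='
  : > "$dir/$name"
  ( sleep 1; echo data > "$dir/$name" ) &
  verdict=$(watch_for_recreation "$dir" "$name" 5)
  wait
  if [ "$verdict" = recreated ]; then
    report_writer "$dir/$name" >/dev/null 2>&1
  fi
  rm -rf -- "$dir"
  echo "$verdict"
}

# Stand-alone run.
if [ -z "$GR_TEST" ]; then
  demo
fi
```

To use it on the real file, call watch_for_recreation "$HOME" 'n5LJ…ZtA==' 300 and, if it prints recreated, run report_writer on the path straight away; a process that opens, writes and closes the file in one go will not show up in lsof, which is where inotifywait -e create on the directory becomes the better tool.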