[nycphp-talk] Magic is Illusion?!?

leam leam at reuel.net
Fri Feb 27 14:10:32 EST 2004


Don't have access to any BSD boxes at the moment, but here are my
thoughts.

Big files, and I think "nobody" is the default user for NFS shared
filesystems. Is the box an NFS server?

/var/tmp is usually used by various applications to store stuff, but
usually they clean up after themselves. Did the box have any problems
around that date/time? Maybe a core dump?

I wouldn't think it's an attack, more a miscreant application or system
burp. I must confess to not being the most knowledgeable on such things
though.

Two avenues of investigation. Run "strings" on the files and see what
comes up. Or look for other files of that same size on the machine.

ciao!

leam

> Odd question, possibly OT but the answer should determine that.
> 
> Anyone out there run into files like these?
> 
> -rwxr-xr-x  1 nobody  wheel  582254592 Jan 19 13:09 magicp8vAAg
> -rwxr-xr-x  1 nobody  wheel  582254592 Jan 19 13:09 magicwcYIKc
> 
> Found these bad boys in /var/tmp/ on a FreeBSD box.  Not sure they are a
> PHP (or an extension's) tmp file or what.  Google, PHP source, and log
> files haven't shed any light on this as of yet.
> 
> Could this indicate an attack of some kind?  Any thoughts are welcome.
> 
> -dan
> 
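The two checks suggested in the reply above (run strings on the files, and look for other files of the same size on the box) as a small triage script. This is an added example, not code from the thread or from any of the posters. The paths and sizes are assumptions; on the real box you would point it at /var/tmp/magicp8vAAg. It deliberately never executes the files (they are mode 0755 and owned by nobody), only reads them, and adds a third check: whether the two same-size, same-timestamp files are byte-for-byte identical.

```shell
#!/bin/sh
# Added triage helpers for unexplained large files in /var/tmp.
# Not from the original thread; file names below are assumptions.
# Usage on the real box (does not execute the suspect file):
#   . ./triage.sh
#   same_size_files /var/tmp/magicp8vAAg /
#   head_strings    /var/tmp/magicp8vAAg 40
#   sniff_header    /var/tmp/magicp8vAAg
#   identical_files /var/tmp/magicp8vAAg /var/tmp/magicwcYIKc && echo same
export LC_ALL=C   # byte-wise tr/grep, no locale surprises on binary data

# List every regular file under ROOT (default /) with exactly the same
# byte size as FILE. -size Nc is an exact byte count on GNU and BSD find;
# -xdev keeps the walk off NFS and other mounts.
same_size_files() {
    file="$1"; root="${2:-/}"
    size=$(wc -c < "$file" | tr -d ' ')
    find "$root" -xdev -type f -size "${size}c" 2>/dev/null
}

# First N printable strings of 8+ characters. Format markers and program
# names usually show up early, so there is no need to page through 580MB.
# Falls back to tr/grep where binutils strings(1) is not installed.
head_strings() {
    file="$1"; n="${2:-40}"
    if command -v strings >/dev/null 2>&1; then
        strings -n 8 "$file" | head -n "$n"
    else
        tr -c '[:print:]' '\n' < "$file" | grep -E '^.{8,}' | head -n "$n"
    fi
}

# The first 16 bytes as hex on one line: enough to recognise an ELF
# binary (7f 45 4c 46), a gzip stream (1f 8b), a core file, or plain text.
sniff_header() {
    od -A n -t x1 -N 16 "$1" | tr -s ' \n' ' '
}

# Exit 0 if the two files are byte-for-byte identical. Two files of the
# same size and timestamp that are also identical points at one writer
# producing two copies rather than two unrelated events.
identical_files() {
    cmp -s "$1" "$2"
}
```

Same-size matches outside /var/tmp (for example under a package's data directory or a database dump path) tell you which application writes files of that size; an all-zero header from sniff_header suggests a sparse or preallocated file rather than a dumped process image.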
