This is a discussion on Strange files in /var within the Linux Security forums, part of the System Security and Security Related category.
[Debian sarge]
I was poking around trying to figure out how to fix the damage from the latest Debian upgrade, and I found these two strange files:

oliver@zermelo:/var$ ls -ld to*
-rw-r--r-- 1 root root 161 Dec 13 17:07 total.costs.Dec-2004
-rw-r--r-- 1 root root 161 Dec 13 16:59 total.costs.Nov-2003

oliver@zermelo:/var$ cat total.costs.Dec-2004
# This file contains the total price to pay to your Telecompany in Dec.
# I hope that this price below isn't too expensive for you :) hehe

total cost () = 0.00

The other file is similar. Any idea what it means? Kind of has a hackerish sound to it, but chkrootkit shows nothing to speak of.

On Fri, 04 Mar 2005 17:34:08 -0600, Mike Oliver wrote:
> [Debian sarge]
>
> I was poking around trying to figure out how
> to fix the damage from the latest Debian upgrade,
> and I found these two strange files:
>
> oliver@zermelo:/var$ ls -ld to*
> -rw-r--r-- 1 root root 161 Dec 13 17:07 total.costs.Dec-2004
> -rw-r--r-- 1 root root 161 Dec 13 16:59 total.costs.Nov-2003
>
> oliver@zermelo:/var$ cat total.costs.Dec-2004
> # This file contains the total price to pay to your Telecompany in Dec.
> # I hope that this price below isn't too expensive for you :) hehe
>
> total cost () = 0.00
>
> The other file is similar. Any idea what it means? Kind of
> has a hackerish sound to it, but chkrootkit shows nothing to
> speak of.

You're running a ppp dialer, aren't you?

Jonesy
--
Marvin L Jones | jonz | W3DHJ | linux
Gunnison, Colorado | @ | Jonesy | OS/2 __
7,703' -- 2,345m | config.com | DM68mn SK

Allodoxaphobia wrote:
> On Fri, 04 Mar 2005 17:34:08 -0600, Mike Oliver wrote:
>> oliver@zermelo:/var$ cat total.costs.Dec-2004
>> # This file contains the total price to pay to your Telecompany in Dec.
>> # I hope that this price below isn't too expensive for you :) hehe
>>
>> total cost () = 0.00
>>
>> The other file is similar. Any idea what it means? Kind of
>> has a hackerish sound to it, but chkrootkit shows nothing to
>> speak of.
>
> You're running a ppp dialer, aren't you?

Oh! Not per se; I usually use a direct ethernet
DSL connection. But when I was visiting my
Mom in December I used PPPoE (still no dialer).
You think that has something to do with it?

Thanks,
Mike

Mike Oliver wrote:
> Allodoxaphobia wrote:
>
>> On Fri, 04 Mar 2005 17:34:08 -0600, Mike Oliver wrote:
>>
>>> oliver@zermelo:/var$ cat total.costs.Dec-2004
>>> # This file contains the total price to pay to your Telecompany in Dec.
>>> # I hope that this price below isn't too expensive for you :) hehe
>>>
>>> total cost () = 0.00
>>>
>>> The other file is similar. Any idea what it means? Kind of
>>> has a hackerish sound to it, but chkrootkit shows nothing to
>>> speak of.
>>
>> You're running a ppp dialer, aren't you?
>
> Oh! Not per se; I usually use a direct ethernet
> DSL connection. But when I was visiting my
> Mom in December I used PPPoE (still no dialer).
> You think that has something to do with it?

Looks like it:

zermelo:/usr/bin# grep "total.costs" pppstatus
Binary file pppstatus matches
zermelo:/usr/bin# grep Telecompany !$
grep Telecompany pppstatus
Binary file pppstatus matches

So unless the tin-eared English in pppstatus indicates a trojaned version, I guess I'm OK. I wish people wouldn't fool around like this. I was close to reinstalling because of this.

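The check from the post above, carried one step further, as an added example that is not part of the original thread: find which installed program embeds the mystery file name, then compare that program with its package's checksum manifest to settle the "trojaned version" doubt. The function names are hypothetical, and the manifest layout assumed is dpkg's `/var/lib/dpkg/info/<package>.md5sums`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# List every file under DIR that contains STRING.
# -F: literal match (the "." in total.costs is not a wildcard)
# -a: treat binaries as text, -l: print file names only
find_writers() {  # usage: find_writers STRING DIR
    grep -r -l -a -F -e "$1" -- "$2" 2>/dev/null
}

# Compare FILE with its entry in a dpkg-style md5sums manifest, whose lines
# read "<md5>  <path relative to ROOT>". Prints OK, MISMATCH or UNLISTED.
verify_file() {  # usage: verify_file FILE MANIFEST [ROOT]
    file=$1 manifest=$2 root=${3:-/}
    rel=${file#"$root"}
    rel=${rel#/}
    want=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$manifest")
    if [ -z "$want" ]; then
        echo UNLISTED
        return 2
    fi
    got=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo OK
        return 0
    fi
    echo MISMATCH
    return 1
}

# On a Debian system: name the package that owns each matching program and
# check the program against that package's manifest.
trace_origin() {  # usage: trace_origin STRING [DIR]
    find_writers "$1" "${2:-/usr/bin}" | while read -r prog; do
        pkg=$(dpkg -S "$prog" 2>/dev/null | sed 's/: .*//')
        if [ -z "$pkg" ]; then
            echo "$prog: not owned by any package"
            continue
        fi
        status=$(verify_file "$prog" "/var/lib/dpkg/info/$pkg.md5sums")
        echo "$prog: package $pkg, checksum $status"
    done
}

# Example: trace_origin 'total.costs'
```

A manifest stored on the same disk can be altered along with the binary, so when the suspicion is serious, compare against checksums taken from a copy of the package fetched on a trusted machine.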
Mike Oliver wrote:
Hi,

> So unless the tin-eared English in pppstatus indicates
> a trojaned version, I guess I'm OK. I wish people wouldn't
> fool around like this. I was close to reinstalling because
> of this.

well, in another post you mentioned that you already did. Next time you suspect that some evil hacker has placed an overview of your telco costs in your log directory, you should probably consider making some investigations as to what may have caused the system compromise - unless reinstalling is a secret hobby of yours.

--
Bye,
Oliver

Mike Oliver wrote:
> Allodoxaphobia wrote:
>> On Fri, 04 Mar 2005 17:34:08 -0600, Mike Oliver wrote:
>>> oliver@zermelo:/var$ cat total.costs.Dec-2004
>>> # This file contains the total price to pay to your Telecompany in
>>> # Dec. I hope that this price below isn't too expensive for you :)
>>> # hehe
>>>
>>> total cost () = 0.00
>>>
>>> The other file is similar. Any idea what it means? Kind of
>>> has a hackerish sound to it, but chkrootkit shows nothing to
>>> speak of.
>>
>> You're running a ppp dialer, aren't you?
>
> Oh! Not per se; I usually use a direct ethernet
> DSL connection. But when I was visiting my
> Mom in December I used PPPoE (still no dialer).
> You think that has something to do with it?
>
> Thanks,
> Mike

May you post the ls -al of /var and the full output of text contained in the files created on the same date as these 2 files, pls?

--
-- powered by linux

Oliver Battenfeld wrote:
> Mike Oliver wrote:
>
> Hi,
>
>> So unless the tin-eared English in pppstatus indicates
>> a trojaned version, I guess I'm OK. I wish people wouldn't
>> fool around like this. I was close to reinstalling because
>> of this.
>
> well, in another post you mentioned that you already did.

No. I said I reinstalled once because I thought my setup could have been compromised. That was last year some time; completely separate issue.