modem connection


Post by Kenneth Johans » Tue, 03 Dec 1996 04:00:00



If this is the wrong group, I'm sorry.
else
please read on.

Yesterday something strange happened to me.
As a student at the local university I have an account
at the university computer center which I can connect to with my home
computer. So last night when I rang up with my modem I suddenly see that
my computer starts working really hard (I'm thinking huh??? what the F**K
is going on here???) so what do I do?? Well, trying to figure out what
is happening I start a "top" process and lo and behold, what do I see??
I see a user with the username "nobody" has started a "find" process on
my computer!!! What the hell??? After having stared at it for a few
seconds (not believing my own eyes) I finally manage to collect my
thoughts and turn off the modem, but the process had already been running
for a little while so I have no idea how much of the HD the process had
already scanned.

Now then, as I am not all too familiar with the "find" process, I kinda
wondered, will a person be able to actually download a file from my computer
using "find" or is he only able to scan my HD?
Also who can do something like this?? I mean can everybody with access to
the same computer as I start a process on somebody's home computer when they
try to log on? Or will it have to be someone with root access??
It also looked as it was some kind of script as it started at once when I
got contact with the university computer.

Anyone have any thoughts on this one??
I'd really appreciate anything you have to say.

kenneth johansen

 
 
 


Post by Sean A. Walbe » Tue, 03 Dec 1996 04:00:00


Running a webserver by any chance?  If so, check your access_log for
references to cgi-bin, as this person could have been doing a cgi
based attack on you (since the process was UID nobody).

If you do a "man find" you will find (no pun intended ;-) ) that find
just searches for files matching a certain description.

Sean



>yesterday something strange happened to me.
>As a student at the local university I have an account
>at the university computer center which I can connect to with my home
>computer. So last night when I rang up with my modem I suddenly see that
>my computer starts working really hard (I'm thinking huh??? what the F**K
>is going on here???)so what do I do?? well trying to figure out what
>is happening I start a "top" process and lo and behold, what do I see??
>I see a user with the username "nobody" has started a "find" process on
>my computer !!! what the hell??? After having stared at it for a few
>seconds (not believing my own eyes) I finally manage to collect my
>thoughts and turn off the modem, but the process had already been running
>for a little while so I have no idea how much of the HD the process had
>already scanned.
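
An added illustration of the access_log check suggested in the reply above (not part of any poster's message): a Python script that lists the cgi-bin requests logged in the minutes before the unexpected process was noticed. It assumes Common Log Format; the log lines, addresses, script name and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def cgi_hits_before(lines, observed, window_minutes=10):
    """Return (time, client, path, status) for every cgi-bin request logged
    in the window_minutes leading up to `observed` (a timezone-aware datetime)."""
    start = observed - timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or "/cgi-bin/" not in m["path"]:
            continue  # unparsable line, or not a CGI request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts <= observed:
            hits.append((ts, m["host"], m["path"], int(m["status"])))
    return hits

# Constructed sample: documentation addresses, made-up script name and times
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Dec/1996:19:00:00 +0100] "GET /cgi-bin/example.cgi HTTP/1.0" 200 300',
    '192.0.2.10 - - [02/Dec/1996:21:03:11 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [02/Dec/1996:21:14:52 +0100] "GET /cgi-bin/example.cgi?q=test HTTP/1.0" 200 312',
    'this line is not in Common Log Format',
    '192.0.2.10 - - [02/Dec/1996:21:30:00 +0100] "GET /cgi-bin/example.cgi HTTP/1.0" 200 300',
]
# Constructed time at which the process was noticed in top
OBSERVED = datetime(1996, 12, 2, 21, 15, tzinfo=timezone(timedelta(hours=1)))

if __name__ == "__main__":
    for ts, client, path, status in cgi_hits_before(SAMPLE_LOG, OBSERVED):
        print(ts.isoformat(), client, status, path)
```

An empty result for the window around the event points away from the web server and toward something started locally.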


 
 
 


Post by Nir Soff » Tue, 03 Dec 1996 04:00:00



: Running a webserver by any chance?  If so, check your access_log for
: references to cgi-bin, as this person could have been doing a cgi
: based attack on you (since the process was UID nobody).

: If you do a "man find" you will find (no pun intended ;-) ) that find
: just searches for files matching a certain description.

Really? Cool! :). Try 'find / -name '*' -exec rm -f {} \;' as root and
tell me if it only finds files matching a certain description :)).

: Sean

N.

--
Quidquid latine dictum sit, altum viditur.

(Whatever is said in Latin sounds profound.)

 
 
 


Post by Nir Soff » Tue, 03 Dec 1996 04:00:00


: If this is the wrong group ,I'm sorry.
: else
: please read on.

: yesterday something strange happened to me.
: As a student at the local university I have an account
: at the university computer center which I can connect to with my home
: computer. So last night when I rang up with my modem I suddenly see that
: my computer starts working really hard (I'm thinking huh??? what the F**K
: is going on here???)so what do I do?? well trying to figure out what
: is happening I start a "top" process and lo and behold, what do I see??
: I see a user with the username "nobody" has started a "find" process on
: my computer !!! what the hell??? After having stared at it for a few
: seconds (not believing my own eyes) I finally manage to collect my
: thoughts and turn off the modem, but the process had already been running
: for a little while so I have no idea how much of the HD the process had
: already scanned.

Hmm. If it were happening to me I would have hit the reset button first
and ask questions later. :)

: Now then as I am not all too familiar with the "find" process, I kinda
: wondered, will a person be able to actually download a file from my computer
: using "find" or is he only able to scan my HD ?

He's able to do whatever the hell he wants with find: delete, change,
overwrite, read, mail to other people. man find and especially look into
the -exec part.

: Also who can do something like this ??I mean can everybody with access to
: the same computer as I start a process on somebody's home computer when they
: try to log on? or will it have to be someone with root access ??

They'd have to be pretty smart people, but before jumping to conclusions
- think what you were running, especially think what you were running as
'nobody'. Daemon processes that are unprivileged often run under this
user; it may have been something you ran yourself without knowing.

: It also looked as it was some kind of script as it started at once when I
: got contact with the university computer.

That could be it, how long have you been connected with the modem? Long
enough for someone to use the connection? Also, were you using a PPP/SLIP
connection or just some kind of terminal dialup?

: Anyone have any thoughts on this one ??
: I'd really appreciate anything you have to say.

: kenneth johansen

N.

--

http://www.cs.huji.ac.il/~scorpios/
If you got here you're either very bored or braindead.

 
 
 


Post by Patrick Lew » Wed, 04 Dec 1996 04:00:00




: : Running a webserver by any chance?  If so, check your access_log for
: : references to cgi-bin, as this person could have been doing a cgi
: : based attack on you (since the process was UID nobody).
:
: : If you do a "man find" you will find (no pun intended ;-) ) that find
: : just searches for files matching a certain description.
:
: Really? Cool! :). Try 'find / -name '*' -exec rm -f {} \;' as root and
: tell me if it only finds files matching a certain description :)).

        But, if the find process was being run UID nobody, wouldn't
        the rm fail for just about every file on the system?

        Duh!! :)

- --
__________________________________________________________

Web page: http://junior.wariat.org/~patrick


 
 
 


Post by Anthony J. Bearo » Wed, 04 Dec 1996 04:00:00


A "find" command running as UID nobody bears strong resemblance to the
"updatedb" command found on many Linux boxes.  On my box, this runs every
day at 6:42am (as defined in /etc/crontab).  I know it would be a hefty
coincidence for this to have happened at the same time as connecting with
your modem, but there's no harm in looking.


> If this is the wrong group ,I'm sorry.
> else
> please read on.

> yesterday something strange happened to me.
> As a student at the local university I have an account
> at the university computer center which I can connect to with my home
> computer. So last night when I rang up with my modem I suddenly see that
> my computer starts working really hard (I'm thinking huh??? what the F**K
> is going on here???)so what do I do?? well trying to figure out what
> is happening I start a "top" process and lo and behold, what do I see??
> I see a user with the username "nobody" has started a "find" process on
> my computer !!! what the hell??? After having stared at it for a few
> seconds (not believing my own eyes) I finally manage to collect my
> thoughts and turn off the modem, but the process had already been running
> for a little while so I have no idea how much of the HD the process had
> already scanned.

> Now then as I am not all too familiar with the "find" process, I kinda
> wondered, will a person be able to actually download a file from my computer
> using "find" or is he only able to scan my HD ?
> Also who can do something like this ??I mean can everybody with access to
> the same computer as I start a process on somebody's home computer when they
> try to log on? or will it have to be someone with root access ??
> It also looked as it was some kind of script as it started at once when I
> got contact with the university computer.

> Anyone have any thoughts on this one ??
> I'd really appreciate anything you have to say.

> kenneth johansen


Anthony J. Bearon                                      St. John's College

www: http://ben-hope.joh.cam.ac.uk/~ajb45/                        CB2 1TP

_________________________________________________________________________

                    Inter-Varsity Folk Dance Festival
                      LENT TERM FEB 28th - MAR 2nd.

_________________________________________________________________________

 
 
 


Post by Tim Brow » Wed, 04 Dec 1996 04:00:00




> : If you do a "man find" you will find (no pun intended ;-) ) that find
> : just searches for files matching a certain description.

> Really? Cool! :). Try 'find / -name '*' -exec rm -f {} \;' as root and
> tell me if it only finds files matching a certain description :)).

Maybe it does. I just tried it.

It didn't show anything, except it told me that all of my directories
were like:

rm: /etc is a directory

There must be a bug in 'find' since after running this, all of my files
had disappeared. (Weird). After I had recovered my system I ran the
command again with the -print flag, and it printed out a list of all of
my files (although the bug manifested itself again).

So, strictly speaking it *found* all the files in / and its
subdirectories which matched the following descriptions:

* The name matched any string
* rm successfully managed to remove the file. It can only tell if
  it matches the description once the file has been removed though.

It just didn't see it relevant to print them out until I put the
-print flag in.

Tim
--
Tim Brown                                  Four legs good,

City Computing Limited, City House,        three legs wobbly.
Sutton Park Road, Sutton, Surrey SM1 2AE   (George Orwell, Animal Farm)

 
 
 


Post by Dave Brou » Thu, 05 Dec 1996 04:00:00




>:
>: : If you do a "man find" you will find (no pun intended ;-) ) that find
>: : just searches for files matching a certain description.
>:
>: Really? Cool! :). Try 'find / -name '*' -exec rm -f {} \;' as root and
>: tell me if it only finds files matching a certain description :)).

>    But, if the find process was being run UID nobody, wouldn't
>    the rm fail for just about every file on the system?

I think that point was to say that find can do a hell of a lot more than

>    Duh!! :)

Duh!! to you too.

--


homepage:               http://leeks.sl.pitt.edu/~dave/
Computer Science Student and 21st Century Digital Boy

 
 
 


Post by Bruce Barnet » Fri, 06 Dec 1996 04:00:00



> There must be a bug in 'find' since after running this, all of my files
> had disappeared. (Weird). After I had recovered my system I ran the
> command again with the -print flag, and it printed out a list of all of
> my files (although the bug manifested itself again).

I hope you are joking...

--

 
 
 


Post by Glen » Fri, 06 Dec 1996 04:00:00


 ::snip, snip::

>is going on here???)so what do I do?? well trying to figure out what
>is happening I start a "top" process and lo and behold, what do I see??
>I see a user with the username "nobody" has started a "find" process on
>my computer !!! what the hell??? After having stared at it for a few
>seconds (not believing my own eyes) I finally manage to collect my
>Anyone have any thoughts on this one ??
>I'd really appreciate anything you have to say.
>kenneth johansen


Something like this happened to me on my Linux box a while back.  I
had logged on around 06:45 one morning before work to check my email,
and suddenly my HD goes nuts and I see a "find" had kicked off.  I had
your exact reaction.  A few weeks later it happened again and I
explored further, only to discover the culprit was a cron job,
updatedb, automatically installed during setup.  Duh!  

-G
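
An added illustration of the cron check described in the two updatedb replies above (not part of any poster's message): a Python script that lists which entries of a system crontab fired in the minutes before a process was noticed. It assumes the /etc/crontab layout with a user column and numeric schedule fields only; the sample crontab is constructed around the 06:42 time quoted in the thread.

```python
from datetime import datetime, timedelta

def field_matches(spec, value, lo, hi):
    """Match one numeric crontab field: '*', 'a', 'a-b', 'a,b', '*/n', 'a-b/n'."""
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = end = int(rng)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False

def entry_runs_at(fields, when):
    minute, hour, dom, month, dow = fields
    cron_dow = (when.weekday() + 1) % 7  # cron counts Sunday as 0 (and also 7)
    dow_ok = field_matches(dow, cron_dow, 0, 7) or (
        cron_dow == 0 and field_matches(dow, 7, 0, 7))
    dom_ok = field_matches(dom, when.day, 1, 31)
    # cron ORs day-of-month and day-of-week when both are restricted
    day_ok = (dom_ok or dow_ok) if "*" not in (dom, dow) else (dom_ok and dow_ok)
    time_ok = field_matches(minute, when.minute, 0, 59) and field_matches(hour, when.hour, 0, 23)
    return time_ok and field_matches(month, when.month, 1, 12) and day_ok

def jobs_started_before(crontab_text, observed, minutes=5):
    """List (start, user, command) for entries that fired in the `minutes` up to `observed`."""
    base, hits = observed.replace(second=0, microsecond=0), []
    for line in crontab_text.splitlines():
        parts = line.strip().split(None, 6)
        # Skip blanks, comments, VAR=value lines and @daily-style shortcuts
        if len(parts) < 7 or parts[0][0] in "#@" or "=" in parts[0]:
            continue
        *fields, user, command = parts
        for back in range(minutes + 1):
            if entry_runs_at(fields, base - timedelta(minutes=back)):
                hits.append((base - timedelta(minutes=back), user, command))
    return hits

# Constructed sample in /etc/crontab layout; 06:42 is the time quoted in the thread
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
42 6 * * *   nobody  updatedb
0 3 * * 0    root    /usr/local/sbin/rotate-logs
"""
print(jobs_started_before(SAMPLE_CRONTAB, datetime(1996, 12, 5, 6, 45)))
```

If the entry that matches is a wrapper such as run-parts over a directory of daily scripts, the scripts in that directory are the next place to look.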

 
 
 


Post by Tim Brow » Thu, 12 Dec 1996 04:00:00




> > There must be a bug in 'find' since after running this, all of my files
> > had disappeared. (Weird). After I had recovered my system I ran the
> > command again with the -print flag, and it printed out a list of all of
> > my files (although the bug manifested itself again).

> I hope you are joking...

I was. It might keep those recruitment spammers off my back though!
But for you regular viewers:
GUYS I WAS ONLY JOKING. I'M NOT (completely) INCOMPETENT.

Oh I should have said - don't try this at home kids. I am a
professional systems administrator, and I never do these stunts
without a backup tape and safety harness. :-)

Seriously, though, I'm always a little scared when I set find up in
cron or something to do things like clean up my man page cat files
and other such necessary and routine jobs. I never have confidence
I've typed in the correct command until I see the system working the
next day.  :-{
--
Tim Brown                                  Four legs good,

City Computing Limited, City House,        three legs wobbly.
Sutton Park Road, Sutton, Surrey SM1 2AE   (George Orwell, Animal Farm)