# Strange files after installworld



## max21 (Jan 19, 2017)

I just completed installkernel and installworld.  This is a FreeBSD 11.0-p7 VirtualBox guest.  So I decided to look in var/tmp and tmp to make sure that the tmproot directory was removed.  It was, but I found these two files inside the tmp slice.  I have never seen this before in any previous version of FreeBSD.  Would anyone know what these files are for?  Is this something new for FreeBSD-11, or do they show up in previous versions that I missed, such as 10.3?  Are they harmful?

```
ecp.DZrsP4xa
ecp.yuIHZQZU
```

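The question above is what two unknown files in /tmp are and whether they are harmful. The script below is an added example, not code from the original thread or from FreeBSD: it triages every regular file in a directory without executing anything, classifying each by its leading bytes (an ELF header, text, text with embedded NUL bytes, or empty) and printing the usual `ls -l` metadata next to it. The sample files it writes into a `mktemp` directory are constructed for the demo and are not the real `ecp.*` files; the class names `elf`, `binary`, `text` and `empty` are my own labels.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD.
# Triage unknown files in a temp directory without executing them:
# classify each by its leading bytes and show owner, mode and mtime.
# The sample files written below are constructed for this demo.

# First four bytes of a file as lowercase hex, e.g. 7f454c46 for an ELF header.
magic4() {
  dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Number of NUL (0x00) bytes among the first 512 bytes of a file.
nul_count() {
  total=$(dd if="$1" bs=512 count=1 2>/dev/null | wc -c | tr -d ' ')
  non_nul=$(dd if="$1" bs=512 count=1 2>/dev/null | LC_ALL=C tr -d '\000' | wc -c | tr -d ' ')
  echo $((total - non_nul))
}

# Classify one file: elf | empty | binary | text (labels are my own).
classify_file() {
  f=$1
  if [ ! -s "$f" ]; then
    echo empty
    return 0
  fi
  if [ "$(magic4 "$f")" = 7f454c46 ]; then
    echo elf
  elif [ "$(nul_count "$f")" -gt 0 ]; then
    echo binary    # printable text followed by NULs, like a hand-copied dump
  else
    echo text
  fi
}

# List every regular file in a directory with its class and ls -l metadata.
# Files are only read, never executed or modified.
triage_dir() {
  dir=$1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    printf '%-7s %s\n' "$(classify_file "$f")" "$(ls -ld "$f")"
  done
}

# Demo on constructed samples (not the files from the thread).
demo=$(mktemp -d "${TMPDIR:-/tmp}/triage.XXXXXX")
printf 'Jan 19 09:34:16 max22 login: ROOT LOGIN ON ttyv1' > "$demo/ecp.sample1"
printf '\000\000\000\000' >> "$demo/ecp.sample1"        # NUL padding after a log line
printf '\177ELF\002\001\001\000' > "$demo/ecp.sample2"   # start of an ELF64 header
printf 'hello\n' > "$demo/notes.txt"
: > "$demo/empty"
triage_dir "$demo"
rm -rf "$demo"
```

Classification only says what a file looks like, not whether it is malicious. On FreeBSD, pair it with `file(1)` for a fuller identification, `fstat` to see whether any running process still holds the file open, and `ls -lo` to see file flags, and compare the result against a known-good install before deleting anything.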

----------



## max21 (Jan 19, 2017)

Somebody somewhere is personally trying to destroy the FreeBSD experience.  I don't fear lions, tigers or bears; I just want to know how far they can go.

This has been going on since November 24, 2016, and he finally got me _near-completely_ last week.  The _best thing of all_ is that it ALL happened before my very eyes in the wee hours of the morning while I was fighting sleep, and I watched every step, _this time_.  It’s all in bytes and cyber-space on somebody's machine out there.

How he got in I may never know, but one thing is for sure: he sorted furiously through my Windows Task Manager as I was watching (lines switching up and down) … then he immediately turned off my third-party firewall … Then KA-_POW_-wee, I guess.  I did not even know the consequences until I shut down everything and rebooted the machine.  Other than that, everything was running perfectly.  I know, because I checked all running VMs and the HOST, risking the fact that a man/chick was aboard … I had seen part of this before but had shut down just in time.  So that is how they linger and watch you do your banking and steal your passwords.  Because after reboot you would think your MBR or HDD was completely corrupted, especially when all DUAL-BOOT partitions show the same WORM.  I certainly did, then I remembered what ARCH was there for.  The strangest thing was, I could not use the ARCH CD to even wipe a partition, but the one on the same hard drive took care of everything.  I RECOVERED!  Go figure.

And this was not the first time.  I guess since I have nothing personal in Windows-XP and was not checking my BALANCE, he figured *I’ll just buck him up* to delay my advancement(s).  This person wants to see me fail.  I take it personally.

I only use Windows to surf, with 60-99 open windows in portable Operas.  So I thought, if you are going to screw something, let Windows take the grunt.  That VM has always survived since 2008.  I’m so happy to have witnessed this, and I can proudly say, PLEASE come again.  No more starting over for me now that you have shown me the light: *how far can your virus go … Evidently, not too far here*.  I am going to keep what I got, and some day soon I will find the rest of that disabled virus/worm within the VirtualBox install with your name on it, if not below!  I wish to accommodate you.  Maybe this will help you try again … I never update my FreeBSD hosting desktop.

From there, I’m going to sail the seven seas of cyber-space until I find you.  I will then turn you over to the FreeBSD authority and the NSA.  The trade-off will be *they will lock you up in a jail in my neighborhood* where I can visit you, quite often, like BUSH did … but that was nothing more than a family feud.

For those who know me and my setup, I found this in ALL three FreeBSD primaries, while trying to recover … at boot (ada0s1a, ada0s2a, ada0s3a).  But he could not touch the 2 GB ARCH & SWAP partition which I use for recovery in case of a disaster like this.  After all these years it really paid off.  I did not even have to use one of my other backup HDDs.  ARCH helped me do it all from within (backups) on the same HDD.

And more good news!  He could not TOUCH any of my 21 DOS and NTFS partitions, whatsoever.  And to put the icing on the cake: he could not touch my so-called extended partitions for FreeBSD (ada0s2d-ada0s2h and ada0s3d-ada0s3h) where I put my jails and such.  All I had to replace was ada0s1, ada0s2a and ada0s3a.

So this proves that if they hack FreeBSD hosting VirtualBox, it is most likely through a Windows guest, and not a well-configured Linux or FreeBSD guest.  But I’m going to give my Windows-XP many more chances to exist.  He’s my best Windows ever … he BUSTED your game.  The question is, did it leak into my spanking brand-new vBOX FreeBSD install and then buildworld?  I did not check until after buildworld.  I never thought to do that before.  I’m glad I did.

Thank you for showing me how FAR the best of any hacker can go, especially on my HDD.  IMO you blew the show for all the hackers around the world who tangle with my FreeBSD.

If this makes any sense, then at least we all got a clue!  It would be foolish for me not to say anything.
. . . . . . . .
. . . . . . . .
OK, I rebooted this spanking brand-new FreeBSD-11.0_p7 VM after buildworld.  Something told me to check the tmp directories, and this is what I found.  QUESTION: how far can this go, and how did Linux get into the buildworld picture?  I use no make.conf.  So evidently, the worm is still in VirtualBox on MY host, not yours.  I typed this out by hand before I lost them as executable files after I moved them.

```
ee /tmp/ecp.DZrsP4xa
Jan 19 09:34:16 max22 login: ROOT LOGIN ON ttyv1^@^@^@^@^@^@^@^@^@^@^@0^^A^@^@^@ ^D^@
^@^@^@^@^@^R^@^K^@^T^@^@^@^@^D^@^@^@^@^@^@^R^@^K^@^@linux32_rt_si^@^@^@`^@
^@^K^@^@^@^P^@^@^@oA^@^o^B^@^@^@o^A^@^@^@^@^@^@^@^@^@
```

The other one starts with the word ELF, then a bunch of @, but when I copied it to quarantine it elsewhere, it did not open under the FreeBSD VM.  So I copied it to USB, then to the Windows VM, and under Notepad it expanded to a full-blown executable file.  So this one may do the same.  Don’t play with it unless you know what’s what.  Here is the name.

```
ecp.yuIHZQZU
```

Now to the nitty-gritty: a week ago was when he got me.  All lines in all three dual-boot FreeBSDs had this mess in them.  It is too much to type them all:

```
[]^[[2~^Starting Cron.^[[2~^^[[2~^[[~[[Starting background files….
```

I also played with the hacked drive for a full day and found this buried somewhere.  Can’t remember right now:

```
[KUB<Tt@^R^Gn%]
```

Sorry for all the talk.  I just want to have a little fun as I retrace things.  BTW, is this what they call a virus signature?  Can this lead me to the hacker's crib, so as to thank him?


----------

