On 30/11/2007, <b class="gmail_sendername">B.J. McClure</b> &lt;<a href="mailto:keepertoad@verizon.net">keepertoad@verizon.net</a>&gt; wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">



  
  

<div>
Sad to say one of my file servers was exploited and used to run a Phishing scam.&nbsp; Have identified subject virus amongst other things.&nbsp; It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description.&nbsp; The latter file is also present in identical uninfected machines.&nbsp; I have been unable to open the file, even with root privileges, although it appears to be a text file.&nbsp; Any suggestions on how to proceed appreciated.&nbsp; Guess I could delete it and copy over the file from an identical machine.
</div></blockquote><div><br>Is SE Linux enabled on your system?<br>If this is an ext2/ext3 filesystem - look at &quot;lsattr&quot; and friends.<br>fuser(1) on that file and/or monitoring it using something base on inotify(7) might reveal which process has it open or uses it.
<br></div><br>Hope this gives you some useful direction.<br><br>--Amos<br><br></div>