How do I tell where these executables are? And when I find them, how do I run strings on them?
Find one of the processes that's still alive and do "ls -l /proc/<pid>". That will give you some info about it. The exe entry should be a link to the executable itself.
Well, I get:
ls -l /proc/6446
total 0
dr-xr-xr-x 2 hotmail hotmail 0 Feb 5 03:40 attr
-r-------- 1 hotmail hotmail 0 Feb 5 03:40 auxv
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 cmdline
lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 cwd -> /dev/shm/.. /nt
-r-------- 1 hotmail hotmail 0 Feb 5 03:40 environ
lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 exe -> /dev/shm/.. /nt/f
dr-x------ 2 hotmail hotmail 0 Feb 5 03:39 fd
-rw-r--r-- 1 hotmail hotmail 0 Feb 5 03:40 loginuid
-r-------- 1 hotmail hotmail 0 Feb 5 03:40 maps
-rw------- 1 hotmail hotmail 0 Feb 5 03:40 mem
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:40 mounts
lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 root -> /
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 stat
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 statm
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 status
dr-xr-xr-x 3 hotmail hotmail 0 Feb 5 03:40 task
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:40 wchan
Here's an ls -al on /dev/shm:
ls -al /dev/shm
total 0
drwxrwxrwt 3 root root 60 Feb 2 19:27 .
drwxr-xr-x 8 root root 5700 Jan 18 09:26 ..
drwxr-xr-x 3 hotmail hotmail 80 Feb 2 19:28 ..
Sorry for my ignorance, but I'm still not finding the executable. Guess I don't understand the symlink.
Also, does this mean that I was compromised on Feb 2?
Thanks, James
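Added illustration, not part of the thread: a Python triage helper for the procedure discussed above (read the /proc/<pid>/exe link, preserve the image through that link, then do the strings step), run against a constructed fake /proc tree that mirrors the listing. Note that the exe target /dev/shm/.. /nt/f appears to contain a directory named ".." followed by a space, which is why it looks like the parent directory in the ls -al output; all function names and the sample bytes are this example's own.

```python
import os
import re
import shutil
import tempfile
SCRATCH_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")  # world-writable, commonly tmpfs

def resolve_exe(pid, root=""):
    """Target of /proc/<pid>/exe, or None if the process is gone or not readable."""
    try:
        return os.readlink("%s/proc/%s/exe" % (root, pid))
    except OSError:
        return None

def suspicion_reasons(exe):
    """Why a running image deserves a look (each check is independent)."""
    reasons = []
    if exe is None:
        return reasons
    if exe.startswith(SCRATCH_DIRS):
        reasons.append("runs from scratch/tmpfs directory")
    if exe.endswith(" (deleted)"):  # kernel marks images unlinked after exec
        reasons.append("binary deleted from disk")
    if any(part != part.strip() for part in exe.split("/")):  # e.g. '.. '
        reasons.append("path component with leading/trailing whitespace")
    return reasons

def preserve_and_strings(pid, outdir, root="", minlen=4):
    """Copy the image via the exe link (works even if it was unlinked) and do `strings`."""
    dst = os.path.join(outdir, "pid%s.bin" % pid)
    shutil.copyfile("%s/proc/%s/exe" % (root, pid), dst)
    with open(dst, "rb") as f:
        found = re.findall(rb"[\x20-\x7e]{%d,}" % minlen, f.read())
    return dst, [s.decode("ascii") for s in found]

def build_fixture():
    """Constructed fake /proc tree mirroring the listing: exe -> <root>/dev/shm/.. /nt/f."""
    root = tempfile.mkdtemp()
    hidden = os.path.join(root, "dev", "shm", ".. ", "nt")  # '.. ' with a trailing space
    os.makedirs(hidden)
    exe = os.path.join(hidden, "f")
    with open(exe, "wb") as f:  # constructed sample bytes, not a real ELF
        f.write(b"\x7fELF\x00\x00constructed-sample-binary\x00/usr/sbin/nothing\x00")
    os.makedirs(os.path.join(root, "proc", "6446"))
    os.symlink(exe, os.path.join(root, "proc", "6446", "exe"))
    return root

if __name__ == "__main__":
    root = build_fixture()
    print(repr(resolve_exe(6446, root)), preserve_and_strings(6446, root, root))
```

On a real box call resolve_exe(pid) with the default root and print the result with repr() so a trailing space becomes visible; copying through /proc/<pid>/exe also preserves the image if the file on disk has already been removed.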