[CentOS] I appear to be attacking others
James Pifer
jep at obrien-pifer.com
Sun Feb 5 08:46:09 UTC 2006
> >
> > How do I tell where these executables are? And when I find them, how do
> > I run strings on them?
>
> Find one of the processes that's still alive and do "ls -l /proc/<pid>".
> That will give you some info about it. The exe entry should be a link to
> the executable itself.
Well, I get:
ls -l /proc/6446
total 0
dr-xr-xr-x 2 hotmail hotmail 0 Feb 5 03:40 attr
-r-------- 1 hotmail hotmail 0 Feb 5 03:40 auxv
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 cmdline
lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 cwd -> /dev/shm/.. /nt
-r-------- 1 hotmail hotmail 0 Feb 5 03:40 environ
lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 exe -> /dev/shm/.. /nt/f
dr-x------ 2 hotmail hotmail 0 Feb 5 03:39 fd
-rw-r--r-- 1 hotmail hotmail 0 Feb 5 03:40 loginuid
-r-------- 1 hotmail hotmail 0 Feb 5 03:40 maps
-rw------- 1 hotmail hotmail 0 Feb 5 03:40 mem
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:40 mounts
lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 root -> /
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 stat
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 statm
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 status
dr-xr-xr-x 3 hotmail hotmail 0 Feb 5 03:40 task
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:40 wchan
Here's an ls -al on /dev/shm
ls -al /dev/shm
total 0
drwxrwxrwt 3 root root 60 Feb 2 19:27 .
drwxr-xr-x 8 root root 5700 Jan 18 09:26 ..
drwxr-xr-x 3 hotmail hotmail 80 Feb 2 19:28 ..
Sorry for my ignorance, but I'm still not finding the executable. Guess
I don't understand the symlink.
Also, does this mean that I was compromised on Feb 2?
Thanks,
James
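
Added example, not part of the original message: the cwd and exe links in the listing above resolve through a directory under /dev/shm whose name is two dots followed by a space, which is why it looks like a second ".." in the ls -al output. The sketch below checks every process's exe and cwd links for that pattern; the names suspicious_path, scan_proc and the --scan argument are hypothetical, and reading other users' links assumes root.

```shell
#!/bin/sh
# Added example (not from the thread): flag /proc exe and cwd targets that
# resemble the "/dev/shm/.. /nt/f" layout shown in the listing.

# Print the reasons a path looks like a hiding place; status 0 if any apply.
# The body runs in a subshell so its variables stay local.
suspicious_path() (
    path=$1 hit=1
    note() { printf '%s; ' "$1"; hit=0; }
    # The kernel appends " (deleted)" once the running binary is unlinked.
    case $path in
        *" (deleted)") note "unlinked after start"; path=${path%" (deleted)"} ;;
    esac
    # Memory-backed and temp directories are unusual homes for a daemon.
    case $path in
        /dev/shm/*|/tmp/*|/var/tmp/*) note "under world-writable directory" ;;
    esac
    # Walk the path one component at a time, splitting on "/".
    rest=${path#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        case $comp in
            ""|.|..) ;;
            " "*|*" ") note "blank-padded name [$comp]" ;;
            *) if [ -z "$(printf '%s' "$comp" | tr -d .)" ]; then
                   note "dots-only name [$comp]"
               fi ;;
        esac
    done
    exit "$hit"
)

# Check every live process; brackets make a trailing blank visible.
scan_proc() (
    for dir in /proc/[0-9]*; do
        for link in exe cwd; do
            target=$(readlink "$dir/$link" 2>/dev/null) || continue
            why=$(suspicious_path "$target") || continue
            printf 'pid %s %s -> [%s]: %s\n' "${dir#/proc/}" "$link" "$target" "$why"
        done
    done
)

if [ "${1:-}" = "--scan" ]; then scan_proc; fi
```

A path like the one in the listing has to be quoted, space included, when it is handed to ls or strings. A cwd under /tmp can be benign, so treat that reason on its own as a prompt to look closer.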