[CentOS] I appear to be attacking others

[James Pifer]

> > 
> > How do I tell where these executables are? And when I find them, how do
> > I runs strings on them?
> 
> Find one of the processes that's still alive and do "ls -l /proc/<pid>".
> That will give you some info about it. The exe entry should be a link to
> the executable itself.


Well, I get:

ls -l /proc/6446
total 0
dr-xr-xr-x  2 hotmail hotmail 0 Feb  5 03:40 attr
-r--------  1 hotmail hotmail 0 Feb  5 03:40 auxv
-r--r--r--  1 hotmail hotmail 0 Feb  5 03:39 cmdline
lrwxrwxrwx  1 hotmail hotmail 0 Feb  5 03:40 cwd -> /dev/shm/.. /nt
-r--------  1 hotmail hotmail 0 Feb  5 03:40 environ
lrwxrwxrwx  1 hotmail hotmail 0 Feb  5 03:40 exe -> /dev/shm/.. /nt/f
dr-x------  2 hotmail hotmail 0 Feb  5 03:39 fd
-rw-r--r--  1 hotmail hotmail 0 Feb  5 03:40 loginuid
-r--------  1 hotmail hotmail 0 Feb  5 03:40 maps
-rw-------  1 hotmail hotmail 0 Feb  5 03:40 mem
-r--r--r--  1 hotmail hotmail 0 Feb  5 03:40 mounts
lrwxrwxrwx  1 hotmail hotmail 0 Feb  5 03:40 root -> /
-r--r--r--  1 hotmail hotmail 0 Feb  5 03:39 stat
-r--r--r--  1 hotmail hotmail 0 Feb  5 03:39 statm
-r--r--r--  1 hotmail hotmail 0 Feb  5 03:39 status
dr-xr-xr-x  3 hotmail hotmail 0 Feb  5 03:40 task
-r--r--r--  1 hotmail hotmail 0 Feb  5 03:40 wchan


Here's an ls -al on /dev/shm
ls -al /dev/shm
total 0
drwxrwxrwt  3 root    root      60 Feb  2 19:27 .
drwxr-xr-x  8 root    root    5700 Jan 18 09:26 ..
drwxr-xr-x  3 hotmail hotmail   80 Feb  2 19:28 ..

Sorry for my ignorance, but I'm still not finding the executable. Guess
I don't understand the symlink. 

Also, does this mean that I was compromised on Feb 2?

Thanks,
James