John Hinton wrote:
> James Pifer wrote:
>
>> On Sun, 2006-02-05 at 10:23 +0100, Ralph Angenendt wrote:
>>
>>> James Pifer wrote:
>>>
>>>> On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote:
>>>>
>>>>> Can you do an "ls -lah /dev/shm/..\ /"?
>>>>>
>>>> Yep, I get:
>>>>
>>>> drwxr-xr-x 2 hotmail hotmail 180 Feb 6 2005 nt
>>>>
>>> And now please the contents of this directory ...
>>>
>>
>> Contents are:
>>
>> # pwd
>> /dev/shm/.. /nt
>> # ls -l
>> total 76
>> -rwxr-xr-x 1 hotmail hotmail 22400 Feb 6 2005 f
>> -rw-r--r-- 1 hotmail hotmail 17266 Nov 1 2004 f.c
>> -rw-r--r-- 1 hotmail hotmail 2574 Feb 5 02:22 log
>> -rw-r--r-- 1 hotmail hotmail 16122 Jun 9 2005 pass
>> -rw-r--r-- 1 hotmail hotmail 109 Feb 6 2005 README
>> -rwxr-xr-x 1 hotmail hotmail 64 Feb 6 2005 s
>> -rw-r--r-- 1 hotmail hotmail 59 Jun 9 2005 users
>>
>> James
>>
> You might want to do a ls -al on that directory, as I've seen hackers
> use hidden files or directories which don't show using just -l. Also,
> you might want to take a look in the usual suspects, like /tmp..
> /var/tmp.. again, ls -al to see if you can find anything perhaps left
> for later use.
>
> Gee.. ain't it fun?

Lots of good advice. I'd also check for rootkits. There are a couple of
"rootkit checkers" available. You just download the source and
compile/execute them. I've used this one with some success to de-louse a
friend's game server:

http://www.chkrootkit.org/

It's also a good practice to disconnect a suspect machine from the net
and do your hacking from the console if you suspect it's been burgled.
That way, it's not actively hosing other people while you're
troubleshooting the problem. 8-)

That is...unless you've got the skills to track the burglar back to
their hideout.....

Cheers,
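
The check suggested in this thread (looking for names that a plain `ls -l` hides or disguises, such as the `.. ` directory under `/dev/shm`) can be scripted. The following is an added example, not part of the original messages; the function names `classify_name` and `scan_dir` are made up for this sketch.

```shell
#!/bin/sh
# Added example: report directory entries whose names are easy to miss.

# Print why a name is suspicious; return 1 for ordinary names.
classify_name() {
    case $1 in
        *[![:print:]]*)            echo "non-printable character" ;;
        [[:space:]]*|*[[:space:]]) echo "leading or trailing whitespace" ;;
        .*)                        echo "dot-prefixed (hidden)" ;;
        *)                         return 1 ;;
    esac
}

# Walk one directory tree and report every suspicious entry.
scan_dir() {
    # Three globs: visible names, ".x" names, and "..x" names such as ".. "
    for path in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        # An unmatched glob is left as a literal pattern; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        if reason=$(classify_name "$name"); then
            # Brackets make trailing blanks visible in the report.
            printf '%s: [%s]\n' "$reason" "$path"
        fi
        # Recurse into real directories only (not symlinks), in a subshell
        # so this level's loop variables are not overwritten.
        if [ -d "$path" ] && [ ! -L "$path" ]; then
            ( scan_dir "$path" )
        fi
    done
}

# Usage: sh scan.sh /dev/shm /tmp /var/tmp
for d in "$@"; do
    scan_dir "$d"
done
```

On a healthy system the report for `/tmp` will still list ordinary dot files such as X11 or ICE socket directories, so treat the output as a list to review rather than a verdict.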