On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote: > James Pifer wrote: > > > > > Find one of the processes that's still alive and do "ls -l /proc/<pid>". > > > That will give you some info about it. The exe entry should be a link to > > > the executable itself. > > > > > > > ok, I found it. Now what? You said run strings? I get: > > Multi-thread FTP scanner v0.2.5 by Inode <inode at wayreth.eu.org> > > That looks like the ftp scanner which can be found at > <http://wayreth.eu.org/> - somebody is probably using your box to find > insecure ftp servers for sharing files. > > Can you do an "ls -lah /dev/shm/..\ /"? Yep, I get: ls -lah /dev/shm/..\ / total 24K drwxr-xr-x 3 hotmail hotmail 80 Feb 2 19:28 . drwxrwxrwt 3 root root 60 Feb 2 19:27 .. drwxr-xr-x 2 hotmail hotmail 180 Feb 6 2005 nt -rw-r--r-- 1 hotmail hotmail 24K Feb 2 19:27 nt.tar.gz James