On Sun, Dec 13, 2009 at 3:10 AM, Thomas Dukes <tdukes at sc.rr.com> wrote:
>> > Today, I found upd.pl in my tmp directory. The date was oct 09. I
>> > also found my /etc/passwd and /etc/shadow had been changed with a
>> > user of 0Profile added. I deleted the old files and restored those
>> > from backup. I ran my chkrootkit and installed mod_security. SSH is
>> > not running so I don't know how this happened.
>>
>> Perhaps your system is not as simple as you think it is. ;-/
>>
>> --keith
>
> Thanks, Keith!
>
> Guess I'd better brush up on my vi commands in case I have to boot from a
> rescue disk. :-)

All you need is [Esc]q! :)

> Just guessing here, but to do this, I need to add:
>
> tmpfs /tmp tmpfs size=100M,mode=0755 0 0
>
> To my /etc/fstab and cross my fingers?

I would make it a little bigger than 100M, depending on how much memory
you have. And the mode should be the same as /tmp would normally be =>
mode=777 :)

If you have been hacked, like it seems you have, you should first find
out how the guy got in. Do you have a webserver running? Firewall
enabled? Then just to be safe I would always reinstall, as you never
know what he might have done. Then you can modify the tmp in fstab.

Cheers
Didi

--
My www page: www.ribalba.de
Email / Jabber: ribalba at gmail.com
Skype : ribalba
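An added example, not part of the original messages: a small checker for the /tmp line of an fstab, run over the two variants discussed in the thread and one constructed hardened variant. The policy it checks (mode 1777, the conventional /tmp mode with the sticky bit, plus the nosuid, nodev and noexec mount options) is this example's assumption, and the function and sample names are hypothetical.

```python
# Added example: audit the /tmp entry of an fstab for mode and mount options.
# The policy (1777 with nosuid/nodev/noexec) is assumed by this example,
# not taken from the thread.
WANTED_FLAGS = ("nosuid", "nodev", "noexec")

# Sample lines: the first two come from the thread, the third is constructed.
PROPOSED = "tmpfs /tmp tmpfs size=100M,mode=0755 0 0"
SUGGESTED = "tmpfs /tmp tmpfs size=100M,mode=777 0 0"
HARDENED = "tmpfs /tmp tmpfs size=512M,mode=1777,nosuid,nodev,noexec 0 0"


def audit_tmp_entry(fstab_text):
    """Return a list of findings for the /tmp line of an fstab."""
    for raw in fstab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != "/tmp":
            continue
        fstype, opts = fields[2], fields[3].split(",")
        findings = []
        if fstype != "tmpfs":
            findings.append(f"/tmp is {fstype}, not tmpfs")
        for opt in opts:
            # When mode= is absent, tmpfs uses 1777, so nothing is flagged.
            if opt.startswith("mode="):
                mode = int(opt[5:], 8)
                if not mode & 0o002:
                    findings.append(f"mode {mode:04o}: not world-writable, "
                                    "ordinary users cannot create temp files")
                elif not mode & 0o1000:
                    findings.append(f"mode {mode:04o}: world-writable without "
                                    "sticky bit, users can delete each "
                                    "other's files")
        missing = [flag for flag in WANTED_FLAGS if flag not in opts]
        if missing:
            findings.append("missing options: " + ",".join(missing))
        return findings
    return ["no /tmp entry found"]


if __name__ == "__main__":
    for name, entry in (("proposed", PROPOSED), ("suggested", SUGGESTED),
                        ("hardened", HARDENED)):
        print(name, audit_tmp_entry(entry) or "ok")
```

noexec stops a file in /tmp from being executed directly, but a script can still be run by passing it to its interpreter, so the mount options are one layer and do not replace finding the entry point.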