On Sat, 2009-06-13 at 00:19 -0700, Linux Advocate wrote: > <snip> > > > > Note that /dev/shm is a tempfs file system. It will be dynamically > > populated. I would expect the attack vector still resides on your system > > somewhere else. > > > > > i m looking for it bro...the machine is disconnected frm the net but i have not formatted it yet... i really need to know how it happened.... Have you run the rpm with the --verify? You'll need to get another option or two to get it to give more verbose information. It occured to me too that find file not providfed by any package might give some clues (although most of what it may return will not be problems). If you get a list of all file (use find so even "hidden" ones appear) and then use rpm to find out --whatprovides you should get a bunch - some user and a few not user files. These become candidates for further inspection. There's always going to be a few that are not from a package but are OK. Good luck on your detecting. <snip sig stuff> -- Bill