In article <[EMAIL PROTECTED]> you write:
>
> Then they typically use a "rootkit" to get root access and replace files,
>just as you've seen. "ls" is usually the first one they hack. 

Thanks to all for the good advice, I'm using this as an excellent excuse
to upgrade my creaky 486 and start over with a whole new system and a
whole new machine. 

Rooting around on rootshell.com, it's possible that the cracker got in
through wu-ftpd.  I'd noticed some odd things in the logs before, and
there were two times that my root partition had filled up for no
discernable reason.  A classic sign of system compromise, I understand. 
 
Both my ls and du executables were replaced by bogus versions, which is
why it took me a week to figure out what had happened.  Yeah, some weird
things were happening, but one hates to get paranoid, you know.

Regards,

-Don
-- 
 .sig lite
