On Sat, Jan 20, 2001 at 07:20:52PM +0100, Igor Mozetic wrote:
:I've noticed three strange files in /root dir:
:
:host:~# ls -al /root
:-rw-r--r--   1 root     root         1024 Jan  5 11:20 ..hwm
:-rw-r--r--   1 root     root       214184 Jan  5 11:20 ..pwd
:-rw-r--r--   1 root     root        11356 Jan  5 11:20 ..pwi
:
:..pwd is ASCII with a lot of control chars in it, the other
:two are binaries. Is this a side product of running some
:program or maybe some break-in leftover?
I vote for break-in. I can think of no legitimate programs that create
double-dot files (did somebody think this would make them harder to see???).

A couple of things to do:

Run "strings" on the binary files; sometimes you can figure out what they
are this way.

Do a "netstat -tap|less" as root. This will show all (-a) active TCP (-t)
connections and listening sockets and the processes (-p) that own them.

Do a "find /dev -type f". This will find any regular files in /dev; there
shouldn't be any, they're all device special files (except the MAKEDEV
script, which may be a regular file but on current Debian systems is a
symlink to /sbin/MAKEDEV and not a regular file).

Look at /etc/inetd.conf; some backdoors are put in this file (usually at
the end).

It would be best to copy over known good versions of find and netstat, as
these may be trojaned (find usually isn't, netstat often is).

-Jon
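The checks Jon lists, scripted as an added example that is not part of the original thread. It is plain POSIX sh; the directories and the inetd.conf path are parameters so the same functions can be pointed at a real host or at the constructed sample tree that make_sample_tree builds (the sample inetd line handing a connection to "/bin/sh" and the stray regular file in the sample /dev are made up for the demo; the "/bin/sh in inetd.conf" heuristic and the "run with trusted binaries first in PATH" convention are this example's assumptions, not something the thread states).

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Run it with a directory of known-good binaries first in PATH, e.g.
#   PATH=/mnt/cdrom/bin:$PATH sh intruder_checks.sh
# because on a compromised host find and especially netstat may be trojaned.

count() { wc -l | tr -d ' '; }

# Files whose names start with ".." (the "." and ".." entries themselves
# have no third character, so the pattern '..?*' does not match them).
find_dotdot_files() {
    find "$1" -name '..?*' 2>/dev/null | sort
}

# Regular files under a /dev-style tree. There should be none: device nodes
# are -type c or -type b, and on current Debian MAKEDEV is a symlink (-type l).
find_regular_in_dev() {
    find "$1" -type f 2>/dev/null | sort
}

# Active (non-comment, non-blank) lines of an inetd.conf, for eyeballing.
inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Assumed heuristic: any inetd service whose server program is a shell is a
# backdoor until proven otherwise. Backdoors are usually appended at the end.
inetd_shell_services() {
    inetd_services "$1" | grep -E '/bin/(ba)?sh([[:space:]]|$)'
}

# Listening sockets with owning processes; must run as root to see -p data.
# Falls back to ss(8) on hosts without net-tools.
listening_sockets() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -tap 2>/dev/null
    else
        ss -tlnp 2>/dev/null
    fi
}

# Print every finding for one host layout: ROOTDIR DEVDIR INETD_CONF.
run_checks() {
    echo "== double-dot files under $1"; find_dotdot_files "$1"
    echo "== regular files under $2 (should be empty)"; find_regular_in_dev "$2"
    echo "== inetd services that spawn a shell in $3"; inetd_shell_services "$3"
    for f in $(find_dotdot_files "$1"); do
        # strings(1) often reveals what a dropped binary is; skip if absent.
        command -v strings >/dev/null 2>&1 && { echo "== strings $f"; strings "$f" | head -20; }
    done
}

# Constructed sample tree mirroring the original post: three ..-files in
# /root, a symlinked MAKEDEV plus one planted regular file in /dev, and an
# inetd.conf whose last line is a made-up shell backdoor.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/root" "$t/dev"
    for f in ..hwm ..pwd ..pwi .bashrc; do : > "$t/root/$f"; done
    ln -s /sbin/MAKEDEV "$t/dev/MAKEDEV"
    : > "$t/dev/ptyp0.log"
    printf '%s\n' \
        'ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd' \
        '# telnet disabled' \
        '' \
        'telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd' \
        'ingreslock stream tcp   nowait  root    /bin/sh         sh -i' \
        > "$t/inetd.conf"
    echo "$t"
}

demo() {
    t=$(make_sample_tree)
    run_checks "$t/root" "$t/dev" "$t/inetd.conf"
    rm -rf "$t"
}

demo
```

On a live host you would call run_checks /root /dev /etc/inetd.conf (as root, so netstat -p can attribute sockets) and then listening_sockets, and compare the listening ports against what the machine is supposed to serve.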