
Re: extra .. folder in /dev



"Wesley A. Wannemacher" wrote:
> 
> Help (if it is not too much trouble).
> 
> I have a Linux machine that has been recently
> rooted. I have found many strange things on the
> hard drive of the server. When doing an 'ls -la'
> in the /dev folder I see the following:
> 
> drwxr-xr-x   7 root     root        34816 Sep  1 14:27 .
> drwxr-xr-x  20 root     root         1024 Sep  1 14:34 ..
> drwxr-xr-x   3 root     root         1024 Jul 15 11:22 ..
> -rwxr-xr-x   1 root     root        26450 Apr 17  1999 MAKEDEV
> -rwxr-xr-x   1 root     root         1598 Apr 19  1999 MAKEDEV.ibcs
> lrwxrwxrwx   1 root     root            4 Jun 11  1999 X0R -> null
> lrwxrwxrwx   1 root     root            8 Jun 11  1999 arp -> inet/arp
> crw-rw-r--   1 root     root      10,   3 May  5  1998 atibm
> crw-r--r--   1 root     sys       14,   4 Apr 17  1999 audio
> 
> Why is there an extra '..'? There was also a
> '...', but I have deleted it. How should I go
> about deleting the extra '..'? I am kinda new,
> so any help is appreciated, I can post any other
> information needed.
> 
> Thanks
> ____________________________________
> Wesley A. Wannemacher
> Instructor, Network Administrator
> University of Northwestern Ohio
> wawannem@nc.edu
> ____________________________________
> 


I probably won't be the first to tell you this, but it's highly likely
your box has been cracked and compromised.  I would look into taking it
off of your network ASAP (and probably taking all your other boxes down
as well and checking for similar directories).  You can look in the
directory with cd ".. " 
Making a directory called ".. " is a standard hack for hiding directories
you don't want people to find.  I'd say take the box down and write it
out to CD or something and do a completely fresh install and take a
harder look at your security setup (Tripwire would be useful).

-- 
Matthew H. Ray
Programmer, Coral Technologies, Inc.
mray@coral-tech.com
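
The hidden-directory trick described in the reply above, seen from the detection side, as an added example that is not part of the original thread: a scanner that walks a tree (default `/dev`) and reports entry names that imitate `.` or `..` or carry invisible padding, printing them with `repr()` so trailing spaces show. The function names and the constructed sample tree are assumptions made for illustration.

```python
import os
import sys

def name_flags(name):
    """Return the reasons a directory entry name is visually deceptive."""
    flags = []
    core = name.strip()
    if core != name:
        flags.append("leading/trailing whitespace")
    if not core:
        flags.append("whitespace-only name")
    elif set(core) == {"."} and name not in (".", ".."):
        # e.g. ".. " or "...": looks like a normal dot entry in ls output
        flags.append("dot-only lookalike")
    if not name.isprintable():
        flags.append("non-printable character")
    return flags

def scan(root):
    """Walk root without following symlinks; return [(path, is_dir, flags)]."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk never yields the real "." and "..", so any hit is an extra entry
        for name in dirnames + filenames:
            flags = name_flags(name)
            if flags:
                hits.append((os.path.join(dirpath, name), name in dirnames, flags))
    return sorted(hits)

def build_constructed_tree(base):
    """Constructed sample modelled on the /dev listing quoted in the thread."""
    for d in (".. ", "...", "inet"):
        os.mkdir(os.path.join(base, d))
    open(os.path.join(base, "MAKEDEV"), "w").close()

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/dev"
    for path, is_dir, flags in scan(root):
        kind = "dir " if is_dir else "file"
        # repr() makes trailing spaces and control characters visible
        print(f"{kind} {path!r}: {', '.join(flags)}")
```

On a suspect machine, run it from trusted media against the mounted disk rather than with the possibly replaced binaries of the compromised system.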


