
Re: strange files, break-in?



On Sat, Jan 20, 2001 at 07:20:52PM +0100, Igor Mozetic wrote:
> I've noticed three strange files in /root dir:
> 
> host:~# ls -al /root
> -rw-r--r--    1 root     root         1024 Jan  5 11:20 ..hwm
> -rw-r--r--    1 root     root       214184 Jan  5 11:20 ..pwd
> -rw-r--r--    1 root     root        11356 Jan  5 11:20 ..pwi
> 
> ..pwd is ascii with a lot of control chars in it, the other
> two are binaries. Is this a side product of running some
> program or maybe some break-in leftover?
> 

as others have said, you have almost certainly been compromised.

just as a sidenote that nobody has mentioned: this is a good reason to
alias ls to ls -A for root.  this way every listing always includes
.dotfiles.  BSD ls does this automatically when your uid == 0.

it won't stop someone from replacing ls to not show certain
.dotfiles, or altering your /root/.bashrc but every bit helps.  (not
every rootkit/kiddie/cracker is 100% thorough)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
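
An added example, not part of the original message: since the reply notes that ls itself can be replaced to hide dotfiles, this sketch enumerates a directory with shell globbing and compares the result against `ls -A`. The function names and the `LS_BIN` variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Function names and LS_BIN are assumptions of this sketch.
# Limitation: names containing newlines are not handled.

# List every entry in a directory using shell globbing only, never ls.
glob_entries() {
    dir=$1
    for p in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # An unmatched pattern stays literal, so skip paths that do not exist.
        [ -e "$p" ] || [ -L "$p" ] || continue
        printf '%s\n' "${p##*/}"
    done | LC_ALL=C sort
}

# Names that start with two dots, like ..hwm, ..pwd and ..pwi in the post.
double_dot_entries() {
    glob_entries "$1" | grep '^\.\.' || true
}

# Entries the shell sees but the ls command (LS_BIN, default ls) leaves out.
hidden_from_ls() {
    dir=$1
    tmp=$(mktemp) || return 1
    "${LS_BIN:-ls}" -A "$dir" | LC_ALL=C sort > "$tmp"
    glob_entries "$dir" | LC_ALL=C comm -23 - "$tmp"
    rm -f "$tmp"
}

# Run against a directory passed as the first argument, for example /root.
if [ -d "${1:-}" ]; then
    echo "names starting with '..':"
    double_dot_entries "$1"
    echo "present on disk but missing from ls -A:"
    hidden_from_ls "$1"
fi
```

A replaced shell or a kernel-level rootkit would defeat this check as well, so on a host already in doubt it is best run from trusted media.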
