From owner-freebsd-security Thu Aug 23 2:25:42 2001
Message-Id: <200108231554.LAA96346@corp.e-scape.net>
To: security@freebsd.org
Subject: Compromised system.
Date: Thu, 23 Aug 2001 11:54:30 -0400
From: Stefanos Kiakas

Hello,

I was recently investigating a system that may be compromised. The reason I say this is because of the following entries in the output of the ps -ax command.

  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:04.35 (swapper)
    1  ??  ILs    0:00.07 /sbin/init --
48474  ??  S      0:00.00 ./klogd
79612  ??  I      0:00.00 ./klogd
79613  ??  S     25:46.29 ./klogd
79623  ??  D    901:01.50 ./init 45 1103527590.log

And the /tmp directory contains 2 . entries, with approximately 92M in the second one.

123# cd /tmp
123# ls -al
total 23
drwxrwxrwt   3 root  wheel  512 Aug 23 16:39 .
drwxr-xr-x   2 root  wheel  512 Aug  3 11:48 .
drwxr-xr-x  20 root  wheel  512 Apr  4 04:46 ..

How do I access the second . directory to see what is in it? I have tried everything I can think of, but I cannot list any of the contents.

Please cc me at stefanos@e-scape.net.

Thank you,
Stefanos Kiakas
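A directory that shows up as a second "." in ls output almost always has a name that only renders like "." (for example a dot followed by a space or a tab), so it sorts beside the real "." entry and cannot be entered by typing a bare dot. The script below is an added example written for this thread, not code from the original post: it enumerates a directory with os.scandir(), prints every name in an escaped form so that "." and ". " no longer look alike, and flags the entries that collapse to "." or ".." once invisible characters are removed. The sample tree it builds under a temporary directory (a ". " directory holding a file named after the log seen in the ps output) is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Flag directory entries whose names render like '.' or '..' but are not.

Added example, not part of the original mailing-list post. A hidden
directory named '. ' (dot plus space) or '.\t' blends in with the real
'.' entry of 'ls -al'. Reading the directory with os.scandir() and
escaping the raw names makes the difference visible.
"""
import os
import tempfile

# Characters that leave a name looking like '.' or '..' on a terminal
# while still making it a distinct name: whitespace and ASCII controls.
_INVISIBLE = set(" \t\r\n\f\v") | {chr(c) for c in range(0x20)} | {chr(0x7F)}


def escaped(name: str) -> str:
    """Return the name with whitespace and non-printable characters escaped
    (in the spirit of 'ls -b'), so '.' and '. ' print differently."""
    out = []
    for ch in name:
        if ch in _INVISIBLE or not ch.isprintable():
            code = ord(ch)
            out.append("\\x%02x" % code if code < 0x100 else "\\u%04x" % code)
        else:
            out.append(ch)
    return "".join(out)


def looks_like_dot_entry(name: str) -> bool:
    """True when the name is NOT exactly '.' or '..' but reduces to one of
    them after the invisible characters are stripped."""
    if name in (".", ".."):
        return False
    visible = "".join(ch for ch in name if ch not in _INVISIBLE and ch.isprintable())
    return visible in (".", "..")


def suspicious_entries(path: str) -> list:
    """Scan one directory and return (escaped_name, is_dir, size_bytes) for
    every entry that mimics '.' or '..'. Works from the real directory
    listing, so it sees what the rendered 'ls' output hides."""
    hits = []
    with os.scandir(path) as it:
        for entry in it:
            if looks_like_dot_entry(entry.name):
                st = entry.stat(follow_symlinks=False)
                hits.append((escaped(entry.name),
                             entry.is_dir(follow_symlinks=False),
                             st.st_size))
    return sorted(hits)


def demo() -> list:
    """Build a constructed /tmp-like tree with a hidden '. ' directory and
    return what the scanner reports for it."""
    with tempfile.TemporaryDirectory() as root:
        hidden = os.path.join(root, ". ")             # constructed: dot + space
        os.mkdir(hidden)
        with open(os.path.join(hidden, "1103527590.log"), "w") as fh:
            fh.write("constructed sample contents\n")
        os.mkdir(os.path.join(root, "normal.d"))      # benign neighbour
        with open(os.path.join(root, ".hushlogin"), "w"):
            pass                                      # benign dotfile, not flagged
        return suspicious_entries(root)


if __name__ == "__main__":
    for name, is_dir, size in demo():
        print(f"{name!r:14} dir={is_dir} size={size}")
```

Once the exact name is known, the directory can be entered by quoting it (for example cd ". " with the trailing space inside the quotes) or by referencing its inode number; on FreeBSD, ls -B prints non-printable characters in octal, which gives the same disambiguation from the shell without any script.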