Date:      Thu, 23 Aug 2001 05:31:13 -0400 (EDT)
From:      Igor Roshchin <str@giganda.komkon.org>
To:        security@FreeBSD.ORG, stefanos@e-scape.net
Subject:   Re: Compromised system.
Message-ID:  <200108230931.f7N9VDX27439@giganda.komkon.org>
In-Reply-To: <200108231554.LAA96346@corp.e-scape.net>


You have some non-ASCII symbol in the name of the directory.
Use the -b or -B option of ls (read the man page for ls(1))
to see which "invisible" symbols are part of the name of the "extra"
directory.
Use that name to access the directory in question.

Igor

> From owner-freebsd-security@FreeBSD.ORG Thu Aug 23 05:25:58 2001
> To: security@FreeBSD.ORG
> Subject: Compromised system.
> Date: Thu, 23 Aug 2001 11:54:30 -0400
> From: Stefanos Kiakas <stefanos@e-scape.net>
>
>
> Hello,
>
> 	I was recently investigating a system that may
> be compromised. The reason I say this is because of the
> following entries in the output of the ps -ax command.
>
>   PID  TT  STAT      TIME COMMAND
>     0  ??  DLs    0:04.35  (swapper)
>     1  ??  ILs    0:00.07 /sbin/init --
> 48474  ??  S      0:00.00 ./klogd
> 79612  ??  I      0:00.00 ./klogd
> 79613  ??  S     25:46.29 ./klogd
> 79623  ??  D    901:01.50 ./init 45 1103527590.log
>
>
> And the /tmp directory contains 2 . entries with approximately
> 92M in the second one.
>
> 123# cd /tmp
> 123# ls -al
> total 23
> drwxrwxrwt   3 root    wheel  512 Aug 23 16:39 .
> drwxr-xr-x   2 root    wheel  512 Aug  3 11:48 .  
> drwxr-xr-x  20 root    wheel  512 Apr  4 04:46 ..
>
> How do I access the second . directory to see what
> is in it? I have tried everything I can think of but
> I cannot list any of the contents.
>
> Please cc me at stefanos@e-scape.net.
>
> Thank you,
>
> Stefanos Kiakas
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
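
The check described in the reply above, as an added example that is not part of the original thread: a POSIX sh scan that flags entries whose names contain spaces, control characters or non-ASCII bytes, and prints each name as octal escapes that printf can turn back into the exact name. It goes one step beyond ls -b by escaping every byte; the function names and the scratch directory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): flag directory entries whose names
# hide bytes that a plain `ls -al` does not make visible.

# octal_name NAME: print every byte of NAME as \ooo, e.g. ". " -> \056\040
octal_name() {
    printf '%s' "$1" | LC_ALL=C od -An -v -to1 | tr -s ' \n' '  ' |
        sed 's/ $//; s/ /\\/g'
}

# odd_bytes NAME: count bytes outside printable non-space ASCII (0x21-0x7E).
# Spaces count as odd here (an assumption of this example): a trailing
# space is invisible in a listing.
odd_bytes() {
    n=$(printf '%s' "$1" | LC_ALL=C tr -d '!-~' | wc -c)
    echo $((n))
}

# scan_dir DIR: print "<kind> <octal name>" for each suspicious entry
scan_dir() {
    for p in "$1"/* "$1"/.*; do
        name=${p##*/}
        case $name in .|..) continue ;; esac
        [ -e "$p" ] || [ -L "$p" ] || continue      # glob matched nothing
        [ "$(odd_bytes "$name")" -gt 0 ] || continue
        if [ -d "$p" ]; then kind=dir; else kind=file; fi
        printf '%s %s\n' "$kind" "$(octal_name "$name")"
    done
}

# Constructed sample: a scratch directory with an entry named ". " (dot, space)
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/. " "$d/logs"
    scan_dir "$d"                                   # prints: dir \056\040
    ls -la "$d/$(printf '\056\040')" >/dev/null     # the octal form reaches it
    rm -rf "$d"
}
demo
```

Run scan_dir against the directory under examination (for example /tmp) and pass the printed octal string to printf to build the exact name for cd or ls.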
