From: "Mike"
To: "Stefanos Kiakas"
Subject: Re: Compromised system.
Date: Thu, 23 Aug 2001 10:34:12 -0400
Message-ID: <00c701c12be0$ae04bfa0$0700a8c0@com.home.com>
References: <200108231554.LAA96346@corp.e-scape.net>

Try doing, cd "./" or "." or "/." one of those.

----- Original Message -----
From: "Stefanos Kiakas"
Sent: Thursday, August 23, 2001 11:54 AM
Subject: Compromised system.

>
> Hello,
>
> I was recently investigating a system that may
> be compromised. The reason I say this is because of the
> following entries in the output of the ps -ax command.
>
>   PID  TT  STAT      TIME COMMAND
>     0  ??  DLs    0:04.35 (swapper)
>     1  ??  ILs    0:00.07 /sbin/init --
> 48474  ??  S      0:00.00 ./klogd
> 79612  ??  I      0:00.00 ./klogd
> 79613  ??  S     25:46.29 ./klogd
> 79623  ??  D    901:01.50 ./init 45 1103527590.log
>
>
> And the /tmp directory contains 2 . entries with approximately
> 92M in the second one.
>
> 123# cd /tmp
> 123# ls -al
> total 23
> drwxrwxrwt   3 root  wheel  512 Aug 23 16:39 .
> drwxr-xr-x   2 root  wheel  512 Aug  3 11:48 .
> drwxr-xr-x  20 root  wheel  512 Apr  4 04:46 ..
>
> How do I access the second . directory to see what
> is in it? I have tried everything I can think of but
> I cannot list any of the contents.
>
> Please cc me at stefanos@e-scape.net.
>
> Thank you,
>
> Stefanos Kiakas
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
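
An added example, not part of the original thread: one way to expose the exact bytes of look-alike names such as the second "." in the listing above. It assumes that entry is a separate directory whose name carries a space or non-printing byte that ls does not show; the function names suspicious_entries and report are hypothetical, and the sample directory is constructed.

```python
import os
import stat
import sys
import tempfile


def suspicious_entries(directory):
    """Return (raw_name, reason) pairs for names that a plain ls shows misleadingly."""
    findings = []
    # A bytes path makes listdir return raw bytes, so nothing is lost to decoding.
    # listdir never returns the real "." and "..", so anything that looks like
    # them here is a separate, deliberately named entry.
    for raw in sorted(os.listdir(os.fsencode(directory))):
        reasons = []
        if any(b < 0x20 or b == 0x7F for b in raw):
            reasons.append("control byte")
        if any(b >= 0x80 for b in raw):
            reasons.append("non-ASCII byte")
        if raw != raw.strip(b" "):
            reasons.append("leading/trailing space")
        # Keep only bytes that print as visible ASCII glyphs.
        visible = bytes(b for b in raw if 0x20 < b < 0x7F)
        if visible in (b".", b".."):
            reasons.append("renders like " + visible.decode())
        if reasons:
            findings.append((raw, ", ".join(reasons)))
    return findings


def report(directory):
    """Print each finding with its exact bytes and, for directories, the entry count."""
    base = os.fsencode(directory)
    for raw, reason in suspicious_entries(directory):
        path = os.path.join(base, raw)
        kind = "dir" if stat.S_ISDIR(os.lstat(path).st_mode) else "other"
        inside = len(os.listdir(path)) if kind == "dir" else 0
        print(f"{raw!r:<14} {kind:<5} entries={inside:<4} {reason}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(sys.argv[1])
    else:
        # Constructed sample: a scratch directory holding look-alike names.
        with tempfile.TemporaryDirectory() as demo:
            os.mkdir(os.path.join(demo, ". "))
            os.mkdir(os.path.join(demo, "..\x7f"))
            open(os.path.join(demo, "notes.txt"), "w").close()
            report(demo)
```

Once the raw bytes are known, the entry can be reached by quoting that exact name. On a host suspected of compromise, run the check from trusted media, since installed binaries may have been replaced.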