Security Incidents mailing list archives

/dev/^Madereet


From: sean_martin () USA NET (Sean Marin)
Date: Fri, 9 Jun 2000 08:26:37 MDT


It seems like my computer has been compromised (RH 5.2).

When I (for fun) straced the binary "ps", I noticed that it read from a file
(.processes) located in /dev/^Madereet, and stripped the output of the process
list normally created by ps, from the content of the file.

When replacing "ps", I noticed that the program "ttymon" had been launched in
the background. Any ideas what this program does?

There are no "strange" additions or "proofs" in the log files located in
/var/log/

It's all just a dead end.

I'm thinking of reinstalling this computer now, since other programs
may have been infected as well.

---

Sean Martin (sean_martin () usa net)
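
A check for the kind of hiding place described in the message above, added here as an example and not part of the original post: it walks a device directory and reports names containing control characters, regular files, and hidden files or directories. It assumes the `^M` in the path is a carriage return shown in caret notation; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def suspicious_dev_entries(root="/dev"):
    """Return [(path, [reasons])] for entries that look out of place in a device tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable
            reasons = []
            # Names such as "\radereet" render oddly or invisibly in ls output.
            if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
                reasons.append("control character in name")
            if stat.S_ISREG(mode):
                reasons.append("regular file")
            if name.startswith(".") and (stat.S_ISREG(mode) or stat.S_ISDIR(mode)):
                reasons.append("hidden file or directory")
            if reasons:
                findings.append((path, reasons))
    return findings


def demo():
    """Build a constructed tree mimicking the layout in the post and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "pts"))  # benign directory
        hidden = os.path.join(root, "\radereet")  # assumed meaning of ^Madereet
        os.mkdir(hidden)
        with open(os.path.join(hidden, ".processes"), "w") as fh:
            fh.write("example-proc\n")  # constructed content
        return [(os.path.relpath(p, root), r) for p, r in suspicious_dev_entries(root)]


if __name__ == "__main__":
    for path, reasons in suspicious_dev_entries("/dev"):
        print(repr(path), ", ".join(reasons))  # repr() makes control characters visible
```

Some hits under /dev are legitimate on a live system (files under /dev/shm, for example), so the output is a list of leads to review. Run it from trusted media, since the installed userland on a host like this one cannot be relied on.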



