Security Incidents mailing list archives
/dev/^Madereet
From: sean_martin () USA NET (Sean Marin)
Date: Fri, 9 Jun 2000 08:26:37 MDT
It seems like my computer has been compromised (RH 5.2). When I (For fun) straced the binary "ps"; I noticed that it read from a file (.processes) located in /dev/^Madereet, and stripped the output of the proces list normally created by ps, from the conent of the file. When replacing "ps", I noticed that the program "ttymon" had been launche d in the background. Any ideas what this program do? There are no "strange" addition or "proofs" in the log files located in /var/log/ It's all just a dead end. Im thinking of reinstalling this computer now, since other programs can have been infected aswell. --- Sean Martin (sean_martin () usa net) ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1
Current thread:
- /dev/^Madereet Sean Marin (Jun 09)