-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good morning all. I was wondering if I could get some help on a possible intrusion analysis. Recently I discovered some interesting things on a RH Linux 6.2 box.

in /dev:
/dev/.w
/dev/.c
/dev/.cmd

in /etc/inetd.conf:
6968 stream tcp nowait root /bin/sh sh -i
2121 stream tcp nowait root /usr/sbin/tcpd in/telnetd

in /etc/passwd:
cmd:x:0:500::/dev/.cmd:/dev/null
command:x:500:501::/dev/.c:/dev/null
wizards:x:501:502::/dev/.w:/dev/null

This is all I can find that is weird (translate- "I don't recognize"). Does anyone recognize these entries? Is this a possible rootkit? The /dev/ homes and cmd UID of 0 give me that impression. Any help would be greatly appreciated :-)

- - --
Kip Perkins
Systems Administrator
NIC - TennesseeAnytime.org
office 615.313.0312
Live as you want your children to

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7JkW0L1ei/5O2f1gRAqlYAJ9KgrX+CgH3W8j1TSpHyVOxoBLvaQCfe0oE
sc3PMPQLxUZU0qFueODNqb0=
=vqf9
-----END PGP SIGNATURE-----
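An added example, not part of the original post: a Python check that flags the kinds of entries the message lists, namely extra UID 0 accounts, home directories under /dev, and inetd.conf lines that bind a shell or use a raw port number. The function names and the root, bin and ftp sample lines are assumptions made for illustration.

```python
import os

SHELLS = {"sh", "bash", "ash", "csh", "tcsh", "ksh", "zsh"}

# Constructed samples: the flagged lines are the ones quoted in the message,
# the root, bin and ftp lines are ordinary entries added for contrast.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
cmd:x:0:500::/dev/.cmd:/dev/null
command:x:500:501::/dev/.c:/dev/null
wizards:x:501:502::/dev/.w:/dev/null
"""
INETD_SAMPLE = """\
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
6968 stream tcp nowait root /bin/sh sh -i
2121 stream tcp nowait root /usr/sbin/tcpd in/telnetd
"""

def audit_passwd(text):
    """Flag extra UID 0 accounts and home directories under /dev."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[0].startswith("#"):
            continue
        name, uid, home = fields[0], fields[2], fields[5]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 but not root"))
        if home == "/dev" or home.startswith("/dev/"):
            findings.append((name, "home directory under /dev"))
    return findings

def audit_inetd(text):
    """Flag shells bound to a socket and services given as raw port numbers."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        service, server = fields[0], fields[5]
        if os.path.basename(server) in SHELLS:
            findings.append((service, "shell bound directly to a socket"))
        elif service.isdigit():
            findings.append((service, "raw port number, not a named service"))
    return findings

if __name__ == "__main__":
    for item in audit_passwd(PASSWD_SAMPLE) + audit_inetd(INETD_SAMPLE):
        print("%-8s %s" % item)
```

On a suspect host, run it against copies of /etc/passwd and /etc/inetd.conf taken from trusted boot media, since binaries and files read on the running system may themselves have been altered.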
This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 16:39:30 PDT