Before I have seen hackers make a directory from a non-printable character, and hide things in that directory, at the time they used alt+0253 i.e. /�/ which at the time was non-printale when you did an ls or a cd. This is a possibility for your system. I beleive chkrootkit does a recursive search of your disk and has found these files. But adter reading you message again, I notice this is in the history files, which could suggest that the person that these commands were in ran a script with a [root] key, and a [path] key which both included / ? I dunno. Gareth > Message: 2 > Date: Mon, 10 Sep 2001 12:15:38 -0400 > From: enrique <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: [cobalt-security] Chkrootkit Report Warning > Reply-To: [EMAIL PROTECTED] > > I have a concern with the report I received this morning from > chkrootkit. It is a warning about shell history files dealing with "//." > I don't understand why I would have a double slash directory listing. > Can anyone give me an idea? Below is a partial listing from the report: > > Searching for anomalies in shell history files... Warning: `//var/tmp > //var/log/httpd > //var/spool/mail/kfarley > //etc/localtime > //etc/rc.d/init.d/pmfirewall > //etc/rc.d/init.d/webmin > //etc/rc.d/rc0.d/K90mysql > ... > > Could this be a hacked secondary file system? > > enrique _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
