From owner-freebsd-security@FreeBSD.ORG Fri May 9 06:45:58 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF29C37B401 for ; Fri, 9 May 2003 06:45:58 -0700 (PDT) Received: from sollube.sarenet.es (sollube.sarenet.es [192.148.167.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0509443FA3 for ; Fri, 9 May 2003 06:45:58 -0700 (PDT) (envelope-from borjamar@sarenet.es) Received: from sarenet.es (zaphod2.sarenet.es [194.30.32.23]) by sollube.sarenet.es (Postfix) with ESMTP id 48F96982C99; Fri, 9 May 2003 15:45:56 +0200 (CEST) Date: Fri, 9 May 2003 15:46:35 +0200 Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v552) To: Peter Elsner From: Borja Marcos In-Reply-To: <5.2.0.9.2.20030509083519.01813eb8@mail.servplex.com> Message-Id: Content-Transfer-Encoding: 7bit X-Mailer: Apple Mail (2.552) cc: freebsd-security@freebsd.org Subject: Re: Hacked? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 May 2003 13:45:59 -0000 > Notice the f in place of the date? What does that mean? Perhaps someone has installed a different ls command (and, presumably, others). Try doing "truss ls" to see if it is reading any sort of strange file. Rootkits use to have configuration files hidden in weird places. Borja.