Puzzle of the Day

Your UNIX system has been attacked. The uucp entry in your /etc/passwd file has a UID of 0. You ran ps to see if any unusual processes were executing. None were. You ran ls to find any unusual files or directories. None were reported. You ran du to determine whether the size of any file system was unusually large (indicating hidden files). Nope.

You suspect that someone has, somehow, hidden files (or directories) and an executing process. You decide to start at the /dev directory, to see if they created any new device files. Again, an ls lists only those files you expect to see. But you are still suspicious, and want to confirm the results.

  1. What would you do?
  2. You still suspect that the attacker left an illicit process executing. But ps showed nothing. How would you confirm or refute your suspicion?
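As an added example, not part of the original puzzle page, here is a defender's cross-check in Python that bears on both questions: it compares what ls printed for a directory with what an independent directory read (os.scandir) returns, and it compares what ps printed with the PIDs the kernel exposes under /proc and with a direct signal-0 probe of each PID. The process and directory listings embedded below are constructed sample data; the live functions assume a Linux-style /proc and a pid_max value you pass in.

```python
"""Cross-check ps and ls against independent sources of the same facts.

Added example (not from the original puzzle page). The comparison helpers are
pure functions exercised on constructed sample data; the live_* helpers assume
a Linux-style /proc and are only run from main().
"""
from __future__ import annotations

import os
import subprocess
from typing import Iterable


def pids_from_ps(ps_output: str) -> set[int]:
    """PIDs reported by `ps -e`: first whitespace-separated column, header skipped."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def pids_from_proc(proc_entries: Iterable[str]) -> set[int]:
    """Every all-digit entry name under /proc is a live PID."""
    return {int(name) for name in proc_entries if name.isdigit()}


def hidden_pids(ps_output: str, proc_entries: Iterable[str]) -> list[int]:
    """PIDs the kernel knows about that ps did not print."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_output))


def hidden_names(ls_output: str, raw_entries: Iterable[str]) -> list[str]:
    """Entries an independent readdir saw that `ls -a1` did not print.
    splitlines() keeps trailing spaces, so names differing only by
    whitespace stay distinct."""
    return sorted(set(raw_entries) - set(ls_output.splitlines()))


def probe_pids_with_signal0(max_pid: int) -> set[int]:
    """Process census that needs neither ps nor /proc: kill(pid, 0) delivers
    no signal but reports whether the PID exists (EPERM still means it does)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def live_process_check(max_pid: int = 32768) -> list[int]:
    """Sandwich ps between two independent censuses; a PID present in both
    censuses but absent from ps output is the finding (short-lived processes
    that raced ps are dropped by the intersection)."""
    proc_a, probe_a = os.listdir("/proc"), probe_pids_with_signal0(max_pid)
    ps = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
    proc_b, probe_b = os.listdir("/proc"), probe_pids_with_signal0(max_pid)
    stable = (pids_from_proc(proc_a) & pids_from_proc(proc_b)) | (probe_a & probe_b)
    return sorted(stable - pids_from_ps(ps))


def live_directory_check(path: str = "/dev") -> list[str]:
    """Compare the ls binary's view of a directory with a direct readdir."""
    ls = subprocess.run(["ls", "-a1", path], capture_output=True, text=True, check=True).stdout
    raw = [entry.name for entry in os.scandir(path)] + [".", ".."]  # scandir omits . and ..
    return hidden_names(ls, raw)


# Constructed sample data: what a (possibly trojaned) ps and ls printed, and
# what the independent sources returned for the same moment.
SAMPLE_PS = """  PID TTY          TIME CMD
    1 ?        00:00:03 init
  214 ?        00:00:00 syslogd
  987 pts/0    00:00:00 bash
"""
SAMPLE_PROC = ["1", "214", "987", "1337", "self", "cpuinfo", "meminfo"]
SAMPLE_LS = ".\n..\nnull\ntty\nzero\n"
SAMPLE_RAW = [".", "..", "null", "tty", "zero", "..."]


if __name__ == "__main__":
    print("sample hidden PIDs:", hidden_pids(SAMPLE_PS, SAMPLE_PROC))      # [1337]
    print("sample hidden names:", hidden_names(SAMPLE_LS, SAMPLE_RAW))     # ['...']
    print("live hidden PIDs:", live_process_check())
    print("live hidden names in /dev:", live_directory_check("/dev"))
```

The point of each check is a second source for the same fact: a disagreement between ps and /proc, or between ls and readdir, is the finding, not the output of any one tool. The caveat is that /proc, readdir and kill(2) all go through the same kernel, so they only catch a subverted ps or ls binary; if the kernel itself has been modified, every source can agree and still be wrong.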

Send email to cs153@csif.cs.ucdavis.edu.

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 11/24/98