Dear All, I am investigating a Linux box which has been compromised (possibly via the crc32 OpenSSH hack). Searching around for recently added files threw up the directory: /usr/X11R6/bin/ /ksh - note the space before the /ksh. ls would not show up this directory (not sure why?), but it contains lots of interesting stuff: ./ /ksh ./ /ksh/exploits ./ /ksh/exploits/solx86_bind ./ /ksh/exploits/tsl_bind ./ /ksh/exploits/linx86_bind ./ /ksh/exploits/rdc-lprng ./ /ksh/exploits/rpc.statdx ./ /ksh/exploits/rpc.cmsd ./ /ksh/exploits/teso-nxt ./ /ksh/exploits/wuftpd-2.6-teso ./ /ksh/exploits/seclpd ./ /ksh/exploits/ptrace24 ./ /ksh/exploits/e2p ./ /ksh/exploits/samba.sh ./ /ksh/exploits/x2 ./ /ksh/exploits/x2_crk ./ /ksh/dsniff/webspy ./ /ksh/dsniff/tcpnice ./ /ksh/dsniff/urlsnarf ./ /ksh/dsniff/libssl.a ./ /ksh/dsniff/libcrypto.a Can anyone tell me how this directory structure was created? Is it related to a known hack? Thanks in advance. Andy.