Hacker intrusion... linux help


m1lkym1ke
04-26-07, 01:56 AM
Ok.... so I'm not new to Linux at all... but I'm not an expert.... I cannot seem to figure out how the guy did it. I had a hacker in my system who was running iroffer. I patched up the backdoor and everything, but the thing that is bothering me is the place where he put his iroffer files. He placed them in "/var/tmp/.. /". The thing is, when I do cd /var/tmp/.. / it takes me to /var/. Why? Well, because ".." represents going back a dir... so from /var/tmp it's telling the computer to go back one dir to /var/.... I can cd /var/tmp and do ls -a and see ". .. .. " which tells me that there is a dir named ".." because in the listing there should only be one of the TWO dots. Also in ps x I traced the filename to that dir. Any ideas how I can get into that dir? I tried quotes and everything. cd "/var/tmp/.. /" and nothing. I am using CentOS.

Galaxy-Hosts
04-26-07, 05:19 PM
I would try using WinSCP from http://winscp.net . It has a graphical interface and you *should* be able to open the directory by clicking on it. I cannot guarantee it will work; I do not use the program very much.

brianoz
04-30-07, 06:30 AM
cd '/var/tmp/.. ' should work. If it doesn't, try putting a backslash in front of the cd, i.e. \cd, as an alias or function may be causing the directory to be expanded twice. If that fails, try putting two sets of quotes around the directory name, i.e. cd "'/var/tmp/.. '".

If that doesn't work, go into vi and try :cd /var/tmp/. and use the tab key until you get the directory name and press enter, then run :shell <enter>.

EastsideHosting
05-24-07, 03:39 AM
In a lot of cases it's just a cracker who was able to crack your password, then they upload a key so that they always have access. So just remember: jondoe1902 is a bad pass, HR^H%THJH$%&^^$%&UU%U%Y%Y^$NY is a good pass !!

pageBuzz
06-05-07, 07:24 AM
I know it's a bit late, but I have a script that will check the SSH logins and ban IPs that have attempted to hack into the server with bad passwords.

Even with crazy secure passwords you don't stop the hacker from trying to guess. I have had several machines slow down and even lock me out because of several login attempts per second for extended periods of time.

The script I wrote will check the SSH log and lock out any IP that has failed a specified number of times.

It's one script, it's free and it could save you a load of hassles.

Another note on passwords is that your clients are the worst security risk, since their passwords are usually the same as the username or something simple. Even with a secure server a dictionary attack can still guess some passwords.

If you need a quick and easy patch download the script at http://bumblebeeware.com/sshlogcheck/

I also have some other cool scripts there like server monitoring and a great captcha. I hope you find it useful.

ryan1918
08-10-07, 11:57 AM
The /tmp directory is where most backdoors or hackers put things they don't want you to see. There are a few programs that can scan your system and find programs such as iroffer or the like.