<div>On 26/01/06, Billy Verreynne (JW) <<a href="mailto:VerreyB@telkom.co.za">VerreyB@telkom.co.za</a>> wrote:<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Peter Garrett wrote: == root@prospero:/dev # fuser .static/dev/* .static/dev/fd: 25148 .static/dev/stderr: 22529 25134 25148 .static/dev/stdin: 22529 25134 25148 .static/dev/stdout: 22529 25134 25148 == Ditto. That is what I see to. Brian, it is not a great idea deleting stuff in /dev. However, the /dev tree can be rebuild use /dev/MAKEDEV. But this script differs from distrib to distrib so better manpage it before trying it. Hmm.. also maybe a good idea to do this at the console after having booted into single user mode. netstat and lsof also may be interesting for you as a trojan will surely attempt network access - listening on a UDP ot TCP port...? </blockquote></div> Yes - here is what I have 1. currently listening on 27665 is trojan trinoo_master. (UDP idle scan using nmap) 2. rebooting netstat -tlp shows udp ports open and listening on 8265, 8218 and 8419. 3. fuser shows that the directory /dev/.static/dev/ is NOT a directory, at least, it is not the directory I think it should be I will boot from Penguin sleuth and see more details, before deleting the /dev/.static/ directory, then (if I can reboot!) recheck as before. On googling for trinoo_master, I see very little about what to do, where the beast hides, and therefore not much can be done to remove it. Having done a clean install I still find traces of the beast. Therefore, tracking down the beast's lair and destroying is the way forward. So far, there is no report that I know of to say where we can likely find the lair. My supposition is that trinoo_master lurks in this seemingly correct directory, and is therefore an ongoing threat to my computer. Follow-up later! Brian