Hi,

At my place of work, we were hit by some crackers, and they placed movies, copyrighted material, and all that good stuff that we can get in trouble for. We finally found out because someone told our ISP that we were distributing their material, and we quickly found it and took it off. The thing is, they kept doing other stuff to our system like uploading more files and sending out spam. We kept getting rid of these files, and finally today we came across a hidden .config directory which contained a ssh. What I am wondering is how were they able to hide it from Root? We were able to see everything else in this directory but that .config directory. Also, any advice on how to set up a honeypot to find out where they are connecting from?

Thanks ahead of time.