Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 04-18-2006, 05:33 AM | LQ Newbie | Registered: Apr 2006 | Posts: 4
Hacker Hidden Files, how to spot them?
OK, so I'll try to be to the point. I have recently been hacked; the "hacker" who penetrated me has been wandering through my system for quite a while. He didn't do too much damage, but he ran some IRC bots. The thing is, I successfully got rid of him and patched my system. The things he left behind made me wonder: some interesting 'hidden' folders that I couldn't get into. Like, I know that
drwxr-xr-x 2 test wheel - 68 Mar 26 21:43
drwxrwxrwt 30 root wheel - 1020 Apr 12 12:58 .
the first dir is made with " " or ".." or ". "; there are lots of simple ones, but I found some more elaborate dirs, like one that was a simple ..\ but I couldn't get into it. I know I can try a file manager like Midnight Commander, but let's say I don't have it. How do I see all the folders (hidden ones), and not the ls -a way, like to see the full path?
#2 | 04-18-2006, 07:42 AM | Member | Registered: Mar 2006 | Posts: 110
I did not get you properly. You want to say that the hacker has created some hidden folders in your file system. Then why don't you want to look at these folders using the
ls -a
command? Please elaborate your question and tell us the names of those folders which you want to delete.
#3 | 04-18-2006, 08:52 AM | Senior Member | Registered: Apr 2005 | Location: London | Distribution: Arch - Latest | Posts: 1,522
Without a read-only snapshot on a medium like a CD or something, using an IDS, I don't think there's a very reliable way to check what is and isn't compromised on your system; I would reinstall and harden it straight away.
For example, your ls executable could be compromised so as not to show files in those folders.
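An added example (mine, not code from this post or from anyone in the thread) of the read-only baseline this reply alludes to, as a POSIX sh script: record a SHA-256 of every file under a directory while the system is known-good, keep that list on read-only media, and re-check it later, reporting MODIFIED, MISSING and NEW files. The demo tree (a fake bin/ holding ls and ps, then a tampered ls and a dropped-in .bot) is constructed for the example, and it assumes sha256sum, shasum or openssl is installed. The check only means something if the hashing tool and the shell running it are themselves trusted: a tampered sha256sum, or a kernel-level rootkit, can lie exactly as a tampered ls can, which is why the advice to reinstall stands.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline.
# The demo tree and file contents below are constructed for demonstration.

# SHA-256 of one file. Assumption: one of these tools exists on the box.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Write one "<64-hex-hash>  <path>" line per regular file under $1 into $2.
# The baseline belongs on read-only media (the CD the post mentions), not on
# the host, or an intruder simply rewrites it along with the binaries.
# Caveat: paths containing a newline are not handled; real tools (AIDE,
# Tripwire) use NUL-separated or escaped formats for that reason.
record_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# Re-check directory $1 against baseline $2. Prints one line per finding:
#   MODIFIED <path>   content hash differs from the baseline
#   MISSING  <path>   listed in the baseline but gone
#   NEW      <path>   present now, absent from the baseline
# Returns 0 only if there is nothing to report.
verify_baseline() {
    report=$(
        while IFS= read -r line; do
            expected=${line%%  *}
            path=${line#*  }
            if [ ! -f "$path" ]; then
                printf 'MISSING  %s\n' "$path"
            elif [ "$(hash_file "$path")" != "$expected" ]; then
                printf 'MODIFIED %s\n' "$path"
            fi
        done < "$2"
        # hash is 64 hex chars plus two spaces, so the path starts at column 67
        find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
            cut -c 67- "$2" | grep -Fqx -- "$f" || printf 'NEW      %s\n' "$f"
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed demo: baseline a fake bin/, then tamper the way an intruder
# would (replace ls, drop a hidden bot) and re-check. Prints the findings
# and returns 1 when tampering was detected.
demo() {
    root=$(mktemp -d) || return 2
    mkdir "$root/bin"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'original ps\n' > "$root/bin/ps"
    record_baseline "$root/bin" "$root/baseline.txt"
    printf 'trojaned ls\n' > "$root/bin/ls"      # replaced binary
    printf 'irc bot\n'     > "$root/bin/.bot"    # new hidden file
    if verify_baseline "$root/bin" "$root/baseline.txt"; then rc=0; else rc=1; fi
    rm -rf "$root"
    return $rc
}

# Stand-alone run: the demo reports the replaced ls and the new .bot, not ps.
demo || printf 'baseline check found differences\n'
```

Against a real system you would run record_baseline on /bin, /sbin and the like from a clean install, copy the list to read-only media, and run verify_baseline from a rescue environment that brings its own shell and hashing tool.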
#4 | 04-18-2006, 12:50 PM | LQ Newbie | Registered: Apr 2006 | Posts: 4 | Original Poster
OK
OK, so I found in /tmp these dirs:
drwxr-xr-x 2 test wheel - 68 Mar 26 21:43
drwxr-xr-x 2 test wheel - 68 Mar 26 22:01 ..\
drwxr-xr-x 2 test wheel - 68 Mar 26 22:30 .,
drwxr-xr-x 2 test wheel - 68 Mar 26 22:54 ...
drwxrwxrwt 30 root wheel - 1020 Apr 12 12:58 .
I found out that in the first dir, drwxr-xr-x 2 test wheel - 68 Mar 26 21:43 (the blank one), you get in with cd " ". Now the ., dir is simple: ., no quotes or anything; the 3 dots are simple too: ... But ..\ how do I get in there? How can I find out what cd syntax is needed to get into that folder? And I researched that some dirs may be like " " with numerous spaces between the quotes. How do I see the full path (letters, numbers, quotes) of the dir? Thanks for your replies!
#5 | 04-18-2006, 01:10 PM | LQ Newbie | Registered: Apr 2006 | Posts: 4 | Original Poster
Okay, problem solved
Quote:
Originally Posted by thazer
OK, so I found in /tmp these dirs:
drwxr-xr-x 2 test wheel - 68 Mar 26 21:43
drwxr-xr-x 2 test wheel - 68 Mar 26 22:01 ..\
drwxr-xr-x 2 test wheel - 68 Mar 26 22:30 .,
drwxr-xr-x 2 test wheel - 68 Mar 26 22:54 ...
drwxrwxrwt 30 root wheel - 1020 Apr 12 12:58 .
I found out that in the first dir, drwxr-xr-x 2 test wheel - 68 Mar 26 21:43 (the blank one), you get in with cd " ". Now the ., dir is simple: ., no quotes or anything; the 3 dots are simple too: ... But ..\ how do I get in there? How can I find out what cd syntax is needed to get into that folder? And I researched that some dirs may be like " " with numerous spaces between the quotes. How do I see the full path (letters, numbers, quotes) of the dir? Thanks for your replies!
|
OK, so it proves that I'm really a n00b. A simple ls --help could have sorted me out. To see directories in more detail, using ls -am can sort the dirs separated by commas, so you can see a bit of the dir's name. I found out that the ..\ was made through mkdir "..\ "; using ls -am showed me ., .., ..\ , therefore it's a space at the end of the \. Plain simple, but it got me a little bit concerned.
#6 | 04-18-2006, 01:36 PM | Senior Member | Registered: Dec 2005 | Location: Campinas/SP - Brazil | Distribution: SuSE, RHEL, Fedora, Ubuntu | Posts: 1,508
I was about to suggest you use "ls -qQ", which gives you a listing with double quotes around the names and prints a question mark (?) instead of any control chars in the filename.
The result is about the same as you get with the "m" option.
#7 | 04-18-2006, 05:58 PM | Senior Member | Registered: Jun 2003 | Location: California | Distribution: Slackware | Posts: 1,181
If your system's been compromised, especially with the root account, generally the first order of business is to remove it from the net and reinstall. As has been mentioned above, who knows what else has been tampered with.
Just my $0.02
#8 | 04-18-2006, 06:02 PM | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Using "hidden" and obscured filenames (... or ../ etc.) is a pretty standard cracking trick and should raise a red flag any time you see them. /tmp is usually world wrx on most systems, so finding cracker files there is pretty standard too.
What concerns me is that they are owned by "test" (please tell me you didn't have a user named "test"), who is part of the *wheel* group. I don't know how your system is configured, but wheel is usually a group with privileged access, which would be really bad.
IMHO, I'd agree with ethics and say that a format and reinstall is really the *only* way you can be sure that something nasty isn't lurking in your filesystem or in a binary somewhere.
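Pulling together what the last few posts worked out (ls -am and ls -qQ to see the names, and the point just above that names like ... or ..\ are a red flag): an added example, mine rather than anything posted in the thread, in POSIX sh. It recreates the four odd /tmp directories the OP listed in a scratch directory (a constructed fixture, plus one benign entry for contrast), renders each name with every byte visible so a trailing space or a backslash cannot hide, and applies a simple rule for flagging names that exist only to disguise: anything containing a non-printing byte or a backslash, or consisting solely of punctuation and whitespace. The three-glob loop and sed's l command are plain sh; nothing depends on GNU ls, so it also works on a box where ls itself is not trusted, provided the shell, sed and tr are.

```shell
#!/bin/sh
# Added example, not from the thread: make every byte of a filename visible
# and flag names that are built to hide. The fixture is constructed.

# Constructed fixture: the four odd names from the OP's /tmp listing
# (a lone space, "..\ " with a trailing space, ".," and "...") and one
# ordinary directory for contrast. Prints the scratch directory's path.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ " "$d/..\\ " "$d/.," "$d/..." "$d/normal.d"
    printf '%s\n' "$d"
}

# Call "$@" once per entry of directory $1 (basename only), skipping . and ..
# Three globs are needed because * skips dotfiles and .* would include . and ..:
#   *        names not starting with a dot (a lone space is caught here)
#   .[!.]*   names starting with exactly one dot
#   ..?*     names starting with two dots and at least one more character
for_each_entry() {
    dir=$1; shift
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # unmatched glob pattern
        "$@" "${path##*/}"
    done
}

# Render a name unambiguously: sed's l command escapes backslashes (\\) and
# non-printing bytes (\ooo) and marks the true end of the line with $, which
# is what exposes a trailing space. Works without trusting ls at all.
show_name() {
    printf '%s\n' "$1" | sed -n l
}

# Heuristic from the thread: does this name exist to hide rather than to name?
# Returns 0 (true) when suspicious. Non-ASCII names will trip the first test
# in the C locale; treat hits as something to look at, not as proof.
is_suspicious_name() {
    name=$1
    # any byte that is not printable (control characters, e.g. a backspace)
    if [ -n "$(printf '%s' "$name" | tr -d '[:print:]')" ]; then return 0; fi
    # a backslash anywhere, as in "..\ ", whose only purpose is to confuse a shell
    case $name in *\\*) return 0 ;; esac
    # strip punctuation and whitespace; if nothing is left, the name is pure disguise
    [ -z "$(printf '%s' "$name" | tr -d '[:punct:][:space:]')" ]
}

# One report line per entry: SUSPICIOUS or ok, then the escaped name.
audit_one() {
    if is_suspicious_name "$1"; then tag=SUSPICIOUS; else tag=ok; fi
    printf '%s %s\n' "$tag" "$(show_name "$1")"
}
audit_dir() {
    for_each_entry "$1" audit_one
}

# Number of flagged entries in directory $1.
count_suspicious() {
    audit_dir "$1" | grep -c '^SUSPICIOUS'
}

# Stand-alone run: build the fixture, audit it, clean up.
d=$(make_fixture) && audit_dir "$d" && rm -rf "$d"
```

The report shows the four planted names as SUSPICIOUS, with the trailing space of ..\ visible as `..\\ $`, and normal.d as ok. To enter one of these directories, quote the exact bytes the report shows, e.g. cd -- "$d/..\\ " (backslash and trailing space both inside the double quotes). With GNU coreutils, ls -abQ gives a comparable escaped and quoted listing, but only if ls itself can be trusted, which is the point the earlier replies make.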
#9 | 04-27-2006, 09:37 AM | LQ Newbie | Registered: Apr 2006 | Posts: 4 | Original Poster
My bad
Well, indeed test is a wheel user, but it was my bad. I had some testing to do and added user test; for quicker use I used the password test, and there's the bad thing: it used an SSH brute forcer and got my pass. Found the SSH brute forcer in my sys and deleted it too. The thing is, I found quite a few things from the hacker who was in my sys. The thing is, always update your kernel. I use the latest version that kernel.org provides, and try not to use weak passwords. In my opinion, update is the mother of security. I didn't have to reinstall my sys; it would take too long, and the possible threat that some data would be lost, quite frankly, was not an option :> The real threat these days is not SSH brute forcers, because they could usually be stopped by using stronger passwords; the threat comes with web-based apps that have security holes. Like, I manage some web sites and had quite a fight with hackers but managed to win ;P so far. Sorry for the late reply.
#10 | 04-27-2006, 04:19 PM | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote:
Originally Posted by thazer
I didn't have to reinstall my sys; it would take too long, and the possible threat that some data would be lost, quite frankly, was not an option
|
If he had admin privileges then virtually *anything* could have been done to the system. You would be making a real mistake to think that simply removing any hidden files would be enough to make the system even remotely secure again. So it's really the *only* option.
Taking the time to reinstall may be a pain, but you can safely do it without losing any files. The alternative is that all your passwords and any sensitive data (credit card info?) may potentially be compromised. The machine may also be used to store warez (cracked software) and pornography which someone may try to hold you responsible for. Getting 0wned sucks, especially when it's because you didn't take the time to update the system; don't compound the problem by continuing to neglect it.