Re: weird process...
On Fri, 7 Mar 2003, jerome wrote:
> I was looking for my bandwidth eater.... and I did some minor investigation. I
> found out that on one of my boxes someone is doing an ftp to
> ftp.geocities.com.. initial action was to look who's connected and after did
> a pstree to look where the sftp respawns... luckily it didn't respawn in a user
> login... it respawns from init...
>
> Can someone tell me where to look so it doesn't happen again.... furthermore
> when I did the top:
>
> #top
> PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
> 14791 userx 19 0 229M 229M 588 R 99.9 22.9 23425m sftp
>
> # pstree -ap
>
> init,1)
> |
> |
> |-sftp,14791) ftp.geocities.com
Um, let me get this straight. You don't know who's doing the ftp to
geocities? And the fact that it's being respawned out of init is not
good. I'd venture to say you've been rooted and should probably install
an airgap firewall ASAP. There is no not making it happen again without
taking it offline and figuring out how they got in. The fact that they
modified your inittab means they probably also have root. You are really
going to want to salvage what important data you can, wipe the HD and
reinstall. There is no remodeling after this mess IMO, without rebuilding
the house.
Sean...
--
Believing I had supernatural powers, I slammed into a brick wall.
--Paul Simon
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
KG4NRC http://www.rimboy.com Your source for the crap you know you need.
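
An added example, not part of the original thread: one way to check an inittab for the kind of change Sean describes, by listing every `respawn` entry whose program is not one the host is expected to respawn. The SysV `id:runlevels:action:process` format is assumed, and the allowlist, the function names and the sample file are constructed for illustration.

```python
import shlex
import sys

# Assumption: the only programs this host should respawn from init are gettys.
EXPECTED_RESPAWN = {"/sbin/mingetty", "/sbin/agetty", "/sbin/getty"}

# Constructed sample in SysV inittab format (id:runlevels:action:process).
SAMPLE_INITTAB = """\
# constructed sample, not taken from the poster's machine
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
sf:2345:respawn:/usr/bin/sftp ftp.geocities.com
"""

def parse_inittab(text):
    """Return (lineno, id, runlevels, action, process) for each entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) == 4:
            entries.append((lineno, *parts))
    return entries

def suspicious_respawns(text, expected=EXPECTED_RESPAWN):
    """Return respawn entries whose executable is not in the expected set."""
    findings = []
    for lineno, ident, _runlevels, action, process in parse_inittab(text):
        if action != "respawn":
            continue
        # A leading '+' only disables utmp/wtmp accounting; strip it.
        cmd = process.lstrip("+").strip()
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = cmd.split()
        if not argv or argv[0] not in expected:
            findings.append((lineno, ident, process))
    return findings

if __name__ == "__main__":
    # Pass a path (e.g. the inittab from a mounted disk image) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INITTAB
    for lineno, ident, process in suspicious_respawns(text):
        print(f"line {lineno}: id={ident!r} respawns {process!r}")
```

On a host that may already be rooted, read the inittab from trusted boot media or a disk image rather than through the running system, whose tools and files can no longer be relied on.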