[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: weird process...

To: <silug-discuss@silug.org>
Subject: Re: weird process...
From: "Flood Randy Capt AFCA/TCAA" <Randy.Flood@scott.af.mil>
Date: Fri, 7 Mar 2003 08:06:31 -0600
Organization: Southern Illinois Linux Users Group
Reply-To: silug-discuss@silug.org
Sender: silug-discuss-owner@silug.org
Thread-Index: AcLkFtycVd2d3kl4QwaCggIxbM0DbQAmfYPQ
Thread-Topic: weird process...

Some people run sshd out of the startup scripts.  I don't remmeber where.  I just remember in the days before I found openssh, having to add a line to a file somewhere to make sshd start.  Would that show as running as a child of init?  Isn't sftp part of the SSH stuff?  

Randy    

-----Original Message-----
From: Sean \The RIMBoy\ [mailto:sean@rimboy.com]
Sent: Thursday, March 06, 2003 12:53 PM
To: jerome
Cc: silug-discuss@silug.org
Subject: Re: weird process...

On Fri, 7 Mar 2003, jerome wrote:

> i was looking for my bandwidth eater.... and i did some minor investigation i 
> found out that in one of my box someone is doing an ftp to 
> ftp.geocities.com.. initial action was to look who's connected and after did 
> a pstree to look where the sftp respawn... luckily it didnt respawn in a user 
> login... it respawn from init...
> 
> can someone tell me where to look so it doesnt happen again.... furthermore 
> when i did the top:
> 
> #top
>   PID USER   PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
> 14791 userx  19      0   229M 229M  588        R        99.9   22.9    23425m 
> sftp
> 
> # pstree -ap
> 
>  init,1)
>    |
>    |
>    |-sftp,14791) ftp.geocities.com

um, let me get this straight.  You don't know who's doing the ftp to 
geocities?  And the fact that it's being respawned out of init is not 
good.  I'd venture to say you've been rooted and should probably install 
an airgap firewall ASAP.   There is no not making it happen again without 
taking it offline and figuring out how they got in.  The fact that they 
modified your inittab means they probably also have root.  You are really 
going to want to salvage what important data you can, wipe the HD and 
reinstall.  There is no remodeling after this mess IMO, without rebuilding 
the house.

Sean...

--
Believing I had supernatural powers, I slammed into a brick wall.
	--Paul Simon
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
KG4NRC  http://www.rimboy.com  Your source for the crap you know you need.

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.

Follow-Ups:
- Re: weird process...
  - From: daddy <jerome@gmanmi.tv>

Prev by Date: Re: OT: Mary Wickes rests in Shiloh
Next by Date: Go! Bruce Go!
Prev by thread: Re: weird process...
Next by thread: Re: weird process...
Index(es):
- Date
- Thread