Re: weird process...
It is part of ssh, which means sftp should spawn under sshd?
Is it possible to transfer data using sftp without human intervention?
On Friday 07 March 2003 22:06, you wrote:
> Some people run sshd out of the startup scripts. I don't remember where.
> I just remember in the days before I found openssh, having to add a line to
> a file somewhere to make sshd start. Would that show as running as a child
> of init? Isn't sftp part of the SSH stuff?
>
> Randy
>
>
> -----Original Message-----
> From: Sean "The RIMBoy" [mailto:sean@rimboy.com]
> Sent: Thursday, March 06, 2003 12:53 PM
> To: jerome
> Cc: silug-discuss@silug.org
> Subject: Re: weird process...
>
> On Fri, 7 Mar 2003, jerome wrote:
> > I was looking for my bandwidth eater... and I did some minor
> > investigation. I found out that on one of my boxes someone is doing an ftp
> > to ftp.geocities.com. My initial action was to look at who's connected, and
> > after that I did a pstree to look at where the sftp respawned. Luckily it
> > didn't respawn in a user login... it respawned from init...
> >
> > Can someone tell me where to look so it doesn't happen again?
> > Furthermore, when I did the top:
> >
> > #top
> > PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
> > 14791 userx 19 0 229M 229M 588 R 99.9 22.9 23425m sftp
> >
> > # pstree -ap
> >
> > init,1)
> >
> > |-sftp,14791) ftp.geocities.com
>
> um, let me get this straight. You don't know who's doing the ftp to
> geocities? And the fact that it's being respawned out of init is not
> good. I'd venture to say you've been rooted and should probably install
> an airgap firewall ASAP. There is no not making it happen again without
> taking it offline and figuring out how they got in. The fact that they
> modified your inittab means they probably also have root. You are really
> going to want to salvage what important data you can, wipe the HD and
> reinstall. There is no remodeling after this mess IMO, without rebuilding
> the house.
>
> Sean...
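
A triage check for the situation discussed in this thread, added here as an example and not part of any poster's message: it flags file-transfer clients whose parent is PID 1 and lists inittab respawn entries that are not gettys. The function names, the watch list, the `ps -eo pid,ppid,user,comm,args` column layout and the sample data (including the example.com hosts) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,user,comm,args` output (not from the thread's host).
SAMPLE_PS='  PID  PPID USER     COMMAND         COMMAND
    1     0 root     init            init [3]
  612     1 root     sshd            /usr/sbin/sshd
 2210   612 root     sshd            sshd: alice [priv]
 2214  2210 alice    sftp-server     /usr/libexec/openssh/sftp-server
14791     1 userx    sftp            sftp ftp.example.com
 3301  3290 bob      sftp            sftp backup.example.net'

# Constructed sample of /etc/inittab contents.
SAMPLE_INITTAB='id:3:initdefault:
1:2345:respawn:/sbin/mingetty tty1
# x9:2345:respawn:/bin/commented
x9:2345:respawn:/usr/bin/sftp ftp.example.com'

# Hypothetical watch list: client tools normally started from a login shell or cron.
WATCH='sftp ftp scp nc wget curl'

# Read ps output on stdin; print "pid user args" for watched commands with PPID 1.
flag_init_children() {
    awk -v watch="$WATCH" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        NR > 1 && $2 == 1 && ($4 in want) {
            args = $5
            for (i = 6; i <= NF; i++) args = args " " $i
            print $1, $3, args
        }'
}

# Read inittab on stdin; print "id: process" for uncommented respawn entries
# whose process field is not a getty.
inittab_respawn_unexpected() {
    awk -F: '!/^[ \t]*#/ && $3 == "respawn" && $4 !~ /getty/ { print $1 ": " $4 }'
}

# On a live host: ps -eo pid,ppid,user,comm,args | flag_init_children
#                 inittab_respawn_unexpected < /etc/inittab
printf '%s\n' "$SAMPLE_PS" | flag_init_children
printf '%s\n' "$SAMPLE_INITTAB" | inittab_respawn_unexpected
```

A process also gets PPID 1 when its original parent has exited, so a hit from the first function is a lead to follow up; the inittab check is what ties it to a respawn entry.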