220 and 530 messages can be SMTP, or they can be FTP or something else. The 220 plus the "crew" banner would make me want to run a sniffer and/or point an FTP client at that port to determine whether that's an FTP banner, associated with FTP tagging / pubstro activity. The presence of lots of illegal warez files such as DVD, games, etc. or much lower free disk space than normal might also be a clue.
Because of the running process on the system on a non-standard port, it seems fairly certain that a root level compromise has occurred. However, often you will find FTP pubstro compromises where the "attackers" have no knowledge or interest in what your server is or the data on it. A typical pubstro attack will be a broad scan and compromise of lots of systems with financial gain as the motive, with little time and interest in reconnaisance or discovery of data. The ident port has been used in some past documented pubstros, possibly because the firewall was configured to allow use of that port in and out. http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0411&L=security&T=0&F=&S=&P=2356 - karl levinson __________________________________ Yahoo! FareChase: Search multiple travel sites in one click. http://farechase.yahoo.com
