On Thu, June 26, 2008 09:39, Chris Downie wrote:
> What should I be looking for and what can I put in place to track what is
> downloading and where it's coming from?

It could be *uploading*. You might have been rooted. Sorry.

Disconnect the machine from the network. Don't reboot it before you've had a chance to have a good look around. Consider how you will erase and re-install the OS. Hope for the best, expect the worst. Don't panic.

There are a couple of rootkit detector programs you can run, but you get the best results if you anticipate being rooted and check them against the record you made of the clean machine just after you set it up (no, I haven't done that either).

Take a look in /var/log/auth.log for successful remote logins that you can't vouch for. In fact take a look at your logs in general, looking for suspicious activity (such as, for example, the logs not being there).

Also, have a look at the filesystem for strange-looking directories. A
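
Added example, not part of the original message: a Python sketch of the auth.log check described above, listing accepted sshd logins whose user and source address are not on a list you can vouch for, and reporting long silences in the log that may mean entries are missing. The sample lines, host name, addresses, the vouched-for list and the six-hour gap threshold are all constructed assumptions, and the classic syslog line format is assumed; run it against a copy of the log taken from the disconnected machine.

```python
import re
from datetime import datetime, timedelta

# Classic syslog sshd line, e.g.
# "Jun 26 03:12:51 box sshd[2292]: Accepted password for root from 203.0.113.7 port 51520 ssh2"
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

def parse_ts(stamp, year):
    # Classic syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def unvouched_logins(lines, vouched, year):
    """Return (time, user, source, method) for accepted logins not in `vouched`."""
    hits = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m and (m["user"], m["src"]) not in vouched:
            hits.append((parse_ts(m["ts"], year), m["user"], m["src"], m["method"]))
    return hits

def log_gaps(lines, year, max_gap=timedelta(hours=6)):
    """Return (before, after) pairs where the log is silent for longer than max_gap.
    A gap is a hint that entries may have been removed, not proof."""
    stamps = [parse_ts(m[1], year) for m in map(STAMP.match, lines) if m]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]

# Constructed sample input (documentation addresses, made-up host and users).
SAMPLE = """\
Jun 26 01:10:02 box sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Jun 26 01:15:40 box sshd[2101]: pam_unix(sshd:session): session closed for user alice
Jun 26 03:12:45 box sshd[2290]: Failed password for root from 203.0.113.7 port 51514 ssh2
Jun 26 03:12:51 box sshd[2292]: Accepted password for root from 203.0.113.7 port 51520 ssh2
Jun 26 14:02:13 box sshd[3011]: Accepted publickey for alice from 192.0.2.10 port 50310 ssh2
""".splitlines()

# Assumption: the (user, source address) pairs the admin can account for.
VOUCHED = {("alice", "192.0.2.10")}

if __name__ == "__main__":
    for when, user, src, method in unvouched_logins(SAMPLE, VOUCHED, 2008):
        print(f"unvouched login: {when} {user} from {src} via {method}")
    for before, after in log_gaps(SAMPLE, 2008):
        print(f"log silent from {before} to {after}")
```

An empty result does not clear the machine, since the log itself may have been edited.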
