if its a script how can i know where to find it... right now im doing a grep ftp.geocities.com * from / ... is there a nice way of doing this...??
On Thursday 06 March 2003 17:02, Jimmy Lim wrote: > > i was looking for our bandwidth eater.... and i did some minor > > investigation i found out that in one of my box someone is doing an ftp > > to > > ftp.geocities.com.. initial action was to look who's connected and after > > did a pstree to look where the sftp respawn... luckily it didnt respawn > > in a user login... it respawn from init... > > > > can someone tell me where to look so it doesnt happen again.... > > furthermore when i did the top: > > > > #top > > PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND > > 14791 userx 19 0 229M 229M 588 R 99.9 22.9 > > 23425m sftp > > > > # pstree -ap > > > > init,1) > > > > |-sftp,14791) ftp.geocities.com > > > > TIA > > Hi daddy, > > I don't think that was ftp, it's a secure ftp, maybe the box was > compromized doing some upload of your confidential files (passwd/shadow) > putting it to their free webhosting like geocities. check also your > contabs for other scripts that may run even this was removed in your init > scripts. > > HTH _ Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph To leave: send "unsubscribe" in the body to [EMAIL PROTECTED] Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
