/proc/<PID>/
check cmdline or exe to see what exactly he's running
you can find out a lot of things there
:D
daddy wrote:
if it's a script, how can I know where to find it...
right now I'm doing a grep ftp.geocities.com * from / ... is there a nice way of doing this...??
On Thursday 06 March 2003 17:02, Jimmy Lim wrote:
Hi daddy, I was looking for our bandwidth eater.... and I did some minor investigation. I found out that on one of my boxes someone is doing an ftp to ftp.geocities.com.. initial action was to look at who's connected, and after that I did a pstree to look at where the sftp respawns... luckily it didn't respawn in a user login... it respawns from init...
Can someone tell me where to look so it doesn't happen again.... furthermore, when I did the top:
# top
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
14791 userx     19   0  229M 229M   588 R    99.9 22.9 23425m sftp
# pstree -ap
init,1)
|-sftp,14791) ftp.geocities.com
TIA
I don't think that was ftp, it's a secure ftp. Maybe the box was compromised, doing some upload of your confidential files (passwd/shadow) and putting them on their free webhosting like geocities. Check also your crontabs for other scripts that may run even if this was removed from your init scripts.
HTH
_ Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
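
The /proc/<PID>/ check suggested at the top of this thread, written out as an added example that is not part of the original messages. The helper name proc_inspect is hypothetical; it reads only exe, cwd, cmdline and status under /proc, and a relative script path seen in cmdline resolves against the reported cwd.

```shell
#!/bin/sh
# Added example: summarize what a PID is really running, using only /proc.
# proc_inspect is a hypothetical helper name, not a standard tool.
proc_inspect() {
    pid=$1
    dir="/proc/$pid"
    if [ ! -d "$dir" ]; then
        echo "error=no such process $pid" >&2
        return 1
    fi

    # exe is a symlink to the binary on disk; it ends in " (deleted)"
    # when the file was removed after the process started.
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe="(unreadable: need root or owner)"
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd="(unreadable)"

    # cmdline is NUL-separated argv; a script shows up as an argument
    # to its interpreter, e.g. "/bin/sh ./upload.sh".
    cmdline=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null | sed 's/ $//')

    # PPid 1 means the parent is init, as in the pstree output in the thread.
    ppid=$(awk '/^PPid:/ {print $2}' "$dir/status" 2>/dev/null)
    uid=$(awk '/^Uid:/ {print $2}' "$dir/status" 2>/dev/null)

    echo "pid=$pid"
    echo "exe=$exe"
    echo "cwd=$cwd"
    echo "cmdline=$cmdline"
    echo "ppid=$ppid"
    echo "uid=$uid"
    case $exe in
        *" (deleted)") echo "note=binary deleted from disk while still running" ;;
    esac
    return 0
}

# Inspect the PID given on the command line, or this shell itself.
proc_inspect "${1:-$$}"
```

Run as root to read exe and cwd for processes owned by other users.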
