Is it possible to fake live IPs? (AFAIK you can only spoof the loopback IP.) I was wondering because they already put allowed hosts in place in sshd_config... Is it possible to bypass it by some remote host saying that he is one of the IPs listed in the conf...?
TIA

On Friday 07 March 2003 08:55, Mark M. Barrios wrote:
> if you can see its pid then look for it in /proc
>
> /proc/<PID>/
>
> check cmdline or exe to see what exactly he's running
>
> you can find out a lot of things there
>
> :D
>
> daddy wrote:
> >if it's a script how can i know where to find it...
> >
> >right now i'm doing a grep ftp.geocities.com * from / ... is there a
> > nice way of doing this...??
> >
> >On Thursday 06 March 2003 17:02, Jimmy Lim wrote:
> >>>i was looking for our bandwidth eater.... and i did some minor
> >>>investigation i found out that in one of my box someone is doing an ftp to
> >>>ftp.geocities.com.. initial action was to look who's connected and after
> >>>did a pstree to look where the sftp respawn... luckily it didn't respawn
> >>>in a user login... it respawn from init...
> >>>
> >>>can someone tell me where to look so it doesn't happen again....
> >>>furthermore when i did the top:
> >>>
> >>>#top
> >>> PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
> >>>14791 userx 19 0 229M 229M 588 R 99.9 22.9 23425m sftp
> >>>
> >>># pstree -ap
> >>>
> >>> init,1)
> >>>
> >>> |-sftp,14791) ftp.geocities.com
> >>>
> >>>TIA
> >>
> >>Hi daddy,
> >>
> >>I don't think that was ftp, it's a secure ftp, maybe the box was
> >>compromised doing some upload of your confidential files (passwd/shadow)
> >>putting it to their free webhosting like geocities. check also your
> >>crontabs for other scripts that may run even this was removed in your init
> >>scripts.
> >>
> >>HTH
> >
> >_
> >Philippine Linux Users Group. Web site and archives at
> > http://plug.linux.org.ph To leave: send "unsubscribe" in the body to
> > [EMAIL PROTECTED]
> >
> >Fully Searchable Archives With Friendly Web Interface at
> > http://marc.free.net.ph
> >
> >To subscribe to the Linux Newbies' List: send "subscribe" in the body to
> > [EMAIL PROTECTED]
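
The /proc check suggested in the quoted reply (look at cmdline and exe under /proc/<PID>/), written out as a small shell function. This is an added example, not part of the original messages; `proc_triage`, `make_sample`, the `PROC_ROOT` override and the sample UID and paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. PROC_ROOT is a hypothetical override
# so the function can read a copied or constructed tree instead of live /proc.
proc_triage() {
    pid=$1
    dir="${PROC_ROOT:-/proc}/$pid"
    [ -d "$dir" ] || { echo "pid=$pid not found" >&2; return 1; }
    # exe links to the binary; the kernel appends " (deleted)" once the file
    # has been unlinked. cwd is the process's current working directory.
    exe=$(readlink "$dir/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "$dir/cwd" 2>/dev/null || echo "?")
    # cmdline is NUL-separated; convert the separators to spaces.
    cmd=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" | sed 's/ *$//')
    # status holds the parent PID and the real UID as labelled fields.
    ppid=$(awk '/^PPid:/ {print $2}' "$dir/status" 2>/dev/null)
    uid=$(awk '/^Uid:/ {print $2}' "$dir/status" 2>/dev/null)
    flags=""
    case $exe in *" (deleted)") flags="$flags exe-deleted" ;; esac
    # Non-root process parented by init: no login shell is its parent,
    # which is what pstree showed in the thread.
    if [ "$ppid" = "1" ] && [ "$uid" != "0" ]; then
        flags="$flags parent-is-init"
    fi
    echo "pid=$pid uid=$uid ppid=$ppid"
    echo "exe=$exe"
    echo "cwd=$cwd"
    echo "cmdline=$cmd"
    echo "flags=${flags# }"
}

# Constructed sample tree: PID and command line are quoted from the thread,
# the UID and paths are invented for the example.
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/14791"
    printf 'sftp\0ftp.geocities.com\0' > "$root/14791/cmdline"
    printf 'Name:\tsftp\nPPid:\t1\nUid:\t501\t501\t501\t501\n' > "$root/14791/status"
    ln -s '/home/userx/sftp (deleted)' "$root/14791/exe"
    ln -s '/home/userx' "$root/14791/cwd"
    echo "$root"
}

# With a PID argument, inspect the live process; otherwise show the sample.
if [ "$#" -gt 0 ]; then
    proc_triage "$1"
else
    ( PROC_ROOT=$(make_sample); proc_triage 14791 )
fi
```

Reading exe and cwd for another user's process needs root; without it those two fields print as `?`.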
