> i was looking for our bandwidth eater.... and i did some minor > investigation i found out that in one of my box someone is doing an ftp > to > ftp.geocities.com.. initial action was to look who's connected and after > did a pstree to look where the sftp respawn... luckily it didnt respawn > in a user login... it respawn from init... > > can someone tell me where to look so it doesnt happen again.... > furthermore when i did the top: > > #top > PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND > 14791 userx 19 0 229M 229M 588 R 99.9 22.9 > 23425m sftp > > # pstree -ap > > init,1) > | > | > |-sftp,14791) ftp.geocities.com > > > TIA > Hi daddy,
I don't think that was ftp, it's a secure ftp, maybe the box was compromized doing some upload of your confidential files (passwd/shadow) putting it to their free webhosting like geocities. check also your contabs for other scripts that may run even this was removed in your init scripts. HTH -- Jimmy Lim IT Operation & Support Team Leader Tricom _ Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph To leave: send "unsubscribe" in the body to [EMAIL PROTECTED] Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
