
Re: please read: very odd network traffic



* P Kirk (patrick@enterprise-hr.com) [010807 12:32]:
> Saw something similar in a FreeBSD box once.  It was a trojan ftp
> daemon that started off some obscure user like sysgetty or some other
> "official" looking name.  The RAID had 36 gigs of mp3s and porn.
> 
> You might want to backup your data and reinstall if no-one has a more
> knowledgeable answer.
> 
> In the meantime there's no need to disconnect from the net.  Just have a
> rolling kill command that kills ftpd every second. I don't have shell

No offense intended, but this is some of the WORST advice I've heard on
this list to date.

If you fear you may have been compromised, by all means, and for the
love of us all, unplug your network cable at once. If for no other
reason than this: Your system could possibly be launching attacks at
other systems unbeknownst to you, for which you can be held legally and
financially accountable.

Unplug it NOW, and start doing some digging to find out what's really
going on. If you find modified binaries, etc. the easiest way to recover
(IMHO) is to reinstall and restore your (verified clean) data from
backups.

Running a script to repeatedly kill the process will only burn your CPU
cycles; if indeed the process is "Respawning because it's a trojan" the
reality of the situation is that other things on your system have been
tampered with. If there's some recurring process (via cron or something)
that restarts the app, a better (but still bad) idea would be to stop
that cron job. IMO, the only acceptable course of action is to pull your
cables and get down and dirty with some forensics.

Vineet
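The two checks Vineet describes (look for modified binaries, then look for whatever is respawning the daemon) can be done offline against a copy of the disk. The script below is an added example, not code from the thread or from any of the posters: it verifies files against a sha256sum-style manifest of known-good hashes and flags crontab entries whose command matches a pattern. The manifest, fake filesystem root and crontab are constructed inline so it runs stand-alone; on a real box the baseline would come from a clean install or package database, and the crontab text from /etc/crontab, /etc/cron.d/* and the spool directories, read from clean boot media rather than the possibly rootkitted system.

```python
"""Offline triage helpers for a suspected compromise (added example).

1. verify_against_manifest(): compare files under a root directory with
   known-good SHA-256 hashes ("<hex>  <path>", the sha256sum format).
2. cron_entries_matching(): list active crontab lines whose command part
   matches a regex, e.g. the daemon that keeps coming back after a kill.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <path>') into {path: hex}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        manifest[path.strip()] = digest.lower()
    return manifest


def verify_against_manifest(manifest: Dict[str, str], root: str = "/") -> Dict[str, str]:
    """Return {path: 'ok' | 'modified' | 'missing'} for every manifest entry,
    resolving paths under `root` (e.g. a mounted image of the suspect disk)."""
    results = {}
    for path, expected in manifest.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            results[path] = "missing"
        elif sha256_file(full) == expected:
            results[path] = "ok"
        else:
            results[path] = "modified"
    return results


# Either an @keyword schedule or five whitespace-separated time fields,
# followed by the command.
CRON_LINE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")


def cron_entries_matching(cron_text: str, pattern: str) -> List[Tuple[int, str]]:
    """(line_number, line) for active crontab entries whose command matches
    `pattern`. Blank lines, comments and VAR=value assignments are skipped."""
    hits = []
    for n, raw in enumerate(cron_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m and re.search(pattern, m.group(2)):
            hits.append((n, line))
    return hits


def demo() -> dict:
    """Constructed scenario (not real data): a fake root with one intact
    binary, one tampered binary and one missing binary, plus a crontab that
    restarts ftpd every minute and an 'official'-looking daemon at boot."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/sbin"))
    os.makedirs(os.path.join(root, "usr/bin"))
    good_ls = b"#!/bin/sh\necho ls-stub\n"
    good_ftpd = b"#!/bin/sh\necho ftpd-stub\n"
    with open(os.path.join(root, "usr/bin/ls"), "wb") as f:
        f.write(good_ls)
    with open(os.path.join(root, "usr/sbin/ftpd"), "wb") as f:
        f.write(good_ftpd + b"# trojan payload appended\n")  # tampered
    manifest_text = "\n".join([
        "# baseline taken from clean install media",
        f"{hashlib.sha256(good_ls).hexdigest()}  /usr/bin/ls",
        f"{hashlib.sha256(good_ftpd).hexdigest()}  /usr/sbin/ftpd",
        f"{hashlib.sha256(b'login').hexdigest()}  /bin/login",  # not present
    ])
    crontab = "\n".join([
        "# m h dom mon dow command",
        "MAILTO=root",
        "* * * * * /usr/sbin/ftpd -D >/dev/null 2>&1",
        "@reboot /usr/sbin/sysgetty",
        "0 3 * * * /usr/bin/updatedb",
    ])
    files = verify_against_manifest(parse_manifest(manifest_text), root)
    cron = cron_entries_matching(crontab, r"ftpd|sysgetty")
    return {"files": files, "cron": cron}


if __name__ == "__main__":
    out = demo()
    for path, state in sorted(out["files"].items()):
        print(f"{state:9s} {path}")
    for n, line in out["cron"]:
        print(f"crontab line {n}: {line}")
```

A hash match only proves the file on disk equals the baseline; a kernel-level rootkit can still hide a process or lie to the tools reading the disk on a live system, which is why the comparison belongs on a mounted image or from clean boot media, not on the running box.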
