Just recently a very disgruntled forum user of one of the charity organisations I'm involved with launched an all-out attack on our server. This matter is now being dealt with by the police, but today on a different forum, I had a member asking if anything had changed as the forum was acting weird. Anyway, to get to the point, I've been looking at logs etc. and can't see anything new in the logs which points to an attack, but I noticed one particular Java process was taking quite a bit of CPU time. When I looked at what the process was I saw this:
I can't recall ever seeing that before, so I'm trying to determine whether the people who attacked before are still at it and if this is some backdoor process they've launched.
If anyone can give me any information on that Java lib I'd really appreciate it. I must admit, although I am very comfortable around Linux & programming, being the victim of an attack has left me feeling somewhat ignorant in the security field.
Regards, Dave Brown
SCJP 6 - http://www.dbws.net/ - Check out Grails Forum
Looks like it's an FTP server of some kind. If it's taking up a lot of CPU time that may be an indication it's serving a lot of files. Regardless, if it's not supposed to be running, you should shut it down. Also check the dates on the files it uses, those might give a clue as to when it got installed or (re)configured.
Good job I looked closer, somehow they'd installed the thing to /var/tmp/.tmp
Inside were all sorts of files they were sharing, filling up the HD.
Not sure how they got in either, but I think I'll do some googling now on security and try to learn a bit more.
I need help as soon as possible.
I have the same issue on my server. Lots of files being shared.
The process is run from /var/tmp/.tmp
I want to find out how they got into the server and how to stop this from happening again.
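A triage check for the pattern reported in this thread, added here as an example and not posted by any participant: it lists processes whose working directory or executable sits under a world-writable temp location such as /var/tmp/.tmp, and prints file dates for a directory as suggested in the reply above. It assumes a Linux /proc; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# in_temp_path PATH -> succeeds if PATH is inside /tmp, /var/tmp or /dev/shm
in_temp_path() {
    case "$1" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# suspicious_procs [PROC_ROOT] -> prints "PID<TAB>cwd<TAB>exe" for each match.
# PROC_ROOT defaults to /proc; it is a parameter so a saved or fake tree works.
suspicious_procs() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        # readlink fails for processes that exited or that we may not inspect
        cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd=""
        exe=$(readlink "$d/exe" 2>/dev/null) || exe=""
        if in_temp_path "$cwd" || in_temp_path "$exe"; then
            printf '%s\t%s\t%s\n' "${d##*/}" "$cwd" "$exe"
        fi
    done
}

# file_dates DIR -> long listing of files under DIR, newest first per batch,
# to estimate when the directory was populated or reconfigured.
file_dates() {
    find "$1" -xdev -type f -exec ls -ldt {} +
}

# Usage as root on the affected host:
#   suspicious_procs
#   file_dates /var/tmp/.tmp
```

Run it as root so the cwd and exe links of other users' processes are readable, and record the output before stopping the process or deleting the directory.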