On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote:
James Pifer wrote:
Find one of the processes that's still alive and do "ls -l /proc/<pid>". That will give you some info about it. The exe entry should be a link to the executable itself.
ok, I found it. Now what? You said run strings? I get: Multi-thread FTP scanner v0.2.5 by Inode inode@wayreth.eu.org
That looks like the ftp scanner which can be found at http://wayreth.eu.org/ - somebody is probably using your box to find insecure ftp servers for sharing files.
Can you do an "ls -lah /dev/shm/..\ /"?
Yep, I get:
ls -lah /dev/shm/..\ / total 24K drwxr-xr-x 3 hotmail hotmail 80 Feb 2 19:28 . drwxrwxrwt 3 root root 60 Feb 2 19:27 .. drwxr-xr-x 2 hotmail hotmail 180 Feb 6 2005 nt -rw-r--r-- 1 hotmail hotmail 24K Feb 2 19:27 nt.tar.gz
James