From owner-freebsd-questions  Thu Oct 18 12:17:42 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from srv.cip.physik.tu-muenchen.de (srv.cip.physik.tu-muenchen.de [129.187.137.223])
	by hub.freebsd.org (Postfix) with ESMTP id 78A8E37B401
	for <questions@FreeBSD.org>; Thu, 18 Oct 2001 12:17:30 -0700 (PDT)
Received: from xenon.e20.physik.tu-muenchen.de (xenon.e20.physik.tu-muenchen.de [129.187.217.1])
	by srv.cip.physik.tu-muenchen.de (8.10.2/8.10.2) with ESMTP id f9IJHTE02665
	for <questions@FreeBSD.org>; Thu, 18 Oct 2001 21:17:29 +0200 (MET DST)
Received: from e20.physik.tu-muenchen.de by xenon.e20.physik.tu-muenchen.de (8.8.8/1.1.22.3/10Apr00-0354PM)
	id VAA0000030166; Thu, 18 Oct 2001 21:17:23 +0200 (MET DST)
Message-ID: <3BCF2AB3.CB8F4D56@e20.physik.tu-muenchen.de>
Date: Thu, 18 Oct 2001 21:17:07 +0200
From: Georgi Tyuliev <tyuliev@e20.physik.tu-muenchen.de>
X-Mailer: Mozilla 4.78 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: questions@FreeBSD.org
Subject: 77M    ./var/ftp/incoming/                    com2/tagged 4 Lhotse by 
 Xplosivo/filled by okunawa/tc2
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

I am using FreeBSD-4.3 release and when I tried to make a telnet
I got a message telling  that the filesystem is full. It appears that
/var/ftp/incoming
directory is filled maliciously by some attacker. Unfortunately I can
not
remove these files/directories, their behavior is strange.
How one should proceed in such cases,
Best regards,
Dr. Georgi Tyuliev

Below is a part of the output from the commands:
"du -h"

497K    ./var/ftp/bin
4.0K    ./var/ftp/etc
1.0K    ./var/ftp/pub
1.0K    ./var/ftp/incoming/
1.0K    ./var/ftp/incoming/          com1
 77M    ./var/ftp/incoming/                    com2/tagged 4 Lhotse by
Xplosivo/filled by okunawa/tc2
 77M    ./var/ftp/incoming/                    com2/tagged 4 Lhotse by
Xplosivo/filled by okunawa
 77M    ./var/ftp/incoming/                    com2/tagged 4 Lhotse by
Xplosivo
 77M    ./var/ftp/incoming/                    com2
 77M    ./var/ftp/incoming
 78M    ./var/ftp
 84M    ./var
and
"ls -l"

drwxr-xr-x  2 ftp   operator  512 Oct 14 03:39
drwxr-xr-x  3 ftp   operator  512 Oct 14 13:37                     com2
drwxr-xr-x  2 ftp   operator  512 Oct 14 13:33           com1


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message