From owner-freebsd-questions Thu Oct 18 12:20:49 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from 4evermail.com (equinox.4evermail.com [204.92.209.4])
    by hub.freebsd.org (Postfix) with SMTP id 553B937B405
    for ; Thu, 18 Oct 2001 12:20:46 -0700 (PDT)
Received: (qmail 70037 invoked from network); 18 Oct 2001 19:21:18 -0000
Received: from equinox.4evermail.com (HELO mail.4evermail.com) (nobody@204.92.209.4)
    by equinox.4evermail.com with SMTP; 18 Oct 2001 19:21:18 -0000
From: jslivko@4evermail.com
To:
Cc: freebsd-questions@freebsd.org
Subject: Re: 77M ./var/ftp/incoming/ com2/tagged 4
Date: Thu, 18 Oct 2001 15:21:18 +0000
X-Mailer: Null Webmail / 0.5.9
Message-Id: <20011018192046.553B937B405@hub.freebsd.org>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Georgi,

Generally, that means that you've got a warez group sitting on your
server, using it as a file repository for illegal software, etc.
Generally, just deleting the directories and strengthening up security
around FTPd should be enough to stop the intruders from doing much more.
All in all, it's rather harmless from a hacking attempt point of view.

--
Jonathan

--- Georgi Tyuliev wrote:
> I am using FreeBSD-4.3 release and when I tried to make a telnet
> I got a message telling that the filesystem is full. It appears that
> /var/ftp/incoming directory is filled maliciously by some attacker.
> Unfortunately I can not remove these files/directories, their
> behavior is strange.
> How one should proceed in such cases,
> Best regards,
> Dr. Georgi Tyuliev
>
> Below is a part of the output from the commands:
> "du -h"
>
> 497K ./var/ftp/bin
> 4.0K ./var/ftp/etc
> 1.0K ./var/ftp/pub
> 1.0K ./var/ftp/incoming/ 
> 1.0K ./var/ftp/incoming/ com1
> 77M ./var/ftp/incoming/ com2/tagged 4 Lhotse by Xplosivo/filled by okunawa/tc2
> 77M ./var/ftp/incoming/ com2/tagged 4 Lhotse by Xplosivo/filled by okunawa
> 77M ./var/ftp/incoming/ com2/tagged 4 Lhotse by Xplosivo
> 77M ./var/ftp/incoming/ com2
> 77M ./var/ftp/incoming
> 78M ./var/ftp
> 84M ./var
> and
> "ls -l"
>
> drwxr-xr-x 2 ftp operator 512 Oct 14 03:39 
> drwxr-xr-x 3 ftp operator 512 Oct 14 13:37 com2
> drwxr-xr-x 2 ftp operator 512 Oct 14 13:33 com1
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
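
Directory names that start or end with blanks, like those in the quoted `du -h` and `ls -l` output, are hard to see and hard to type at a prompt. The shell functions below are an added example, not part of the original thread; the function names are hypothetical and the upload root (for instance /var/ftp/incoming) is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): report upload-tree entries whose names
# start or end with whitespace or contain control characters, so they can be
# reviewed before cleanup.

# list_odd_names ROOT
# Prints "<size in KB> [<path>]" for each top-most offending entry.
# Control and non-ASCII bytes are shown as "?", and the brackets make
# leading and trailing blanks visible.
list_odd_names() {
    # -prune stops find from descending into an entry it has already flagged,
    # so only the top-most odd directory of each subtree is reported.
    find "$1" \( -name '[[:space:]]*' -o -name '*[[:space:]]' \
                 -o -name '*[[:cntrl:]]*' \) -prune -exec sh -c '
        for p do
            # du may print several lines if the name holds a newline;
            # the size is the first field of the first line.
            kb=$(du -sk -- "$p" | awk "NR==1 {print \$1}")
            shown=$(printf "%s" "$p" | LC_ALL=C tr -c "[:print:]" "?")
            printf "%s [%s]\n" "$kb" "$shown"
        done' sh {} +
}

# count_odd_names ROOT
# Prints the number of entries list_odd_names would report.
count_odd_names() {
    list_odd_names "$1" | wc -l | tr -d ' '
}
```

Because `find` hands each name to the child command byte for byte, the same expression can drive removal after review by replacing the report with `-exec rm -rf -- {} +`.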