> > How about ftp access, if you're running it, is it anonymous-only
> > (e.g. ftpd -A) or do regular users have access?
>
> yes, ftpd_flags="USA" rc.conf.local

So you have logs of uploads. What's there?

> > Faced with this type of situation I'd get the machine offline,
> > put the disk on another (clean) machine - don't boot from it
> > but mount/duplicate the disk - compare (diff) with a clean
> > install of things that are supposed to be on it, looking to
> > see what changes have been made (your config changes, programs
> > that you may have forgotten about, any files that may have
> > been brought over by the attacker, log entries, etc), and
> > look for clues..
> >
>
> thanks Stuart, it is going to be very useful, if the trap works.

What trap?

> For
> now, I did a clean installation after read logs, and review almost
> everything.
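
The offline comparison suggested in the quoted advice above (mount the suspect disk on a clean machine and diff it against a clean install), as an added example that is not part of the original thread. The mount points in the usage comment are assumptions, both trees are assumed to be mounted read-only, and file ownership is not compared.

```python
import hashlib
import os
import stat
import sys


def snapshot(root):
    """Map relative path -> (st_mode, content id), never following symlinks."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            content = None  # directories, devices, FIFOs: compared by mode only
            if stat.S_ISREG(mode):
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                content = digest.hexdigest()
            elif stat.S_ISLNK(mode):
                content = os.readlink(full)
            entries[os.path.relpath(full, root)] = (mode, content)
    return entries


def compare_trees(reference_root, suspect_root):
    """Return sorted (kind, path) findings: added, missing, content, mode, setid."""
    ref, sus = snapshot(reference_root), snapshot(suspect_root)
    findings = [("missing", path) for path in ref.keys() - sus.keys()]
    for path, (mode, content) in sus.items():
        ref_mode, ref_content = ref.get(path, (None, None))
        if path not in ref:
            findings.append(("added", path))
        elif content != ref_content:
            findings.append(("content", path))
        if ref_mode is not None and mode != ref_mode:
            findings.append(("mode", path))
        # New or altered setuid/setgid files deserve a separate look.
        setid = stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID)
        if setid and mode != ref_mode:
            findings.append(("setid", path))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed usage: compare.py /mnt/reference /mnt/suspect (hypothetical mount points)
    for kind, path in compare_trees(sys.argv[1], sys.argv[2]):
        print(f"{kind:8} {path}")
```

Expected differences, such as your own config changes, show up in the same list as anything brought over by the attacker, so each finding still has to be reviewed by hand.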