Hi,

A German warez group (from what I have been able to track down) has been uploading files to our server. The problem is that they've been appearing in our ftp incoming directory *but not through our ftp daemon*. Any such connections would have been logged and they haven't been. Neither were any ftpd processes seen running at a time when files were actively being uploaded. This (to my untrained eye) points to a compromised network service of some description.

First things first: is this the right place to discuss such things or would there be somewhere more relevant?

I'm running SuSE 7.1 with a self-compiled 2.4.2 kernel, and running apache 1.3.19, proftpd 1.2.2rc2, openssh 2.5.1p1, telnet, postfix-20010228pl03-9, qpopper-3.1.2, nfs-2.2, pidentd 3.1a17, samba 2.0.10, lprng 3.7.4, netatalk 1.4.99, portmap 5beta, XFree86 4.0.2 + kdm/kde2 2.1.1. Some of which being compiled from 7.2ftp source rpms but the same exploit was taking place with standard 7.1ftp.

As I'm running SuSE packages which have no known exploits that I can see, this is worrying for me and a potential worry for other SuSE users.

I've spent all day on a wild goose chase but hopefully tomorrow I'll be able to find more information (I'm tcpdumping all network traffic atm, so it just needs correlating the time files are uploaded with the traffic going on at the time, a lengthy process on a busy server ;0).

Any help will be greatly appreciated,

John Bland

--
John Bland M.Phys (Hons) AMInstP   / \  PhD Student & Sys Admin
Email: j.bland at cmp.liv.ac.uk    / \  Condensed Matter Group
http://ringtail.cmp.liv.ac.uk/     / \  Liverpool University
"Hey, I wonder how much meat you get on a womble?" -- Eddie