Guy got root directory access from my FTP server... how can I fix this?
Some guy made a file or something called "\" in my ftp share folder. It appears to be a folder, so when I type:
root@Wolf88: cd \
I get this:
root@Wolf88:
>_
I don't know what this is, but I can't foresee it as being good since it allows virtually anyone with ftp access to control and/or use my system. Also, when I connect via an FTP client and enter the "\" folder, it redirects me to my root directory. I need to know what I can do to prevent this. Is it safe to delete this from the ftp share folder? What can I do, and what can I do to prevent this from happening?
Now, the folder "\" is missing when I log onto the server via FTP client from Windows, but when I do an ls of the "Storage" directory on my nix box, it's still there.
First of all, don't fuss about. The basics are:
- log details
- prevent networked access
- establish system integrity
Log:
netstat -anp >> /tmp/log
w(who|whoson) >> /tmp/log
ps au >> /tmp/log
lsof >> /tmp/log
lsmod >> /tmp/log
Now you've got the basic stuff (if unmodified binaries): connected IP addresses, who is logged on, running processes (not if hidden), running processes + open files, sockets etc, loaded modules (not if hidden). The rest you can scrape off of snort, your firewall and your ftp servers logs (if any).
Disconnect: Now disconnect your box from the network.
Integrity: Always state as much in detail as you possibly can. Without it we can't help. Period. This means distro, version, daemon version, any config weirdness, log excerpts, etc.
Now you will have to establish the integrity of your system, this means checking configs, logs and binaries.
If you didn't install and use a system integrity checking app like Aide, Tripwire, Samhain or equiv, then since your system doesn't provide package verification basically you're fscked.
Another chance would be to scan with Chkrootkit(.org) for known rootkits, but this can't flag "new" stuff, nor can it verify the integrity of your binaries.
Post any errors you get or "weird" files you find.
IMO you should wait worrying about deleting stuff till after you've made pretty damn sure your system is clean, and till then you should not connect your system to any network. Look for basic steps at Steps for Recovering from a UNIX or NT System Compromise.
Now give us some details that will help us help you add a proper solution for your problems.
I ran chkrootkit... and it turned negative across the board. I think that they hadn't done anything... yet... but they did make it so that an anonymous user could obtain access to the root directory. I fixed this partially by double checking the proftpd.conf file and making it so that anonymous users couldn't write anything. I don't know what to do from this point on though... should I change all my passwords? Can I delete the "\" file/directory outta my ftp "Storage" folder?
A little update, now when my head is clear from yesterday's chaos: if you still can ignore my previous two posts, please do so, I obviously wasn't thinking when I hit the "Submit" button. Follow unSpawn's suggestions, and also look up some case studies; I found one on linuxsecurity. The steps described in the article can be used as a guide on how to proceed and recover from an attack. Don't consider a single firewall as all means to harden your box's security; also I found a good article on how to set up an adaptive firewall to block persistent snoopers:
http://linuxgazette.com/issue82/veerapen.html
http://www.linuxsecurity.com/feature...sis-part1.html
http://www.linuxsecurity.com/feature...sis-part2.html
Innit? You've shown clearly you don't have any interest in securing your box, but find "thinking" it's safe is enough.
The 'net is for all of us, by all of us, so if you willfully allow your box to get broken into making it the weakest link, it will affect other boxen if they manage to use yours as another jump. This attitude is one that gets systems broken into.
Credit gone, game over.
But, since you don't care about that and I have to end this thread in a constructive way, try
rm -rf "\\/"
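As an added example (not from the thread) of handling the "\" entry discussed above, assuming the FTP share is a directory such as Storage: the functions below report what the entry actually is (a symlink pointing at / would explain an FTP client landing in the root directory) and remove it by inode, so the shell never gets a chance to reinterpret the backslash.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates inspecting and
# removing a directory entry with an awkward name such as "\".
# Note: typing  cd \  at a bash prompt does not enter such a directory;
# the backslash escapes the newline, so bash prints its continuation
# prompt (>) and waits for more input. Quote the name instead: cd -- '\'

# Print what kind of entry $1 is: "symlink -> TARGET", "directory",
# "file" or "missing". -- stops option parsing; the caller must quote
# the path so the backslash stays literal.
entry_kind() {
    if [ -L "$1" ]; then
        printf 'symlink -> %s\n' "$(readlink -- "$1")"
    elif [ -d "$1" ]; then
        echo directory
    elif [ -e "$1" ]; then
        echo file
    else
        echo missing
    fi
}

# Remove $1 by its inode number so no name quoting can go wrong.
# stat without -L reports the inode of a symlink itself, and find does
# not follow symlinks, so a link to / is unlinked rather than descended
# into; a real directory is removed with its contents. GNU stat -c is
# assumed (Linux).
remove_entry() {
    dir=$(dirname -- "$1")
    ino=$(stat -c %i -- "$1") || return 1
    find "$dir" -mindepth 1 -maxdepth 1 -inum "$ino" -exec rm -rf -- {} +
}

# Demo on a constructed share: a directory named "\" and then a symlink
# named "\" pointing at /, as the thread describes.
demo() {
    share=$(mktemp -d)/Storage
    mkdir -p -- "$share"
    mkdir -- "$share/\\"
    printf 'before: %s\n' "$(entry_kind "$share/\\")"
    remove_entry "$share/\\"
    ln -s / "$share/\\"
    printf 'before: %s\n' "$(entry_kind "$share/\\")"
    remove_entry "$share/\\"
    printf 'after: %s\n' "$(entry_kind "$share/\\")"
    rm -rf -- "$(dirname -- "$share")"
}
```

Run it as `sh script.sh` after appending a call to `demo`; on a real box run `entry_kind` first and check the output before removing anything.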
Ok... I tried as well... I can't get that stupid thing to go away. I'd really like to know. And dude... I know a lot... but compared to all that is available to know... it's a tiny portion. I started using Linux extensively like 6 months ago; you can't expect someone and/or everyone to go leet in that amount of time. I'm in it to learn... and then help others do the same.
Not trying to knock anyone. But I understand what unSpawn and trickykid are saying. I also understand what you are going through. That said, instead of freaking out and going "Oh my god, Oh my god, Oh my god":
The first thing you need to do (even if you are a newbie you can do this) is unplug the network cable. Second, if you can't follow what unSpawn said in his first post, then wipe the drive clean and start over.
This time don't turn on FTP unless you HAVE to HAVE it. Even then TURN OFF ANONYMOUS ACCESS. Also you really should be using SSH if you can.
If you don't know how to turn on / off anonymous access then post that question later.
p.s. unSpawn, those instructions really helped me out. Thanx
uhhh thanks... but that was the first thing I did... I'm not a moron. And yeah, I know how to turn it off... that was the second thing that I did. Any more non-helping posts?!?