I am running RH9, with proftp.

I left a dir open to the public to be written from by some of the users on my fourm. Somebody has created alot of dir and temp files and such. I have delated them and remove the public writing. Could they have done some type of exploit and go into my system?

I see no logins from /var/log/secure

Could they be spoofing this?

Should I run a chkrootkit? If so how? I have never done one. I have downloaded the chroot kit from chroot.org but I haven't untared it yet.

Um, are you sure your not thinking of chkrootkit? Chroot is for keeping users in a directory, but if you think you've been compromised, you need to use something like chkrootkit. Download that and run it. While you're at it, you might want to use rkhunter as well. However you may have to face the fact that if your system has been compromised and you hadn't set up a way to detect it, you may not be able to really figure out if you've been compromised or not. Be sure to visit Unspawn's sticky thread at the top of the forum. He has a number of links on what to do if you think you've been compromised.

You also might look in the xferlog and see what is there, though if your system is compromised this may not be trustworthy. The same thing goes for /var/log/secure. Also have a look at the open ports you have with netstat or nmap, though again, if you've been compromised, these may not be reliable.

Finally, if you are going to allow users to upload files, you are absolutely want to run something like Aide or Tripwire to monitor your file integrity. Be sure to keep a copy of the database these create somewhere off your machine.

A couple of things to add along with Hangdog42's good points:

Support for Redhat 9 has been discontinued and unless you are somehow manually updating, then there are a number of security vulnerabilities on your system. You might want to consider upgrading to a version of linux that is supported.

You can use the rpm -Va command to verify the integrity of the system packages to make sure that not have been altered/replaced.

Thanks, I ran chkrootkit last night and nothing was found. I check all my /var/log/secure -.1,.2,3 to see if someone had gotin over the last couple of days. So far everything looks good. My RH9 has all the updates the RH ever made for it. It may not be the newest version, but I dont think that there should be too many more holes in it. I have been checking out other versions of linux over the past months, I thought about fedora b/c I like the RPMS. Though I have found out that they don't always work so I have been compileing the tar files.

I run the following services on my machine and if you have a better OS that you think would be better let me know. I dont have to have a GUI, its rather nice though.

Samba,squid,sendmail (not configured),proftp,apache,

My system is a dual Intel P3 (667's i think)256ram and 80gig(7200)
Thats about it.

Why would some one create a bunch of temp files on my ftp server though. It looked like they were someones logs from sometype of scan. I should have took a screen print while I was deleting them. I have closed the anonomys writing so I guess this should stop. I think it was just a kid trying to run some scrips.

Here is a brief explnation of how I have things hooked up.

DSL Modem (disabled all services)--smothwall router (PPOE) on internal ip range of 9.17.19.95 then I have a netgear hub that my Xbox is hooked to and out of the hub also is a linksys wireless router that I have configured to use a static ip that it gets from the smoothe and out of the linksys (11.24.19.82) all my servers are on this address range. I have the smoothie forward ports to the linksys which inturn forwards them to the servers.

Just for kicks on the first network segment what if I put a old 486 running knoppix so if someone is browsing my network they will find this computer and stop there. They wouldn't know that there is another network segment right? Well if they hacked the smoothie and got the routes then they might find the other network. My passwords should be diffcult for someone to guess as it has both letters and nubmers and the letter are upper and lower case. I don't think that a password generator would guess it.

I have other family users that there dirs are on the server and not the windows boxes that they use. The passwords for those accounts are the same as their Sir name, but they are chrooted to their personal directory where I don't allow things to be exicuted.

After all this rambeling did I get anywhere?

If the files are actually in /tmp or in some other directory that isn't writeable through ftp, then that suggests that they at least had user level access. If they simply dumped a bunch of files into the ftp dirs anonymously, then they may not have had any kind of direct access to the system. Allowing anonymous writes via ftp is a horrendously bad idea and you should really find some alternative method.

If the system has only been updated through the end of Redhat support, then there will likely have been a number of ways to exploit the system and gain root access. You should absolutely check the output of last -i for any abnormal logins and check /etc/passwd for any new users or users other than root with a UID of 0. Also check the system for any suid/sgid root files:

find / -perm 4000 -print
find / -perm 2000 -print

Also, check all the system logs for abnormal error messages (application errors, panics, seg faults, etc)

Thanks I'll start working on this.

Actually the files were in /home/ftp/tmp

I have it jailed to /home/ftp