search for: ftp_scanner

My wife's office server was compromised today. It appears they ssh'ed in through account pcguest which was set up for Samba. (I don't remember setting up that account, but maybe I did.) At any rate, I found a bazillion "ftp_scanner" processes running. A killall finished them off quickly, I nuked the pcguest account, and switched ssh to a different port (which I normally do anyway). I used 'find' to locate ftp_scanner, which was running in a folder under /var/tmp. It seems that before I could nuke the directory...