Originally posted here by utahlanman
I'm just curious how this person gained "root" level access via your FTP site. Was some form of buffer-overflow exploited in addition to the FTP account brute-forcing? Also.. I assume you HAD to have had an account named "rootbeer" to be cracked by password grinding.

For knowledge sake, I'd suggest you determine if your FTP server (based on its revision) is succeptible to buffer overflow exploits, as I'm not aware of any native FTP based methods of gaining root.

And finally - based on your .bash_history, looks like somebody's staging some great files to play with on your site and is definately looking at setting up some sort of server-based process (hence all the pinging to yahoo.com and reviewing of your network config (ifconfig).

Good luck!
I am using pure-ftp and i have a user called rootbeer..
anyway i will go and check and get back to u..