At 01:12 PM 10/17/01 -0400, you wrote:
>"Brian Rahill" <[EMAIL PROTECTED]> wrote:
> > I don't give shell accounts to any of my users, however recently when I
> > run a "top"  I see two users.
> >
> > However using "w" I only see myself logged in.  What is going on?
>
>Cron jobs and CGI scripts run as the user that owns them.  Was it either of
>those?  Can you post the relevant lines from top?

I realize that CGIs run as the user but before the past few days I've only 
seen one user via top.  It's just in the past few days that I've seen 
this.  It really freaked me at first...I immediately thought "hack in 
progress..." But it's been a few days and all VISIBLE signs are that 
everything is ok.

I'm logged in as root via SSH.

Here is my "w"

  6:42pm  up 22 days, 12:53,  2 users,  load average: 0.24, 0.13, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
admin    pts/1    me-orno1a-164.bn  6:42pm  0.00s  0.19s   ?     -


Here's my top:

6:44pm  up 22 days, 12:55,  2 users,  load average: 0.32, 0.17, 0.09
96 processes: 95 sleeping, 1 running, 0 zombie, 0 stopped
CPU states:  6.2% user,  9.9% system,  0.0% nice, 83.8% idle
Mem:   257636K av,  250196K used,    7440K free,  321952K shrd,   50316K buff
Swap:  131448K av,    1948K used,  129500K free                   86620K cached

   PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
22133 admin      6   0   900  900   680 R       0  2.3  0.3   0:01 top
  4604 httpd      0   0 13232  12M 12488 S       0  0.1  5.1   0:07 httpd
  5417 httpd      0   0 13224  12M 12468 S       0  0.1  5.1   0:07 httpd
22022 root       0   0  1456 1448  1140 S       0  0.1  0.5   0:00 sshd
     1 root       0   0   476  476   404 S       0  0.0  0.1   0:06 init
     2 root       0   0     0    0     0 SW      0  0.0  0.0   0:22 kflushd
     3 root       0   0     0    0     0 SW      0  0.0  0.0   4:41 kupdate
     4 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kpiod
     5 root       0   0     0    0     0 SW      0  0.0  0.0   0:16 kswapd
     6 root     -20 -20     0    0     0 SW<     0  0.0  0.0   0:00 mdrecoveryd
     7 root     -20 -20     0    0     0 SW<     0  0.0  0.0   0:00 raid1d
     8 root     -20 -20     0    0     0 SW<     0  0.0  0.0   0:00 raid1d
     9 root     -20 -20     0    0     0 SW<     0  0.0  0.0   0:00 raid1d
    10 root     -20 -20     0    0     0 SW<     0  0.0  0.0   0:00 raid1d
   383 root       0   0   476  472   376 S       0  0.0  0.1   6:04 syslogd
   394 root       0   0   688  684   304 S       0  0.0  0.2   0:00 klogd
   440 root       0   0   444  440   372 S       0  0.0  0.1   0:34 inetd
   472 named      0   0 13700  13M   952 S       0  0.0  5.3  10:36 named
   484 root       0   0  5680 5680  4552 S       0  0.0  2.2   0:01 httpd.admsrv
   508 root       0   0  6404 6404  4692 S       0  0.0  2.4   0:15 httpd.admsrv
   516 root       0   0  6360 6236  4576 S       0  0.0  2.4   0:12 httpd.admsrv
   573 root       0   0  6368 6368  4692 S       0  0.0  2.4   0:15 httpd.admsrv
   614 postgres   5   5  2332 2332   952 S N     0  0.0  0.9   0:34 postmaster
   627 root       0   0   656  632   504 S       0  0.0  0.2   0:08 sshd
   690 root       0   0   820  820   600 S       0  0.0  0.3   0:00 caspd
   691 root       0   0   820  820   600 S       0  0.0  0.3   0:00 caspd
   692 root       0   0   820  820   600 S       0  0.0  0.3   0:00 caspd
   694 root       0   0 17784  15M  4804 S       0  0.0  6.3   0:00 caspeng
   734 root       0   0 17784  15M  4804 S       0  0.0  6.3   0:00 caspeng
   735 root       0   0 17784  15M  4804 S       0  0.0  6.3   0:00 caspeng
   737 root       0   0 17784  15M  4804 S       0  0.0  6.3   0:00 caspeng
   738 root       0   0 17784  15M  4804 S       0  0.0  6.3   0:00 caspeng
   742 root       0   0 17784  15M  4804 S       0  0.0  6.3   0:00 caspeng
   744 root       0   0 17784  15M  4804 S       0  0.0  6.3   0:00 caspeng
   747 root       0   0   832  832   668 S       0  0.0  0.3   0:00 safe_mysqld
   770 root       0   0  2388 2388   984 S       0  0.0  0.9   0:08 poprelayd
   777 mysql      0   0  2224 2224  1616 S       0  0.0  0.8   0:00 mysqld

Any thoughts?

Brian

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
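
Added example, not part of the original message: the "2 users" figure in the header of both `w` and `top` counts login session records, while the USER column of `top` lists process owners, so the two are checked separately here. The script runs over a trimmed copy of the output quoted above; the function names are illustrative.

```python
import re

# Sample input: trimmed copy of the "w" and "top" output quoted in the message.
W_OUTPUT = """\
  6:42pm  up 22 days, 12:53,  2 users,  load average: 0.24, 0.13, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
admin    pts/1    me-orno1a-164.bn  6:42pm  0.00s  0.19s   ?     -
"""
TOP_ROWS = """\
   PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
22133 admin      6   0   900  900   680 R       0  2.3  0.3   0:01 top
 4604 httpd      0   0 13232  12M 12488 S       0  0.1  5.1   0:07 httpd
22022 root       0   0  1456 1448  1140 S       0  0.1  0.5   0:00 sshd
  472 named      0   0 13700  13M   952 S       0  0.0  5.3  10:36 named
  614 postgres   5   5  2332 2332   952 S N     0  0.0  0.9   0:34 postmaster
  777 mysql      0   0  2224 2224  1616 S       0  0.0  0.8   0:00 mysqld
"""

def parse_w(text):
    """Return (session count claimed in the header, listed (user, tty) rows)."""
    lines = text.strip("\n").splitlines()
    m = re.search(r"(\d+) users?,", lines[0])
    claimed = int(m.group(1)) if m else None
    sessions = [tuple(l.split()[:2]) for l in lines[2:] if l.strip()]
    return claimed, sessions

def process_owners(text):
    """Map each USER in the process table to the set of commands it runs."""
    owners = {}
    for line in text.strip("\n").splitlines()[1:]:
        f = line.split()
        if len(f) >= 3 and f[0].isdigit():   # PID first, COMMAND last
            owners.setdefault(f[1], set()).add(f[-1])
    return owners

def report(w_text, top_text):
    """Separate the two questions: unlisted sessions vs. owners with no login."""
    claimed, sessions = parse_w(w_text)
    logged_in = {user for user, _tty in sessions}
    owners = process_owners(top_text)
    return {
        "claimed_sessions": claimed,
        "listed_sessions": len(sessions),
        # Header counts a session that has no row of its own.
        "unlisted_sessions": None if claimed is None else claimed - len(sessions),
        # Accounts that own processes but hold no listed login session.
        "owners_without_session": sorted(set(owners) - logged_in),
    }

if __name__ == "__main__":
    print(report(W_OUTPUT, TOP_ROWS))
```

On a live host the same comparison can be fed from `w` and `ps -eo pid,user,comm` output; accounts that appear only as process owners are then reviewed against the services, cron jobs and CGI scripts expected on the machine.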
