"Brian Rahill" <[EMAIL PROTECTED]> wrote: > I realize that CGI's run as the user but before the past few days I've only > seen one user via top. It's just in the past few days that I've seen > this.
Coincidence? Are you monitoring the system processes more now? Are your users running more CGIs now and/or getting more traffic on their CGI web pages? > It really freaked me at first...I immediately thought "hack in > progress..." But it been a few days and all VISIBLE signs are that > everything is ok. I don't find the fact that other users appeared in the output of top to be unusual. YMMV. > Here's my top: <snip> > PID USER PRI NI SIZE RSS SHARE STAT LIB %CPU %MEM TIME COMMAND > 22133 admin 6 0 900 900 680 R 0 2.3 0.3 0:01 top > 4604 httpd 0 0 13232 12M 12488 S 0 0.1 5.1 0:07 httpd > 5417 httpd 0 0 13224 12M 12468 S 0 0.1 5.1 0:07 httpd > 22022 root 0 0 1456 1448 1140 S 0 0.1 0.5 0:00 sshd > 777 mysql 0 0 2224 2224 1616 S 0 0.0 0.8 0:00 mysqld > > Any thoughts? I don't see any other regular users. Nothing unusual. If you notice something unusual perhaps you can look at the output of "ps aux" (or similar flags while running ps) to get more detail, but until another regular user appears I wouldn't be concerned. And I'd only be concerned after I knew what they were doing. If the command showed as "imapd" for example then they're just accessing their email through IMAP. Perhaps you gave some of that detail earlier, but I don't recall. -- Steve Werby President, Befriend Internet Services LLC http://www.befriend.com/ _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
