On Tue, Feb 16, 2021 at 08:47:52AM -0700, Theo de Raadt wrote:
> ANSI sequences appeared on ttyC0.


Someone tapped a "Home" key?  "ESC [ 7 ~" is the "Home" VT sequence.


> 
> init is running getty there, which exec'd login, which is running
> login_passwd to perform a login.
> 
> 
> 
> Riccardo Giuntoli <tag...@gmail.com> wrote:
> 
> > Hi there, I've got a strange process that spawns from init in the environment
> > above. No network traffic. Look ahead:
> > 
> >  |-+= 51452 root login -p -- \^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7
> >  | \--- 73422 root passwd -v login=yes -s login -- \^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7 default (login_passwd)
> > 
> > They depend directly on init.
> > 
> > taglio@cyberanarkhia:/sbin$ ls -al init
> > -r-xr-xr-x  1 root  bin  345348 Nov 25 19:39 init*
> > taglio@cyberanarkhia:/sbin$
> > 
> > taglio@cyberanarkhia:/sbin$ md5 init
> > MD5 (init) = 0fbb14ece72860443abe2c2ddb2ae96a
> > taglio@cyberanarkhia:/sbin$
> > 
> > [ using 1142476 bytes of bsd ELF symbol table ]
> > console out [NVDA,Display-B] console in [keyboard], using USB
> > using parent NVDA,Parent:: memaddr 98000000, size 8000000 : consaddr 98004000 : ioaddr 91000000, size 1000000: width 1280 linebytes 1536 height 1024 depth 8
> > Copyright (c) 1982, 1986, 1989, 1991, 1993
> >         The Regents of the University of California.  All rights reserved.
> > Copyright (c) 1995-2020 OpenBSD. All rights reserved.
> > https://www.OpenBSD.org
> > 
> > OpenBSD 6.7-stable (GENERIC.MP) #1: Mon Dec 21 08:42:13 CET 2020
> >     tag...@cyberanarkhia.telecomlobby.net:/sys/arch/macppc/compile/GENERIC.MP
> > 
> > root@cyberanarkhia:/usr/libexec/auth# ls -al
> > total 388
> > drwxr-x---  2 root  auth       512 Nov 25 19:39 ./
> > drwxr-xr-x  6 root  wheel     1024 Dec 22 18:54 ../
> > -r-xr-sr-x  4 root  _token   21900 Nov 25 19:39 login_activ*
> > -r-sr-xr-x  1 root  auth      9340 Nov 25 19:39 login_chpass*
> > -r-xr-sr-x  4 root  _token   21900 Nov 25 19:39 login_crypto*
> > -r-sr-xr-x  1 root  auth     17688 Nov 25 19:39 login_lchpass*
> > -r-sr-xr-x  1 root  auth      9340 Nov 25 19:39 login_passwd*
> > -r-xr-sr-x  1 root  _radius  17628 Nov 25 19:39 login_radius*
> > -r-xr-xr-x  1 root  auth      9340 Nov 25 19:39 login_reject*
> > -r-xr-sr-x  1 root  auth     13480 Nov 25 19:39 login_skey*
> > -r-xr-sr-x  4 root  _token   21900 Nov 25 19:39 login_snk*
> > -r-xr-sr-x  4 root  _token   21900 Nov 25 19:39 login_token*
> > -r-xr-sr-x  1 root  auth     21628 Nov 25 19:39 login_yubikey*
> > root@cyberanarkhia:/usr/libexec/auth#
> > 
> > root@cyberanarkhia:/usr/libexec/auth# md5 login_passwd
> > MD5 (login_passwd) = 17ed9f36a170b5614de566f71768e753
> > root@cyberanarkhia:/usr/libexec/auth#
> > 
> > root     login      39663 text /usr        52236  -r-xr-xr-x     r    25824
> > root     login      39663   wd /               2  drwxr-xr-x     r     1024
> > root     login      39663    0 /             741  crw-------    rw    ttyC0
> > root     login      39663    1 /             741  crw-------    rw    ttyC0
> > root     login      39663    2 /             741  crw-------    rw    ttyC0
> > root     login      39663    3* unix stream 0x325e9a08 <-> 0x325e90a8
> > root     login_passwd 50752 text /usr        78065  -r-sr-xr-x     r     9340
> > root     login_passwd 50752   wd /home     4595712  drwxr-xr-x     r     1536
> > root     login_passwd 50752    0 /             564  crw--w----    rw    ttyp1
> > root     login_passwd 50752    1 /             564  crw--w----    rw    ttyp1
> > root     login_passwd 50752    2 /             564  crw--w----    rw    ttyp1
> > root     login_passwd 50752    3* unix stream 0x325e9468 <-> 0x325e9968
> > root     login_passwd 50752    4 /            1090  crw-rw-rw-   rwp    tty
> > 
> > Any suggestions?
> > 
> > Nice regards,
> > 
> > RG
> > -- 
> > Name: Riccardo Giuntoli
> > Email: tag...@gmail.com
> > Location: sant Pere de Ribes, BCN, Spain
> > PGP Key: 0x67123739
> > PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
> > Key server: hkp://wwwkeys.eu.pgp.net

-- 
Andreas (Kusalananda) Kähäri
SciLifeLab, NBIS, ICM
Uppsala University, Sweden
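
The decoding described in the reply above, as an added example (not part of the thread and not OpenBSD code): a small Python helper that turns the caret notation from the process listing back into raw characters and names each "ESC [ n ~" key. Assumptions: only 7 (Home) comes from the thread; 1-6 are the VT220 editing keypad, 8 (End) follows rxvt-style keymaps, and all function names are hypothetical.

```python
import re

# "ESC [ n ~" parameter -> key name. 7 is from the thread; 1-6 are the VT220
# editing keypad; 8 is an assumption taken from rxvt-style keymaps.
TILDE_KEYS = {1: "Find", 2: "Insert", 3: "Remove", 4: "Select",
              5: "Prev Screen", 6: "Next Screen", 7: "Home", 8: "End"}

CSI_TILDE = re.compile(r"\x1b\[(\d+)~")       # complete key sequence
PARTIAL_CSI = re.compile(r"\x1b(\[\d*)?$")    # sequence cut off by ps truncation

# The login argument exactly as it appears in the listing on this page:
# seven complete sequences and an eighth that the listing cut short.
SAMPLE = r"\^[[7~" * 7 + r"\^[[7"


def decode_caret(text):
    """Turn caret notation (^[ = ESC, ^A = 0x01, ^? = DEL) into raw characters."""
    text = text.replace("\\^", "^")  # the listing shows a backslash before each caret
    return re.sub(r"\^([@-_?])", lambda m: chr(ord(m.group(1)) ^ 0x40), text)


def triage_args(argstring):
    """Split an argument string into named key presses and whatever else is left."""
    raw = decode_caret(argstring)
    keys, other, pos = [], [], 0
    for m in CSI_TILDE.finditer(raw):
        other.append(raw[pos:m.start()])
        n = int(m.group(1))
        keys.append(TILDE_KEYS.get(n, "CSI %d ~ (unmapped)" % n))
        pos = m.end()
    tail = raw[pos:]
    cut = PARTIAL_CSI.search(tail)   # a half-printed sequence at the very end
    if cut:
        tail = tail[:cut.start()]
    other.append(tail)
    return {"keys": keys,
            "truncated_tail": bool(cut),
            "other_text": "".join(other)}


if __name__ == "__main__":
    print(triage_args(SAMPLE))
```

An empty `other_text` means the whole argument is accounted for by key presses at the login prompt; anything left over is the part of the "user name" still worth reading.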
