On Tue, 23 Mar 2004 09:27:57 -0500 Justin Pryzby <[EMAIL PROTECTED]> wrote:
>
> I believe Richard and myself have been rooted; I returned from spring
> break to find my machine's inetd set to listen on tcp:21 and to fork a
> wu-ftpd, which does not exist.

Does anything else exist at the path invoked? If someone comes knocking at port 21, would anything get run? What happens if you try port 21 yourself from some other machine?

Did you *ever* have wu-ftpd installed? Maybe it was installed briefly, and inetd.conf wasn't cleaned up afterwards?

Can you get a trusted chkrootkit on your machine? What does it say?

> Of interest:
>
> root 6472 1 0 Mar10 ? 00:00:00 /bin/bash
> /etc/init.d/xprint posix_sh_forced restart
> root 6473 6472 0 Mar10 ? 00:00:00 /bin/bash
> /etc/init.d/xprint posix_sh_forced restart
> root 6474 6473 0 Mar10 ? 00:00:00 /usr/bin/Xprt -ac
> -pn-nolisten tcp -audit 4 -fp
> /usr/X11R6/lib/X11/fonts/Type1,/usr/X11R6/lib/X11/fonts/Type1/,/v
> ar/lib/ root 6477 6472 0 Mar10 ? 00:00:00 tee -a
> /dev/null root 6478 6472 0 Mar10 ? 00:00:00 logger
> -p lpr.notice -t Xprt_64

I'm definitely not an expert about xprint. But other than the fact that these have been sitting idle since Mar 10, this doesn't look crazy to me, from a quick look at the /etc/init.d/xprint script. The first two lines show a normal invocation for /etc/init.d/xprint; the Xprt daemon has the right command line arguments for what /etc/init.d/xprint would give it, and the tee and logger processes are in there as well.

I think what you're seeing here is Bug #234132.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=234132

-c

--
Chris Metzler [EMAIL PROTECTED]
(remove "snip-me." to email)

"As a child I understood how to give; I have forgotten this grace since I have become civilized." - Chief Luther Standing Bear
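The first questions in the reply above (does anything exist at the path inetd would invoke, or is this a stale inetd.conf entry) can be answered for every active entry at once. This is an added example, not part of the original thread: the function names and the sample file are constructed, `/nonexistent/sbin/wu-ftpd` is a placeholder path, and the script assumes the usual convention that an entry wrapped by `tcpd` names the real daemon as its first argument.

```shell
#!/bin/sh
# Added example (not from the thread): report what each active inetd.conf
# entry would actually execute, and whether that file is there.
# inetd.conf fields: service socket proto wait user program arg0 args...

check_inetd_conf() {
    conf=${1:-/etc/inetd.conf}
    while read -r svc sock proto wait user prog arg0 rest || [ -n "$svc" ]; do
        case $svc in ''|'#'*) continue ;; esac       # blank or commented out
        [ "$prog" = internal ] && continue           # built into inetd itself
        target=$prog
        # Behind the tcpd wrapper, the daemon that runs is the first argument.
        case $prog in */tcpd) [ -n "$arg0" ] && target=$arg0 ;; esac
        case $target in
            /*) ;;
            *)  # tcpd resolves bare names in its own daemon directory
                echo "RELATIVE $svc/$proto $target"; continue ;;
        esac
        if [ ! -e "$target" ]; then status=MISSING   # stale or dangling entry
        elif [ ! -x "$target" ]; then status=NOEXEC
        else status=PRESENT                          # something would be run
        fi
        echo "$status $svc/$proto $target"
    done < "$conf"
}

# Constructed sample input, written to the path given as $1.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (placeholder paths)
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  /nonexistent/sbin/wu-ftpd -l
echo     stream  tcp  nowait  root    internal
daytime  stream  tcp  nowait  nobody  /bin/date  date
EOF
}
```

Called with no argument, `check_inetd_conf` reads `/etc/inetd.conf`. A `MISSING` line means a connection to that port would run nothing, which fits a leftover entry; a `PRESENT` line names the file to inspect.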