At 02:45 PM 3/4/2001 -0400, you wrote:
>Just a straight "ps" will only show you your active tasks from your
>current session.
>
>You'd need to do a ps aux to get a list of everything, and if you do
>a ps aux | grep root, you'll get every process currently run by root,
>unless "ps" has been compromised.
This is what came from running that command:
root 1 0.0 0.1 1104 460 ? S Feb22 0:05 init [5]
root 2 0.0 0.0 0 0 ? SW Feb22 0:00 [kflushd]
root 3 0.0 0.0 0 0 ? SW Feb22 0:00 [kupdate]
root 4 0.0 0.0 0 0 ? SW Feb22 0:00 [kpiod]
root 5 0.0 0.0 0 0 ? SW Feb22 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW< Feb22 0:00 [mdrecoveryd]
root 367 0.0 0.1 1156 480 ? S Feb22 0:05 syslogd -m 0
root 378 0.0 0.2 1428 672 ? S Feb22 0:00 klogd
root 410 0.0 0.2 1304 584 ? S Feb22 0:00 crond
root 430 0.0 0.1 1120 432 ? S Feb22 0:00 inetd
root 446 0.0 0.1 1176 436 ? S Feb22 0:00 lpd
root 521 0.0 2.3 10352 6056 ? S Feb22 0:02 /usr/sbin/httpsd
root 531 0.0 0.3 1700 844 ? S Feb22 0:00 sh /usr/bin/safe_
root 661 0.0 0.3 1912 844 ? S Feb22 0:07 /usr/local/sbin/s
root 669 0.0 0.1 1076 384 tty1 S Feb22 0:00 /sbin/mingetty tt
root 670 0.0 0.1 1076 384 tty2 S Feb22 0:00 /sbin/mingetty tt
root 671 0.0 0.1 1076 384 tty3 S Feb22 0:00 /sbin/mingetty tt
root 672 0.0 0.1 1076 384 tty4 S Feb22 0:00 /sbin/mingetty tt
root 673 0.0 0.1 1076 384 tty5 S Feb22 0:00 /sbin/mingetty tt
root 674 0.0 0.1 1076 384 tty6 S Feb22 0:00 /sbin/mingetty tt
root 675 0.0 0.4 2732 1160 ? S Feb22 0:00 /usr/bin/gdm -nod
root 685 0.0 1.2 4092 3148 ? S Feb22 0:00 perl /usr/libexec
root 983 0.0 0.0 0 0 ? Z Feb22 0:00 [X <defunct>]
root 984 0.0 0.0 0 0 ? Z Feb22 0:00 [gdm <defunct>]
root 8091 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8092 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8093 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8094 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8095 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8096 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8097 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8098 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8099 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8100 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 16251 0.0 0.4 2124 1160 ? S Mar03 0:00 sendmail: accepti
root 3849 0.0 0.5 2784 1468 ? S 10:30 0:00 /usr/local/sbin/s
root 3945 0.0 0.3 2060 916 pts/0 S 10:50 0:00 su root
root 3946 0.0 0.3 1776 1008 pts/0 S 10:50 0:00 bash
root 4232 0.0 0.5 2784 1468 ? S 11:40 0:00 /usr/local/sbin/s
Feb 22 was probably the last cold boot.
What's that last entry? I wasn't in that directory today.
>My suggestion is to get a copy of chkrootkit, compile it, su to root,
>and run it. It checks for the presence of most, if not all, of the
>currently active rootkits.
Thanks, Michael. I did that. It looks like all is well <sigh>. It did kick
this one thing back:
>>>
Checking `z2'... lastlog entry may be corrupted
<<<
How do I check on that? Also, if they *did* log on as root, *how* did they
get my passwd and *why* were they unable to do damage?
TIA,
BenO
> >> >>Is anyone else aware of any rootkits that point the physical tty's at
> >> >>something virtual?
> >> >
> >> >What do you mean by this question?
> >>
> >>*blink*
> >
> >?
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
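An added triage helper, not part of the thread: it parses a `ps aux` listing like the one pasted above and separates the rows started at boot (the START of PID 1) from those that appeared later, which is the question asked about the last /usr/local/sbin/s entry. The sample rows are a constructed subset of the listing above, and `parse_ps` and `triage` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample: a subset of the `ps aux | grep root` rows pasted above,
# mail-wrapped lines rejoined, COMMAND truncated exactly as ps printed it.
PS_SAMPLE = """\
root 1 0.0 0.1 1104 460 ? S Feb22 0:05 init [5]
root 661 0.0 0.3 1912 844 ? S Feb22 0:07 /usr/local/sbin/s
root 983 0.0 0.0 0 0 ? Z Feb22 0:00 [X <defunct>]
root 8091 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 8092 0.0 0.2 1372 636 ? S Feb23 0:00 in.identd -e -o
root 16251 0.0 0.4 2124 1160 ? S Mar03 0:00 sendmail: accepti
root 3849 0.0 0.5 2784 1468 ? S 10:30 0:00 /usr/local/sbin/s
root 3945 0.0 0.3 2060 916 pts/0 S 10:50 0:00 su root
root 3946 0.0 0.3 1776 1008 pts/0 S 10:50 0:00 bash
root 4232 0.0 0.5 2784 1468 ? S 11:40 0:00 /usr/local/sbin/s
"""

FIELDS = ("user", "pid", "cpu", "mem", "vsz", "rss", "tty", "stat",
          "start", "time", "command")

def parse_ps(text):
    """Split each `ps aux` row into its 11 columns; COMMAND keeps its spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[1].isdigit():
            continue  # header line or a wrapped fragment
        row = dict(zip(FIELDS, parts))
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows

def triage(rows):
    """Separate boot-time processes from those started later.

    PID 1's START is the last boot; a START of the form HH:MM means today.
    Zombies and repeated commands are listed too, since each deserves an
    explanation; your own su/bash session lands in "today", discount it.
    """
    boot = next((r["start"] for r in rows if r["pid"] == 1), None)
    counts = Counter(r["command"] for r in rows)
    return {
        "boot": boot,
        "after_boot": [r["pid"] for r in rows if r["start"] != boot],
        "today": [r["pid"] for r in rows if re.fullmatch(r"\d\d?:\d\d", r["start"])],
        "zombies": [r["pid"] for r in rows if "Z" in r["stat"]],
        "duplicates": {cmd: n for cmd, n in counts.items() if n > 1},
    }
```

Run it on a saved `ps aux` capture from the host and compare the "after_boot" PIDs against what crond, inetd and your own logins can account for.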