From owner-freebsd-security Tue Jun 29 17:19:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fasterix.frmug.org (d066.paris-81.cybercable.fr [212.198.81.66])
	by hub.freebsd.org (Postfix) with ESMTP id 0026515384
	for ; Tue, 29 Jun 1999 17:19:13 -0700 (PDT)
	(envelope-from pb@fasterix.frmug.org)
Received: (from pb@localhost)
	by fasterix.frmug.org (8.9.3/8.9.3/pb-19990315) id CAA20264;
	Wed, 30 Jun 1999 02:19:09 +0200 (CEST)
Message-ID: <19990630021908.A20109@fasterix.frmug.fr.net>
Date: Wed, 30 Jun 1999 02:19:08 +0200
From: Pierre Beyssac
To: "N.N.M" , freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
References: <19990629130132.96757.qmail@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.92.8i
In-Reply-To: <19990629130132.96757.qmail@hotmail.com>; from N.N.M on Tue, Jun 29, 1999 at 06:01:32AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jun 29, 1999 at 06:01:32AM -0700, N.N.M wrote:
> Any knows what the following process can mean?
>
> login -p zzzzzzzz

Looks like a login process exec'd by getty. getty reads the username
itself, then starts login with option -p. Subsequent password:/login:
prompts are then handled by login until it quits.

telnetd does more or less the same but adds a "-h remotehostname",
so it doesn't look like a remote attack.

If it's indeed exec'd from getty, its parent pid should be 1 (init)
and it should be attached to some tty on the machine for which a
getty is spawned by /etc/ttys.

As already answered, it's probably a stuck key. It might be started
by something else, but I'm out of imagination now. If it's not
started by anything familiar, then you can start worrying.
-- 
Pierre Beyssac    pb@fasterix.frmug.org pb@fasterix.freenix.org
    {Free,Net,Open}BSD, Linux: there are worse ones, but they cost more
    Free domains: http://www.eu.org/ or mail dns-manager@EU.org
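
The check described in the message above (parent pid 1, a tty with an enabled getty entry in /etc/ttys, and "-h" marking a telnetd-style start) can be scripted as follows. This is an added example, not part of the original message; the function names, the verdict labels and the sample data are constructed for illustration.

```sh
#!/bin/sh
# classify_logins PS_FILE TTYS_FILE   (function name and verdict labels are hypothetical)
#   PS_FILE:   saved output of `ps -axo pid,ppid,tty,command`
#   TTYS_FILE: copy of /etc/ttys
classify_logins() {
    awk '
    FILENAME == ARGV[1] {                    # first file: /etc/ttys
        sub(/#.*/, "")                       # drop comments
        if (NF < 4 || $2 !~ /getty/) next    # keep only entries that run a getty
        name = $1
        sub(/^[^"]*"[^"]*"/, "")             # cut the name and the quoted command
        n = split($0, f, /[ \t]+/)
        for (i = 1; i <= n; i++) if (f[i] == "on") getty_tty[name] = 1
        next
    }
    FNR == 1 { next }                        # ps header line
    {
        cmd = $4; sub(/.*\//, "", cmd)       # basename of the executable
        if (cmd != "login") next
        has_p = has_h = 0
        for (i = 5; i <= NF; i++) {
            if ($i == "-p") has_p = 1
            if ($i == "-h") has_h = 1
        }
        if (has_h) v = "remote"              # -h host, as telnetd would pass
        else if ($2 == 1 && has_p && ($3 in getty_tty)) v = "getty"
        else v = "unknown"                   # not explained by getty or telnetd
        print $1, $3, v
    }' "$2" "$1"
}
run_demo() {                                 # constructed sample data, not real output
    d=$(mktemp -d) || return 1
    cat > "$d/ttys" <<'EOF'
# name  getty                           type    status
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  off secure
EOF
    cat > "$d/ps" <<'EOF'
  PID  PPID TTY    COMMAND
  301     1 ttyv0  login -p zzzzzzzz
  412   398 ttyp0  login -p -h host.example.org alice
  977   650 ttyp2  login -p zzzzzzzz
  988     1 ttyd0  login -p zzzzzzzz
EOF
    classify_logins "$d/ps" "$d/ttys"
    rm -rf "$d"
}
run_demo
```

Lines reported as "unknown" are the ones worth a closer look: a login whose parent is not init, or whose tty has no enabled getty entry, is not accounted for by the getty explanation.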