From owner-freebsd-security Mon May 5 12:00:58 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA12286 for security-outgoing; Mon, 5 May 1997 12:00:58 -0700 (PDT)
Received: from thermohaline.csc.ncsu.edu (thermohaline.csc.ncsu.edu [152.1.57.31]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id MAA12276 for ; Mon, 5 May 1997 12:00:52 -0700 (PDT)
Received: by thermohaline.csc.ncsu.edu (5.65/Eos/C-U-09Sep93) id AA05131; Mon, 5 May 1997 15:00:21 -0400
Message-Id: <9705051900.AA05131@thermohaline.csc.ncsu.edu>
Subject: Re: User since epoch???
To: root@asteroid.intermedia.ru (Alex Povolotsky)
Date: Mon, 5 May 1997 15:00:20 -0400 (EDT)
Cc: security@FreeBSD.ORG
In-Reply-To: <199705051819.WAA09603@asteroid.intermedia.ru> from "Alex Povolotsky" at May 5, 97 10:19:30 pm
Reply-To: nsj@ncsu.edu
From: nsj@ncsu.edu (Nate Johnson)
X-Mailer: ELM [version 2.4 PL24/POP]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

%asteroid#/var/log/squid 202_> w
%10:18PM up 12:11, 7 users, load averages: 0.96, 1.23, 1.26
%USER TTY FROM LOGIN@ IDLE WHAT
%root v1 - 1:33PM 8:43 xinit /root/.xinitrc -- /root/.xser
%root p0 :0.0 5:29PM 2 irc NiteWalk irc.voicenet.com (irc-
%root p1 :0.0 1:39PM 3:23 -tcsh (tcsh)
%root p2 :0.0 5:38PM 1 -tcsh (tcsh)
%tarkhil p3 :0.0 8:45PM 2 tin
%root p4 :0.0 7:20PM - w
%5 - 01Jan70 7:48 -
%
%User "5" doesn't exist in /etc/passwd, nor UID 5. It doesn't have any
%processes. It looks VERY much like intrusion, but I just can't understand how
%can it be :-E
%
%FreeBSD-2.2.1-Release.

I was experiencing very similar problems. As a matter of fact, I would also
have "users" with ids of "ttypf" and other various oddities. The rumor is
that if you grab the latest and greatest copy of XF86, this should clear it
up. (Note that the problem doesn't, or shouldn't, show up when you're not in
X).

Cheers,
nsj

--
Nate Johnson / nsj@ncsu.edu / nsj@catt.ncsu.edu / nsj@FreeBSD.org
Head Systems Administrator, Computer and Technologies Theme Program
North Carolina State University, Raleigh, North Carolina