From owner-freebsd-security Mon May 5 23:48:19 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA20183 for security-outgoing; Mon, 5 May 1997 23:48:19 -0700 (PDT) Received: from pc-pvl.nanoteq.co.za (pc-pvl.nanoteq.co.za [163.195.219.103]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA20176 for ; Mon, 5 May 1997 23:48:08 -0700 (PDT) Received: from pc-pvl.nanoteq.co.za (localhost.nanoteq.co.za [127.0.0.1]) by pc-pvl.nanoteq.co.za (8.8.5/8.8.5) with ESMTP id IAA13502; Tue, 6 May 1997 08:47:33 GMT Message-Id: <199705060847.IAA13502@pc-pvl.nanoteq.co.za> To: Alex Povolotsky cc: security@FreeBSD.ORG Subject: Re: User since epoch??? In-reply-to: Your message of "Mon, 05 May 1997 22:19:30 +0400." <199705051819.WAA09603@asteroid.intermedia.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 06 May 1997 08:47:33 +0000 From: Pierre-Andre van Leeuwen Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > I've just noticed WERY strange output from w: > > asteroid#/var/log/squid 202_> w > 10:18PM up 12:11, 7 users, load averages: 0.96, 1.23, 1.26 > USER TTY FROM LOGIN@ IDLE WHAT > root v1 - 1:33PM 8:43 xinit /root/.xinitrc -- /root/.xser > root p0 :0.0 5:29PM 2 irc NiteWalk irc.voicenet.com (irc- > root p1 :0.0 1:39PM 3:23 -tcsh (tcsh) > root p2 :0.0 5:38PM 1 -tcsh (tcsh) > tarkhil p3 :0.0 8:45PM 2 tin > root p4 :0.0 7:20PM - w > 5 - 01Jan70 7:48 - > > User "5" doesn't exists in /etc/passwd, nor UID 5. It doesn't have any > processes. It looks VERY much like intrusion, but I just can't understand how > can it be :-E I had more or less the same problem in X. In my case, no user other than root would show up when I run who. This happened no matter how many xterms the user had open. I did a manual reinstall of X by running the preinstall script (preinst.sh), untarring the dist and then running postinst.sh. That solved the problem for me. I recreated the problem by untarring the distribution without running the scripts, so I think that is probably what happened to you too. Maybe sysinstall stopped before running the postinst.sh script ? (I haven't had a look at the scripts though -- no time :) ) -- Pierre-Andre van Leeuwen Electronic Engineer Powered By FreeBSD ******************************** * Nanoteq (Pty) Ltd. * * Specialists in data security * * E-mail : pvl@nanoteq.com * * Ph : +27 (0)12 665-1338 * * http://www.nanoteq.co.za * ********************************