From owner-freebsd-questions Sat Sep 9 3: 9:51 2000 Delivered-To: freebsd-questions@freebsd.org Received: from gull.prod.itd.earthlink.net (gull.prod.itd.earthlink.net [207.217.121.85]) by hub.freebsd.org (Postfix) with ESMTP id 58D3337B50C for ; Sat, 9 Sep 2000 03:09:48 -0700 (PDT) Received: from earthlink.net (user-v3qs3pk.dsl.mindspring.com [199.174.15.52]) by gull.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with ESMTP id DAA22201 for ; Sat, 9 Sep 2000 03:06:26 -0700 (PDT) Message-ID: <39BA0BE6.C49E2FE3@earthlink.net> Date: Sat, 09 Sep 2000 05:07:34 -0500 From: Scott X-Mailer: Mozilla 4.08 [en] (X11; I; FreeBSD 4.0-RELEASE i386) MIME-Version: 1.0 To: freebsd-questions@FreeBSD.ORG Subject: Has my box been compromised? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Hello, I was surfing on my dsl line (dynamic ip) a few minutes ago and noticed my hard drive was churning even though I wasn't doing much. I ran top and saw several processes being run by user 'nobody' such as find, locate.proxxx (?can't remember), and several 'sh'. I immediately killed ppp, and then the 'nobody' processes but many of the processes had already died after I killed the ppp connection. Did someone break in or is freebsd doing something behind the scenes as 'nobody'? -- Scott Dubose Houston, TX To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message