From owner-freebsd-questions Sat Sep 9 4:27:42 2000
From: Mark Rowlands
Reply-To: mark.rowlands@minmail.net
To: Scott, freebsd-questions@FreeBSD.ORG
Subject: Re: Has my box been compromised?
Date: Sat, 9 Sep 2000 13:24:43 +0200
Message-Id: <00090913273200.42178@marbsd.tninet.se>
In-Reply-To: <39BA0BE6.C49E2FE3@earthlink.net>

On Sat, 09 Sep 2000, Scott wrote:
> Hello,
>
> I was surfing on my dsl line (dynamic ip) a few minutes ago and noticed
> my hard drive was churning even though I wasn't doing much. I ran top
> and saw several processes being run by user 'nobody' such as find,
> locate.proxxx (?can't remember), and several 'sh'. I immediately killed
> ppp, and then the 'nobody' processes but many of the processes had
> already died after I killed the ppp connection. Did someone break in or
> is freebsd doing something behind the scenes as 'nobody'?
>
> --
> Scott Dubose
> Houston, TX

I think you may find you have been compromised by the evil BSD Daemon
running locate.updatedb, df-ing your file systems, checking for suid
binaries and other jolly activities and mailing you, well, root at any
rate, the results of his industry

Mark Rowlands
+4686224510
GMT + 1
_______________________________________________
These opinions are mine, they are just opinions
you are free to disagree, please do so quietly
_______________________________________________
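
As an added example (not part of the original thread or of FreeBSD itself), one way to check whether processes owned by 'nobody' descend from the periodic maintenance run described in the reply above. The function name `triage_nobody` and the process snapshot are constructed for illustration; the snapshot imitates `ps -axo pid,ppid,user,command` output.

```shell
#!/bin/sh
# Constructed `ps -axo pid,ppid,user,command` snapshot (sample data, not from the post).
sample_ps() {
cat <<'EOF'
  PID  PPID USER   COMMAND
    1     0 root   /sbin/init
  120     1 root   /usr/sbin/cron
 4101   120 root   /bin/sh - /usr/sbin/periodic weekly
 4110  4101 root   /bin/sh /etc/periodic/weekly/310.locate
 4111  4110 nobody /bin/sh /usr/libexec/locate.updatedb
 4112  4111 nobody find / -print
 4300     1 nobody sh -c sleep 600
EOF
}

# Print "PID verdict command" for every process owned by nobody.
# verdict is "periodic" when an ancestor is /usr/sbin/periodic, else "review".
triage_nobody() {
    awk '
    NR == 1 { next }    # skip the ps header
    {
        pid = $1; ppid[pid] = $2; owner[pid] = $3
        cmd = $4; for (i = 5; i <= NF; i++) cmd = cmd " " $i
        cmdline[pid] = cmd; order[++n] = pid
    }
    END {
        for (k = 1; k <= n; k++) {
            pid = order[k]
            if (owner[pid] != "nobody") continue
            verdict = "review"
            p = ppid[pid]
            # Walk up the parent chain; the hop limit guards against loops.
            for (hops = 0; hops < 64 && (p in ppid); hops++) {
                if (index(cmdline[p], "/usr/sbin/periodic ") > 0) { verdict = "periodic"; break }
                p = ppid[p]
            }
            print pid, verdict, cmdline[pid]
        }
    }'
}

sample_ps | triage_nobody
```

On a live system the same function can read `ps -axo pid,ppid,user,command` directly. A "review" verdict only means the parent chain does not lead back to periodic (for example because a parent was killed and the child was reparented to init), so it calls for a closer look rather than proving a break-in.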