From owner-freebsd-questions Sat Jun 13 08:57:35 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id IAA02670
    for freebsd-questions-outgoing; Sat, 13 Jun 1998 08:57:35 -0700 (PDT)
    (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from hotmail.com (f114.hotmail.com [207.82.251.42])
    by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA02639
    for ; Sat, 13 Jun 1998 08:56:52 -0700 (PDT)
    (envelope-from huang_min@hotmail.com)
Received: (qmail 12702 invoked by uid 0); 13 Jun 1998 15:56:23 -0000
Message-ID: <19980613155623.12701.qmail@hotmail.com>
Received: from 202.98.33.52 by www.hotmail.com with HTTP;
    Sat, 13 Jun 1998 08:56:21 PDT
X-Originating-IP: [202.98.33.52]
From: "Min Huang"
To: robert@chalmers.com.au
Cc: questions@FreeBSD.ORG
Subject: Re: How to kick this user out? continue
Content-Type: text/plain
Date: Sat, 13 Jun 1998 08:56:21 PDT
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi, sir,

Actually, I have not found the process the user run, and the user is
idle, there's no package transferred between the user's original IP and
my machine. Strange! Any suggestions?

Huang Min

>From robert@chalmers.com.au Thu Jun 11 00:15:13 1998
>Received: from chalmers.com.au (carbon.chalmers.com.au [203.1.96.26])
>    by nanguo.chalmers.com.au (8.8.8/8.8.8) with ESMTP id RAA09824
>    for ; Thu, 11 Jun 1998 17:14:28 +1000
>Hi,
>do you have a program called 'tcpdump' on your system? If you enable this, you
>can then watch this port and see exactly what that user is doing. tcpdump
>watches all traffic through a site, or down to even one port. It is very
>useful for tracking strange users.
>
>Is 172.24.13.80 one of your numbers? Or is it a number from outside
>
>Have you tried typing
>    'ps -ax | more'
>
>Or better yet, 'ps -t S4'
>This will show you exactly what processes that user is running.
>
>cheers
>Robert
>
>
>Min Huang wrote:
>>
>> Hello, sir,
>>
>> Thanks for replying my last mail so quick, I think I've not accounted
>> my situation clearly. Here is the result.
>> #who
>> bbs ttyqe Jun 11 14:10 (10.150.15.10)
>> bbs ttyqq Jun 11 13:46 (10.150.15.102)
>> bbs ttyrp Jun 11 14:25 (172.18.32.20)
>> bbs ttyQo Jun 11 14:03 (10.150.15.58)
>> bbs ttyS4 Jun 10 18:57 (172.24.13.80)
>> #w
>> bbs qe 10.150.15.10 2:10PM 29 bbs h 10.150.15.10
>> /dev/ttyqe
>> bbs qq 10.150.15.102 1:46PM 50 bbs h 10.150.15.102
>> /dev/ttyqq
>> bbs rp 172.18.32.20 2:25PM 15 bbs h 172.18.32.20
>> /dev/ttyrp
>> bbs Qo 10.150.15.58 2:03PM - bbs h 10.150.15.58
>> /dev/ttyQo
>> bbs S4 172.24.13.80 Wed06PM 19:44 -
>> #ps -U bbs
>> 697 pj- I 0:03.16 bin/chatd 3
>> 26389 qe Is+ 0:00.14 bbs h 10.150.15.10 /dev/ttyqe
>> 26288 qq Is+ 0:00.13 bbs h 10.150.15.102 /dev/ttyqq
>> 26447 rp Ss+ 0:00.29 bbs h 172.18.32.20 /dev/ttyrp
>> 694 Qh- S 0:09.93 bin/chatd 2
>> 26352 Qo Ss+ 0:00.32 bbs h 10.150.15.58 /dev/ttyQo
>>
>> Note on the user at ttyS4, I don't know what's he doing and how
>> this situation happen.
>> Thank you for replying this to huang_min@hotmail.com, I'm not
>> at this list.
>>
>> Huang Min
>>
>> ______________________________________________________
>> Get Your Private, Free Email at http://www.hotmail.com
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message
>
>--
> Support Whirled Peas. Business in China? China House
> robert@chalmers.com.au ph:61 7 49440357 fx:61 7 49578425
> China House Uses Webposition to ensure Top Spot in Searches
> http://www.chalmers.com.au/ChinaHouse/Business/webposition
>
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
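
Added example, not part of the thread: a cross-check of saved `who` output against saved `ps` output that lists login records with no process attached to their terminal, which is the condition reported above for ttyS4. The function name, the `demo` wrapper and the file names are hypothetical; the sample input is copied from the `who` and `ps -U bbs` output quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread); function and file names are hypothetical.
# Prints each `who` login record whose terminal has no process in `ps` output.

sessions_without_procs() {
    # $1: saved `who` output
    # $2: saved `ps` output (columns: PID TT STAT TIME COMMAND)
    awk '
        FILENAME == ARGV[1] {               # first file read: the ps output
            if ($1 !~ /^[0-9]+$/) next      # skip a header line if present
            if ($2 ~ /-$/) next             # "pj-": process can no longer reach that tty
            has_proc[$2] = 1                # ps shows the tty without the "tty" prefix
            next
        }
        {                                   # second file read: the who output
            short = $2
            sub(/^tty/, "", short)          # who shows "ttyS4", ps shows "S4"
            if (!(short in has_proc)) print $2, $NF   # tty and last field (remote host)
        }
    ' "$2" "$1"
}

# Sample input copied from the output quoted in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/who.txt" <<'EOF'
bbs ttyqe Jun 11 14:10 (10.150.15.10)
bbs ttyqq Jun 11 13:46 (10.150.15.102)
bbs ttyrp Jun 11 14:25 (172.18.32.20)
bbs ttyQo Jun 11 14:03 (10.150.15.58)
bbs ttyS4 Jun 10 18:57 (172.24.13.80)
EOF
    cat > "$dir/ps.txt" <<'EOF'
  697 pj- I 0:03.16 bin/chatd 3
26389 qe Is+ 0:00.14 bbs h 10.150.15.10 /dev/ttyqe
26288 qq Is+ 0:00.13 bbs h 10.150.15.102 /dev/ttyqq
26447 rp Ss+ 0:00.29 bbs h 172.18.32.20 /dev/ttyrp
  694 Qh- S 0:09.93 bin/chatd 2
26352 Qo Ss+ 0:00.32 bbs h 10.150.15.58 /dev/ttyQo
EOF
    sessions_without_procs "$dir/who.txt" "$dir/ps.txt"
    rm -rf "$dir"
}

demo
```

On a live host, save `who` and `ps -ax` to two files and pass them in that order, so that processes owned by any user are counted.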