From owner-freebsd-questions Sat Jun 13 20:24:19 1998
Message-ID: <19980614032342.15775.qmail@hotmail.com>
From: "Min Huang"
To: questions@FreeBSD.ORG
Subject: Re: How to kick this user out? continue
Date: Sat, 13 Jun 1998 20:23:40 PDT

Please reply to huang_min@hotmail.com, I'm not in this list. Thanks!

>From robert@chalmers.com.au Sat Jun 13 18:40:10 1998
>Hi there,
>
> try 'ls -l /dev/ttyS4' and see what the permissions are.

I remember it's "c--------- 1 bbs tty"

> Is ttyS4 a dial in line on your system?

No, it's not.

> You could try setting the permissions so it can't be used, and see what
>happens?

Actually, at that time, I deleted /dev/ttyS4, then I used "who", the result
is same. How can "who" show a user using a nonexistent tty? Then I used
"MAKEDEV" to recover the ttyS4. Some time passed, the user lost.

>Are you sure it's not something in your own system? Perhaps in /etc/ttys?

What do you mean? Will anything special with ttys??

>
>Regards
>Robert
>
>Min Huang wrote:
>>
>> Hi,sir,
>>
>> Actually, I have not found the process the user run, and the user
>> is idle, there's no package transferred between the user's original
>> IP and my machine. Strange! Any suggestions?
>>
>> Huang Min
>>
>> >From robert@chalmers.com.au Thu Jun 11 00:15:13 1998
>>
>> >Hi,
>> >do you have a program called 'tcpdump' on your system? If you enable this, you
>> >can then watch this port and see exactly what that user is doing. tcpdump
>> >watches all traffic through a site, or down to even one port. It is very
>> >useful for tracking strange users.
>> >
>> >Is 172.24.13.80 one of your numbers? Or is it a number from outside
>> >
>> >Have you tried typing
>> > 'ps -ax | more'
>> >
>> >Or better yet, 'ps -t S4'
>> >This will show you exactly what processes that user is running.
>> >
>> >cheers
>> >Robert
>> >
>> >
>> >Min Huang wrote:
>> >>
>> >> Hello,sir,
>> >>
>> >> Thanks for replying my last mail so quick, I think I've not accounted
>> >> my situation clearly. Here is the result.
>> >> #who
>> >> bbs ttyqe Jun 11 14:10 (10.150.15.10)
>> >> bbs ttyqq Jun 11 13:46 (10.150.15.102)
>> >> bbs ttyrp Jun 11 14:25 (172.18.32.20)
>> >> bbs ttyQo Jun 11 14:03 (10.150.15.58)
>> >> bbs ttyS4 Jun 10 18:57 (172.24.13.80)
>> >> #w
>> >> bbs qe 10.150.15.10 2:10PM 29 bbs h 10.150.15.10
>> >> /dev/ttyqe
>> >> bbs qq 10.150.15.102 1:46PM 50 bbs h 10.150.15.102
>> >> /dev/ttyqq
>> >> bbs rp 172.18.32.20 2:25PM 15 bbs h 172.18.32.20
>> >> /dev/ttyrp
>> >> bbs Qo 10.150.15.58 2:03PM - bbs h 10.150.15.58
>> >> /dev/ttyQo
>> >> bbs S4 172.24.13.80 Wed06PM 19:44 -
>> >> #ps -U bbs
>> >> 697 pj- I 0:03.16 bin/chatd 3
>> >> 26389 qe Is+ 0:00.14 bbs h 10.150.15.10 /dev/ttyqe
>> >> 26288 qq Is+ 0:00.13 bbs h 10.150.15.102 /dev/ttyqq
>> >> 26447 rp Ss+ 0:00.29 bbs h 172.18.32.20 /dev/ttyrp
>> >> 694 Qh- S 0:09.93 bin/chatd 2
>> >> 26352 Qo Ss+ 0:00.32 bbs h 10.150.15.58 /dev/ttyQo
>> >>
>> >> Note on the user at ttyS4, I don't know what's he doing and how
>> >> this situation happen.
>> >> Thank you for replying this to huang_min@hotmail.com, I'm not
>> >> at this list.
>> >>
>> >> Huang Min
>> >
>> >--
>> > Support Whirled Peas. Business in China? China House
>> > robert@chalmers.com.au ph:61 7 49440357 fx:61 7 49578425
>> > China House Uses Webposition to ensure Top Spot in Searches
>> > http://www.chalmers.com.au/ChinaHouse/Business/webposition
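
The cross-check the thread carries out by hand (login records listed by `who` against processes listed by `ps`), written as a script. This is an added example and not part of the original messages; the function name `stale_sessions` is hypothetical, the sample data is the `who` and `ps -U bbs` output quoted in the thread, and it assumes BSD-style output where the `ps` TT column is the `who` tty name without the `tty` prefix.

```shell
#!/bin/sh
# Added example: report login records that have no process on their tty.

# Sample input: the `who` output quoted in the thread.
WHO_SAMPLE='bbs ttyqe Jun 11 14:10 (10.150.15.10)
bbs ttyqq Jun 11 13:46 (10.150.15.102)
bbs ttyrp Jun 11 14:25 (172.18.32.20)
bbs ttyQo Jun 11 14:03 (10.150.15.58)
bbs ttyS4 Jun 10 18:57 (172.24.13.80)'

# Sample input: the `ps -U bbs` output quoted in the thread.
PS_SAMPLE='697 pj- I 0:03.16 bin/chatd 3
26389 qe Is+ 0:00.14 bbs h 10.150.15.10 /dev/ttyqe
26288 qq Is+ 0:00.13 bbs h 10.150.15.102 /dev/ttyqq
26447 rp Ss+ 0:00.29 bbs h 172.18.32.20 /dev/ttyrp
694 Qh- S 0:09.93 bin/chatd 2
26352 Qo Ss+ 0:00.32 bbs h 10.150.15.58 /dev/ttyQo'

# stale_sessions WHO_TEXT PS_TEXT
# Prints "user tty host" for each who entry whose tty has no process in ps.
stale_sessions() {
    # Feed ps lines first, then a separator, then who lines.
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $0 == "---" { in_who = 1; next }
        !in_who {
            tt = $2
            # BSD ps appends "-" when the process can no longer reach
            # its controlling terminal; strip it to get the tty name.
            sub(/-$/, "", tt)
            busy["tty" tt] = 1
            next
        }
        # who line: field 2 is the tty, last field is the remote host.
        NF >= 2 && !($2 in busy) { print $1, $2, $NF }
    '
}

# Run against the thread's data; on a live system pass "$(who)" and
# "$(ps -ax)" instead.
stale_sessions "$WHO_SAMPLE" "$PS_SAMPLE"
```

Run on the thread's data, it reports only the `ttyS4` record, the one entry with no matching process.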