From owner-freebsd-security Mon May 5 11:15:04 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA10066 for security-outgoing; Mon, 5 May 1997 11:15:04 -0700 (PDT) Received: from asteroid.intermedia.ru ([194.85.158.35]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA10052 for ; Mon, 5 May 1997 11:14:57 -0700 (PDT) Received: from asteroid.intermedia.ru (localhost.intermedia.ru [127.0.0.1]) by asteroid.intermedia.ru (8.8.5/8.8.5) with ESMTP id WAA09603 for ; Mon, 5 May 1997 22:19:32 +0400 (MSD) Message-Id: <199705051819.WAA09603@asteroid.intermedia.ru> X-Mailer: exmh version 2.0gamma 1/27/96 To: security@freebsd.org Subject: User since epoch??? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 05 May 1997 22:19:30 +0400 From: Alex Povolotsky Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I've just noticed WERY strange output from w: asteroid#/var/log/squid 202_> w 10:18PM up 12:11, 7 users, load averages: 0.96, 1.23, 1.26 USER TTY FROM LOGIN@ IDLE WHAT root v1 - 1:33PM 8:43 xinit /root/.xinitrc -- /root/.xser root p0 :0.0 5:29PM 2 irc NiteWalk irc.voicenet.com (irc- root p1 :0.0 1:39PM 3:23 -tcsh (tcsh) root p2 :0.0 5:38PM 1 -tcsh (tcsh) tarkhil p3 :0.0 8:45PM 2 tin root p4 :0.0 7:20PM - w 5 - 01Jan70 7:48 - User "5" doesn't exists in /etc/passwd, nor UID 5. It doesn't have any processes. It looks VERY much like intrusion, but I just can't understand how can it be :-E FreeBSD-2.2.1-Release. Alex.