[NTLUG:Discuss] Have I been Hacked?
Chris Cox
cjcox at acm.org
Mon Apr 1 16:52:59 CST 2002
Jason Ferguson wrote:
>So, I'm sitting at my system before heading to work this morning and for
>some reason, the hard drive is running (and all I'm doing is looking at a
>website). So, either konqueror has a nasty memory leak (wouldn't surprise
>me) or something weird is going on.
>
Nothing weird.. unless you consider vixie cron weird.
>
>A top showed that "find" was running, which seemed odd. A "ps ax" showed
>several things that may or may not have been legit, but two things
>jumped out at me:
>
>
>13485 ? S 0:00 /USR/SBIN/CRON
>21211 ? R 0:00 find / -xdev ( -false ) -prune -o ( -type f
>-perm +06000 -o ( ( -type b -o -type c ) -a -not ( -false ) ) ) -printf
>%8i %5m %3n %-10u %-10g %9s %t %h/%f?n
>
>The first one: why the capital letters? Never seen them before.
>The second: wtf is this command trying to do?
>
>I suspect I opened a hole last week by opening the Xwindows ports so I
>could do a xhost +localhost to let root run applications. But, I did a quick
>check of some of the programs that a rootkit would replace, i.e. ps and
>netstat, and they aren't small (ps is about 58k and netstat is nearly
>87k).
>
In vixie cron you'll see directories called /etc/cron.daily,
/etc/cron.weekly and /etc/cron.hourly, which contain scripts to execute
at those intervals. The script is some kind of skulking or updatedb
style script. I don't think you have been hacked (at least not yet).
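
For reference, the find command in the quoted ps output lists regular files with the setuid or setgid bit set and block/character device nodes on the root filesystem. The sketch below is an added example, not part of the original thread and not any distribution's actual cron script: it assumes GNU find, uses hypothetical function names, and shows how a daily check can diff that list against a saved baseline.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU find for -printf.

# list_privileged DIR
# Print one tab-separated line (path, mode, owner, group, size) for every
# setuid/setgid regular file and every block/char device below DIR.
# -xdev keeps find on DIR's filesystem; "-perm /6000" is how current GNU
# find spells the "-perm +06000" seen in the ps output.
list_privileged() {
    find "$1" -xdev \( -type f -perm /6000 -o -type b -o -type c \) \
        -printf '%p\t%m\t%u\t%g\t%s\n' 2>/dev/null | sort
}

# compare_baseline DIR BASELINE
# Diff the current list against BASELINE, print changed lines, then
# replace the baseline. Returns 0 when nothing changed (or on the first
# run, when the baseline is created), 1 when entries differ.
compare_baseline() {
    current=$(mktemp) || return 2
    list_privileged "$1" > "$current"
    if [ ! -f "$2" ]; then
        mv "$current" "$2"
        return 0
    fi
    # "<" lines vanished or changed since the baseline, ">" lines are new.
    changes=$(diff "$2" "$current" | grep '^[<>]' || true)
    mv "$current" "$2"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Stand-alone use: script DIR BASELINE (both chosen by the caller).
if [ "$#" -ge 2 ]; then
    compare_baseline "$1" "$2"
fi
```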