[NTLUG:Discuss] Have I been Hacked?
Bug Hunter
bughuntr at one.ctelcom.net
Tue Apr 2 08:51:09 CST 2002
oops! the perm part is the kicker.
there is a program that watches files for changes. it may be that
program running to see what files have changed.
On Tue, 2 Apr 2002, Bug Hunter wrote:
>
>
> On Tue, 2 Apr 2002, david ross wrote:
>
> > I use a program called "chkrootkit". I keep it on a floppy and run it
> > weekly. My cron also runs the HD pretty hard, but I have no clue why.
> >
> > On Monday 01 April 2002 07:53 am, you wrote:
> > > So, I'm sitting at my system before heading to work this morning and for
> > > some reason, the hard drive is running (and all I'm doing is looking at a
> > > website). So, either konqueror has a nasty memory leak (wouldn't surprise
> > > me) or something weird is going on.
> > >
> > > A top showed that "find" was running, which seemed odd. A "ps ax" showed
> > > several things that may or may not have been legit, but two things
> > > jumped out at me:
> > >
> > >
> > > 13485 ? S 0:00 /USR/SBIN/CRON
> > > 21211 ? R 0:00 find / -xdev ( -false ) -prune -o ( -type f
> > > -perm +06000 -o ( ( -type b -o -type c ) -a -not ( -false ) ) ) -printf
> > > %8i %5m %3n %-10u %-10g %9s %t %h/%f?n
> > >
> > > The first one: why the capital letters? Never seen them before.
> > > The second: wtf is this command trying to do?
>
> assuming it is legit, this is the updatedb program running overnight to
> update the "locate" command's database.
>
> man locate
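
The `find` expression quoted in the thread selects regular files with the setuid or setgid bit set, plus block and character device nodes, and prints their metadata. As an added example (not part of the original messages), the sketch below takes the same kind of snapshot and compares two of them so that a newly appearing setuid file stands out. It assumes GNU find; the function names and the scratch files are hypothetical and constructed for the demo.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# List setuid/setgid regular files and block/char device nodes under $1,
# one per line: mode, owner, group, size, path.
# -perm /6000 means "any of these bits set", which is what the thread's
# -perm +06000 meant; current GNU findutils no longer accepts the + form.
suid_snapshot() {
    find "$1" -xdev \( -type f -perm /6000 -o -type b -o -type c \) \
        -printf '%m %u %g %s %p\n' 2>/dev/null | LC_ALL=C sort
}

# Print lines present in snapshot $2 but not in $1: new files, or files
# whose mode, owner, group or size changed.
suid_changes() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Constructed demo: a scratch tree in which one file gains the setuid bit
# between two snapshots.
demo() {
    d=$(mktemp -d) || return 1
    printf 'x\n' > "$d/plain"
    printf 'x\n' > "$d/tool"
    suid_snapshot "$d" > "$d.before"
    chmod 4755 "$d/tool"
    suid_snapshot "$d" > "$d.after"
    suid_changes "$d.before" "$d.after"
    rm -rf "$d" "$d.before" "$d.after"
}

demo
```

Keeping the baseline snapshot on read-only media, as with the floppy mentioned in the thread, prevents it from being altered along with the system it describes.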