At 09:56 PM 10/17/01 -0400, you wrote:
>"Brian Rahill" <[EMAIL PROTECTED]> wrote:
> > I realize that CGI's run as the user but before the past few days I've only
> > seen one user via top. It's just in the past few days that I've seen
> > this.
>
>Coincidence? Are you monitoring the system processes more now? Are your
>users running more CGIs now and/or getting more traffic on their CGI web
>pages?

Thanks for the response Steve. You are always right on the money. Perhaps this is a coincidence but I don't think so. While CGI's run with the permissions of the username in a cgi wrapped environment I don't believe that they show up as a user via the "top" command. I've got some cgi's that take about 20 seconds to completely execute and never show a user via "top".

>I don't see any other regular users. Nothing unusual. If you notice
>something unusual perhaps you can look at the output of "ps aux" (or similar
>flags while running ps) to get more detail, but until another regular user
>appears I wouldn't be concerned. And I'd only be concerned after I knew
>what they were doing. If the command showed as "imapd" for example then
>they're just accessing their email through IMAP. Perhaps you gave some of
>that detail earlier, but I don't recall.

Yes I've done a "ps aux" and have seen nothing unusual. Also, I'm 90% sure that IMAP users don't show up as users via "top". Only thing I can think of is that I've got some chilisoft ASP pages calling a MySQL database. Perhaps that is causing the extra user.

I've basically quit worrying about it. It did run through my mind that a sloppy hacker replaced the ps and w binaries to hide traces of him/herself but forgot top. Probably pretty unlikely. Guess maybe I can start sleeping again.... Once it hits about 5am here I'm going to reboot the server and see if the user comes back immediately.

Brian

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
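
The concern raised in the message above, that ps and w might have been replaced while top was overlooked, can be checked by comparing what ps reports against /proc itself. The script below is an added example, not part of the original message or of any Cobalt tooling; the function names are made up for illustration and it assumes a Linux-style /proc.

```shell
#!/bin/sh
# Cross-view check: compare the PIDs present in /proc with the PIDs ps reports.
# A PID that stays in /proc but never appears in ps output suggests ps is
# filtering its results. Limitation: a kernel-level rootkit can hide a process
# from /proc as well, so a clean result here is not proof of a clean host.

# Print the numeric entries under a proc-style directory, one per line.
# Uses only shell globbing, so it does not depend on the ps binary.
proc_pids() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] && echo "${d##*/}"
    done | sort -n
}

# Print the PIDs that ps reports, one per line.
ps_pids() {
    ps -e -o pid= | tr -d ' ' | sort -n
}

# hidden_pids PROC_LIST PS_LIST: print PIDs in the first file missing from the second.
hidden_pids() {
    grep -vxF -f "$2" "$1" || true
}

# Take both snapshots and report PIDs that are still alive yet absent from ps.
scan() {
    tmp=$(mktemp -d) || return 1
    proc_pids /proc > "$tmp/proc"
    ps_pids > "$tmp/ps"
    for pid in $(hidden_pids "$tmp/proc" "$tmp/ps"); do
        # Skip processes that simply exited between the two snapshots.
        if [ -d "/proc/$pid" ]; then
            echo "PID $pid is in /proc but not in ps output: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
        fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "--scan" ]; then scan; fi
```

Run it as root with `--scan`; the helper binaries it calls (sort, grep, tr) could be tampered with too, so running it with tools from known-good media gives a more trustworthy result.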
