Re: suspicious lpd started

2003-02-11 Thread Bill
On February 11, 2003 02:01 pm, Beach, Ken wrote:
> From: Bill [mailto:[EMAIL PROTECTED]]
>
> > I just want to add lpd is not listening on any port according to
> > lsof or netstat
> >
> > On February 11, 2003 11:57 am, [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > 3 days after starting my potato system lpd started to run.
> > > system started Feb 6
> > > ps output:
> > > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> > > root 6833  0.0  1.3  1052  412 ? SFeb09   0:00 /usr/sbin/lpd
> > > root 6836  0.0  1.5  1076  468 ? SFeb09   0:00 /usr/sbin/lpd
> > > or
> > > root 6833  0.0 1.3 1052  412 ?  S Feb09   0:00 /usr/sbin/lpd
> > > root 6836  0.0  1.5 1076 468 ?  S Feb09   0:00  \_ /usr/sbin/lpd
> > >
> > >
> > > lpd is not in startup or any cron job.  daemon.log is clean
> > > with no evidence of it starting.  no apparent rootkits,
> > > connections, and last/lastlog is clean.  How can this happen?
> > > Any ideas? I have bind running on port 53 (everything else is
> > > filtered)
> > >
> > > thanks
>
> I'm sure you've already checked it, because you said it's not any
> cron job, but by default lpr is stopped and restarted during log
> rotation. The default debian install puts an ldr in cron.weekly.
>
> Worth a thought anyway...
>
> Cheers,
> Ken

Thank you Ken,
You were right! I overlooked that lpr file.  Sorry for the paranoia.
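The restart Ken describes is the kind of thing a triage pass should find before reaching for rootkit scanners: a cron.weekly or logrotate hook that stops and starts the daemon. The script below is an added example, not anything posted in the thread or shipped by Debian. It scans the cron and logrotate directories for lines that name the daemon together with a start/stop/restart/reload/kill action, matching on file content rather than file name (the script that restarts lpd is called "lpr", so a name search would miss it). It builds a throwaway directory of constructed stand-in files so it runs offline; the contents are invented and are not the real potato scripts. On a live system, call find_restart_hooks("/etc", "lpd").

```python
"""Added example: locate cron/logrotate hooks that stop or start a daemon."""
import os
import re
import tempfile

SCAN_DIRS = ("cron.hourly", "cron.daily", "cron.weekly", "cron.monthly",
             "cron.d", "logrotate.d")

# Constructed stand-ins for files under /etc.  The file that touches lpd is
# named "lpr", so grepping file names for the daemon's name would miss it.
SAMPLE_FILES = {
    "cron.weekly/lpr": (
        "#!/bin/sh\n"
        "# constructed stand-in: rotate the lpd log\n"
        "/etc/init.d/lpd stop\n"
        "savelog -c 7 /var/log/lpr.log >/dev/null\n"
        "/etc/init.d/lpd start\n"
    ),
    "cron.daily/sysklogd": (
        "#!/bin/sh\n"
        "# constructed stand-in\n"
        "test -x /usr/sbin/syslogd || exit 0\n"
        "savelog -c 7 /var/log/syslog >/dev/null\n"
        "kill -HUP $(cat /var/run/syslogd.pid)\n"
    ),
    "logrotate.d/apache": (
        "/var/log/apache/*.log {\n"
        "  weekly\n"
        "  postrotate\n"
        "    /etc/init.d/apache reload\n"
        "  endscript\n"
        "}\n"
    ),
}

# Words that indicate a line acts on a daemon rather than merely mentioning it.
ACTION = re.compile(r"\b(start|stop|restart|reload|kill|HUP)\b", re.IGNORECASE)


def write_samples(root):
    """Materialise the constructed files under `root` (mimics /etc)."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)


def find_restart_hooks(root, daemon):
    """Return (relative path, line number, line) for every line under the
    scanned directories that names `daemon` and carries an action word."""
    name = re.compile(r"\b%s\b" % re.escape(daemon))
    hits = []
    for d in SCAN_DIRS:
        dpath = os.path.join(root, d)
        if not os.path.isdir(dpath):
            continue
        for fn in sorted(os.listdir(dpath)):
            fpath = os.path.join(dpath, fn)
            if not os.path.isfile(fpath):
                continue
            with open(fpath, errors="replace") as f:
                for n, line in enumerate(f, 1):
                    if name.search(line) and ACTION.search(line):
                        hits.append(("%s/%s" % (d, fn), n, line.rstrip()))
    return hits


def demo(daemon):
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return find_restart_hooks(root, daemon)


if __name__ == "__main__":
    for hit in demo("lpd"):
        print("%s:%d: %s" % hit)
```

The action-word filter keeps the output short on a real /etc: a line that only mentions the daemon (a comment, a `test -x` guard) is not reported, only lines that actually stop, start or signal it.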



Re: suspicious lpd started

2003-02-11 Thread Jeffrey L. Taylor
What is listening on port 514 (netstat -ant)?

Jeffrey

Quoting Bill <[EMAIL PROTECTED]>:
> I just want to add lpd is not listening on any port according to lsof 
> or netstat
> 
> On February 11, 2003 11:57 am, [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > 3 days after starting my potato system lpd started to run.
> > system started Feb 6
> > ps output:
> > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> > root 6833  0.0  1.3  1052  412 ? SFeb09   0:00 /usr/sbin/lpd
> > root 6836  0.0  1.5  1076  468 ? SFeb09   0:00 /usr/sbin/lpd
> > or
> > root 6833  0.0 1.3 1052  412 ?  S Feb09   0:00 /usr/sbin/lpd
> > root 6836  0.0  1.5 1076 468 ?  S Feb09   0:00  \_ /usr/sbin/lpd
> >
> >
> > lpd is not in startup or any cron job.  daemon.log is clean with no
> > evidence of it starting.  no apparent rootkits, connections, and
> > last/lastlog is clean.  How can this happen? Any ideas? I have bind
> > running on port 53 (everything else is filtered)
> >
> > thanks
> 
> 



Re: suspicious lpd started

2003-02-11 Thread Jeffrey L. Taylor
Quoting [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> Hi,
> 
> 3 days after starting my potato system lpd started to run.
> system started Feb 6
> ps output:
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> root 6833  0.0  1.3  1052  412 ? SFeb09   0:00 /usr/sbin/lpd
> root 6836  0.0  1.5  1076  468 ? SFeb09   0:00 /usr/sbin/lpd
> or 
> root 6833  0.0 1.3 1052  412 ?  S Feb09   0:00 /usr/sbin/lpd
> root 6836  0.0  1.5 1076 468 ?  S Feb09   0:00  \_ /usr/sbin/lpd

Notice the little slash widget here   ^

This indicates that the second instance was forked by the first (i.e.,
it is a child of the first).  Also the PIDs are very close, indicating
that they probably were started at about the same time.  A number of
daemons will fork, persistently fork, or pre-fork to allow multiple
simultaneous connections.  This is generally more robust (read easier
to get right) than handling multiple connections in one process.

The PID is not particularly low (less than 1-2 thousand).  This fits
in with your statement that lpd was not started at boot.

This all looks very normal.  Not to guarantee that your box has not
been cracked, but this isn't evidence of it.

Jeffrey
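Jeffrey's two checks (is the second row a child of the first, and did the daemon start at boot or days later) can be made mechanical if ps is asked for the parent PID and an absolute start time. The script below is an added example, not code from the thread; it parses output in `ps -eo pid,ppid,lstart,comm` layout and reports, for every instance of a daemon, whether it was forked by a sibling instance and whether its start time falls within a grace window of boot. The sample rows and the boot time are constructed (the lpd PIDs and the Feb 6 / Feb 9 dates mirror the thread, the other rows are invented); the poster's own ps lines carry no PPID column, which is why capturing PPID, or `ps axf`, is worth doing during triage. PPID is used instead of "the PIDs are close" because closeness is only a heuristic and PIDs wrap.

```python
"""Added example: parent/child and start-at-boot checks over ps output."""
from datetime import datetime, timedelta

# Constructed sample in `ps -eo pid,ppid,lstart,comm` layout.
SAMPLE_PS = """\
  PID  PPID                  STARTED COMMAND
    1     0 Thu Feb  6 09:12:00 2003 init
  120     1 Thu Feb  6 09:12:30 2003 syslogd
  310     1 Thu Feb  6 09:13:02 2003 named
 6833     1 Sun Feb  9 06:47:01 2003 lpd
 6836  6833 Sun Feb  9 06:47:01 2003 lpd
"""
# Constructed; on a real box take this from `who -b` or /proc/stat btime.
BOOT_TIME = datetime(2003, 2, 6, 9, 12, 0)


def parse_ps(text):
    """Return {pid: {"ppid", "started", "comm"}} from lstart-style ps output."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)            # pid ppid dow mon day hh:mm:ss year comm
        if len(fields) < 8:
            continue
        pid, ppid = int(fields[0]), int(fields[1])
        started = datetime.strptime(" ".join(fields[2:7]), "%a %b %d %H:%M:%S %Y")
        procs[pid] = {"ppid": ppid, "started": started, "comm": fields[7]}
    return procs


def ancestry(procs, pid):
    """Parent chain [pid, ppid, grandparent, ...] up to init; cycles are cut."""
    chain = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def instances(procs, name):
    """Sorted PIDs whose command name equals `name`."""
    return sorted(pid for pid, info in procs.items() if info["comm"] == name)


def assess(procs, name, boot_time, grace=timedelta(minutes=5)):
    """For each instance of `name`: was it forked by another instance (a worker
    child rather than a second independent start), and did it start within
    `grace` of boot?  Also returns the full parent chain for context."""
    pids = instances(procs, name)
    report = {}
    for pid in pids:
        info = procs[pid]
        report[pid] = {
            "forked_from_sibling": info["ppid"] in pids,
            "started_at_boot": timedelta(0) <= info["started"] - boot_time <= grace,
            "chain": ancestry(procs, pid),
        }
    return report


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for pid, r in assess(procs, "lpd", BOOT_TIME).items():
        print(pid, r)
```

For the constructed sample the report says what Jeffrey said: 6836 is a child of 6833, neither lpd instance started at boot, and named did. A daemon whose extra instances are not children of a sibling, or whose start time is unexplained by boot or a known hook, is the case worth digging into.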



Re: suspicious lpd started

2003-02-11 Thread Bill
I just want to add lpd is not listening on any port according to lsof 
or netstat

On February 11, 2003 11:57 am, [EMAIL PROTECTED] wrote:
> Hi,
>
> 3 days after starting my potato system lpd started to run.
> system started Feb 6
> ps output:
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> root 6833  0.0  1.3  1052  412 ? SFeb09   0:00 /usr/sbin/lpd
> root 6836  0.0  1.5  1076  468 ? SFeb09   0:00 /usr/sbin/lpd
> or
> root 6833  0.0 1.3 1052  412 ?  S Feb09   0:00 /usr/sbin/lpd
> root 6836  0.0  1.5 1076 468 ?  S Feb09   0:00  \_ /usr/sbin/lpd
>
>
> lpd is not in startup or any cron job.  daemon.log is clean with no
> evidence of it starting.  no apparent rootkits, connections, and
> last/lastlog is clean.  How can this happen? Any ideas? I have bind
> running on port 53 (everything else is filtered)
>
> thanks



suspicious lpd started

2003-02-11 Thread bill07
Hi,

3 days after starting my potato system lpd started to run.
system started Feb 6
ps output:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 6833  0.0  1.3  1052  412 ? SFeb09   0:00 /usr/sbin/lpd
root 6836  0.0  1.5  1076  468 ? SFeb09   0:00 /usr/sbin/lpd
or 
root 6833  0.0 1.3 1052  412 ?  S Feb09   0:00 /usr/sbin/lpd
root 6836  0.0  1.5 1076 468 ?  S Feb09   0:00  \_ /usr/sbin/lpd


lpd is not in startup or any cron job.  daemon.log is clean with no 
evidence of it starting.  no apparent rootkits, connections, and 
last/lastlog is clean.  How can this happen? Any ideas? I have bind 
running on port 53 (everything else is filtered)

thanks



[francois@tourde.org (François TOURDE)] Re: securing pop3

2003-02-11 Thread François TOURDE
Oops, sorry, first post in a bad list. Here's the correct one...

--- Begin Message ---
"Janus N." Tøndering <[EMAIL PROTECTED]> writes:

> Both /bin/false and /bin/true have been suggested. Any difference in
> using the two?

Yes. /bin/true allows an ftp account, /bin/false does not.

It's an old style ftpaccess technique, but still running.

-- 
Graduate students and most professors are no smarter than undergrads.
They're just older.
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
--- End Message ---


-- 
"Maybe we should think of this as one perfect week... where we found each
other, and loved each other... and then let each other go before anyone
had to seek professional help."
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
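What actually decides the /bin/true versus /bin/false question above is whether the shell is listed in /etc/shells: classic ftpd implementations (and other services that validate the login shell through getusershell() or an equivalent lookup) accept an account only when its shell appears there, so a mail-only POP account given a shell that is in /etc/shells may also be accepted by such a service. The audit below is an added example, not code from the thread; both the passwd and the shells inputs are constructed. It reports, per account, whether the shell is a real login shell and whether a shell-validating service would accept it, and lists the accounts that were meant to be non-interactive yet still pass that check.

```python
"""Added example: audit login shells against /etc/shells."""

# Constructed /etc/passwd excerpt.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
popuser1:x:1002:1002:Mail only:/home/popuser1:/bin/true
popuser2:x:1003:1003:Mail only:/home/popuser2:/bin/false
ftpbox:x:1004:1004:Drop box:/srv/ftp/box:/bin/true
"""

# Constructed /etc/shells.
SAMPLE_SHELLS = """\
# constructed /etc/shells
/bin/sh
/bin/bash
/bin/true
"""

# Shells that exist only to deny an interactive session.
NONINTERACTIVE = ("/bin/true", "/bin/false", "/usr/sbin/nologin", "/sbin/nologin")


def parse_shells(text):
    """Set of shells from /etc/shells (blank lines and comments ignored)."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def audit_accounts(passwd_text, shells_text):
    """Per account: its shell, whether it is a real login shell, and whether a
    shell-validating service would accept it (shell present in /etc/shells)."""
    valid = parse_shells(shells_text)
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, shell = fields[0], fields[6]
        report[name] = {
            "shell": shell,
            "interactive": shell not in NONINTERACTIVE,
            "accepted_by_shell_check": shell in valid,
        }
    return report


def noninteractive_but_accepted(report):
    """Accounts meant to be non-interactive whose shell is nevertheless listed
    in /etc/shells: these pass a getusershell()-style validity check."""
    return sorted(name for name, r in report.items()
                  if not r["interactive"] and r["accepted_by_shell_check"])


if __name__ == "__main__":
    rep = audit_accounts(SAMPLE_PASSWD, SAMPLE_SHELLS)
    for name, r in rep.items():
        print(name, r)
    print("non-interactive but accepted by shell-validating services:",
          noninteractive_but_accepted(rep))
```

On a real system read /etc/passwd and /etc/shells instead of the constructed strings; the accounts returned by noninteractive_but_accepted are the ones to review against what each service (pop3d, ftpd) is expected to allow.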



Unsubscribe

2003-02-11 Thread Schötterl . Jochen



Unsubscribe