Re: [expert] A time problem with ps?...
On Thu, 23 May 2002 20:52:38 -0700 James <[EMAIL PROTECTED]> wrote: > As a routine, there is a program called chkrootkit available at > http://www.chkrootkit.org/ It does a check for know root kits lastlog > deletions, strings replacement and more right now the list of > rootkits/worms is about 30 so it's a pretty current program. Like > anything else it's not a cure all but every tool helps and it runs > fast. I've got it on a daily cron job on mine. > > James Opps one point I forgot if you are going to use it use the -q (quiet only outputs if a problem) and then copy these files (from a known good source) into a hidden directory. egrep, find, head, id, ls, netstat, ps, strings, sed, uname awk cut echo and ps and use the -p option to tell it to use only these files. That way it doesn't use ones that may be compromised already. James > > > On Thu, 23 May 2002 17:50:37 -0600 > FemmeFatale <[EMAIL PROTECTED]> wrote: > > > [EMAIL PROTECTED] wrote: > > > > > > >> > > > I can't address the rest but I do know some stuff about cracking > > > *don't ask, and if you must ask do so pvtly*. I know that the > > > first utils a cracker will replace/redo/delete/alter are: > > > > > > ps/ls/time/cp/rm > > > > > > those are fairly standard, and yes generating phony logs isn't > > > hard. Rootkits are widely available to do so with. Need proof, > > > I'll get you URLs pvtly. > > > > > > If you want some decent info on this subject with a very legal > > > bent, try www.sec33.com. > > > -- > > > Femme > > > >> > > > > > > Add netstat to the short list of favorite utilities to change. > > > I have also, unfortunately (!) gathered some first-hand info > > > about the techniques used... I will check my crucial binaries > > > against the CD ones tonight, it maybe that the md5sums I have > > > were done on already-compromised binaries... > > > > > > Thanks for your time, > > > > > > Serge Pineault > > > > > > > *nods* Ty I did forget that one. I hope you haven't been hacked, and > > doubt it highly in fact. > > > > However in case you have been you have my sympathies & may wish to > > check that site I mentioned as it has tons of info on security too. > > > > -- > > Femme > > > > Good Decisions You boss Made: > > > > "We'll do as you suggest and go with Linux. I've always liked that > > character from Peanuts." > > > > - Source: Dilbert > > > > > > > > Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] A time problem with ps?...
As a routine, there is a program called chkrootkit available at http://www.chkrootkit.org/ It does a check for know root kits lastlog deletions, strings replacement and more right now the list of rootkits/worms is about 30 so it's a pretty current program. Like anything else it's not a cure all but every tool helps and it runs fast. I've got it on a daily cron job on mine. James On Thu, 23 May 2002 17:50:37 -0600 FemmeFatale <[EMAIL PROTECTED]> wrote: > [EMAIL PROTECTED] wrote: > > > > >> > > I can't address the rest but I do know some stuff about cracking > > *don't ask, and if you must ask do so pvtly*. I know that the first > > utils a cracker will replace/redo/delete/alter are: > > > > ps/ls/time/cp/rm > > > > those are fairly standard, and yes generating phony logs isn't hard. > > Rootkits are widely available to do so with. Need proof, I'll get > > you URLs pvtly. > > > > If you want some decent info on this subject with a very legal bent, > > try www.sec33.com. > > -- > > Femme > > >> > > > > Add netstat to the short list of favorite utilities to change. > > I have also, unfortunately (!) gathered some first-hand info > > about the techniques used... I will check my crucial binaries > > against the CD ones tonight, it maybe that the md5sums I have > > were done on already-compromised binaries... > > > > Thanks for your time, > > > > Serge Pineault > > > > *nods* Ty I did forget that one. I hope you haven't been hacked, and > doubt it highly in fact. > > However in case you have been you have my sympathies & may wish to > check that site I mentioned as it has tons of info on security too. > > -- > Femme > > Good Decisions You boss Made: > > "We'll do as you suggest and go with Linux. I've always liked that > character from Peanuts." > > - Source: Dilbert > > > Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] A time problem with ps?...
[EMAIL PROTECTED] wrote: > > >> > I can't address the rest but I do know some stuff about cracking *don't > ask, and if you must ask do so pvtly*. I know that the first utils a > cracker will replace/redo/delete/alter are: > > ps/ls/time/cp/rm > > those are fairly standard, and yes generating phony logs isn't hard. > Rootkits are widely available to do so with. Need proof, I'll get you > URLs pvtly. > > If you want some decent info on this subject with a very legal bent, try > www.sec33.com. > -- > Femme > >> > > Add netstat to the short list of favorite utilities to change. > I have also, unfortunately (!) gathered some first-hand info > about the techniques used... I will check my crucial binaries > against the CD ones tonight, it maybe that the md5sums I have > were done on already-compromised binaries... > > Thanks for your time, > > Serge Pineault > *nods* Ty I did forget that one. I hope you haven't been hacked, and doubt it highly in fact. However in case you have been you have my sympathies & may wish to check that site I mentioned as it has tons of info on security too. -- Femme Good Decisions You boss Made: "We'll do as you suggest and go with Linux. I've always liked that character from Peanuts." - Source: Dilbert Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] A time problem with ps?...
>> I can't address the rest but I do know some stuff about cracking *don't ask, and if you must ask do so pvtly*. I know that the first utils a cracker will replace/redo/delete/alter are: ps/ls/time/cp/rm those are fairly standard, and yes generating phony logs isn't hard. Rootkits are widely available to do so with. Need proof, I'll get you URLs pvtly. If you want some decent info on this subject with a very legal bent, try www.sec33.com. -- Femme >> Add netstat to the short list of favorite utilities to change. I have also, unfortunately (!) gathered some first-hand info about the techniques used... I will check my crucial binaries against the CD ones tonight, it maybe that the md5sums I have were done on already-compromised binaries... Thanks for your time, Serge Pineault Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] A time problem with ps?...
"H.J.Bathoorn" wrote: > > > > Anyhow here is an excerpt from /var/log/syslog from boot time to shutdown > > time on May 20. I also include /etc/crontab and a listing of the /etc/cron* > > directories in case they are relevant. Reminder: I am running LM 7.2. > > I asked because a reboot would be shown in syslog but your's doesn't so you > probably didn't. You knew that, right?:o) > > Strange though that there isn't anything at all being logged around 16.45. > > What did catch my eye was the comment at 16.20.12 with the EXT2 warning. > A partition or filesystem is being mounted (and not for the first time) but > ps doesn't show anything around that time. > > As you stated you have been cracked before, one might think you still are or > have some remnants still in your system. > > I'm no expert on cracking but it would seem to be my first priority (after > breaking in) as a cracker, to cover-up my presence by generating phony system > and log files. > > Maybe somebody else has some pointers on that. > > good luck, > > Harm. I can't address the rest but I do know some stuff about cracking *don't ask, and if you must ask do so pvtly*. I know that the first utils a cracker will replace/redo/delete/alter are: ps/ls/time/cp/rm those are fairly standard, and yes generating phony logs isn't hard. Rootkits are widely available to do so with. Need proof, I'll get you URLs pvtly. If you want some decent info on this subject with a very legal bent, try www.sec33.com. -- Femme Good Decisions You boss Made: "We'll do as you suggest and go with Linux. I've always liked that character from Peanuts." - Source: Dilbert Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] A time problem with ps?...
On Wednesday 22 May 2002 18:21, you wrote: > >Could the machine have powered down or been suspended due to energy-saving > >settings? > > > >Anyway what does /var/log/syslog have to say round about 16.45 and the > >original boot-time? > > > >Good luck, > >Harm > > Hi: > > Powering down would cause the machine to reboot, would it not? And that > obviously did not occur as new terminal windows which I opened just after > booting have been there all the time until shutdown (these windows are > not automatically opened, I do this manually after boot). I asked because I noticed that with LM8.2 my intel mobo lost track of correct time when it suspended. Disabling the powersavings-options in the bios and ntpd got all that right though. The machine can really go to sleep though without needing a reboot to power up again (I think, I never leave it alone long enough;o) > As for energy-saving, I have a regular PC, not a laptop, so I would > guess this would not be involved? I do have a KDE screensaver > active but I am certain this can be dismissed. Take a look at KDE-controlcenter -energy- You might be surprised. > > Anyhow here is an excerpt from /var/log/syslog from boot time to shutdown > time on May 20. I also include /etc/crontab and a listing of the /etc/cron* > directories in case they are relevant. Reminder: I am running LM 7.2. I asked because a reboot would be shown in syslog but your's doesn't so you probably didn't. You knew that, right?:o) Strange though that there isn't anything at all being logged around 16.45. What did catch my eye was the comment at 16.20.12 with the EXT2 warning. A partition or filesystem is being mounted (and not for the first time) but ps doesn't show anything around that time. As you stated you have been cracked before, one might think you still are or have some remnants still in your system. I'm no expert on cracking but it would seem to be my first priority (after breaking in) as a cracker, to cover-up my presence by generating phony system and log files. Maybe somebody else has some pointers on that. good luck, Harm. > > To recap: booting was at 15:55, the command "ps -auxw" run at 16:31 > gave all START column values (without exception) at around 15:55 > (which is of course fine). However, the same command run at 19:50 > showed all values had jumped to around 16:46. It seems > the only things of interest around that time are rmmod commands run > from cron. Why the system would want to remove modules every > 10 minutes is beyond me and, I would guess, unrelated to the > "glitches" in START times shown by "ps -auxw", but who knows... > No more glitches were observed until shutdown around 21:21. > > This glitching is reproducible: I observed the same thing yesterday > (May 21) [boot at 16:39 -- then "ps -auxw" at 20:42 shows all START values > jumped to around 19:03]. > > INCIDENTALLY, and this may (?) be relevant to this "book-keeping" problem, > while going over yesterday's logs, I noticed that the order of > the boot log entries was not strictly chronological: there were many > entries at 16:41 FOLLOWED by entries logged with a time of 16:39. > > ADDITIONAL NOTE: you may notice > numerous "modprobe: Can't locate" lines (char-major, binfmt, > sound-service, sound-slot ...) in the log file which do not seem to > have unwanted consequences, however anybody feel free to tell me how these > can be fixed! > > Thanks all for your time, > > Serge Pineault > > * > * Here are parts of the /var/log/syslog file > * > > > May 20 15:55:56 dhcp-53-79 syslogd 1.4-0: restart. > May 20 15:55:57 dhcp-53-79 syslog: syslogd startup succeeded > May 20 15:55:57 dhcp-53-79 syslog: klogd startup succeeded > May 20 15:55:57 dhcp-53-79 kernel: klogd 1.4-0, log source = /proc/kmsg > started. May 20 15:55:57 dhcp-53-79 kernel: Loaded 7650 symbols from > /boot/System.map-2.2.17-21mdk. May 20 15:55:57 dhcp-53-79 kernel: Symbols > match kernel version 2.2.17. May 20 15:55:57 dhcp-53-79 kernel: Loaded 10 > symbols from 2 modules. May 20 15:55:57 dhcp-53-79 kernel: Linux version > 2.2.17-21mdk ([EMAIL PROTECTED]) (gcc version 2.95.3 19991030 > (prerelease)) #1 Thu Oct 5 13:16:08 CEST 2000 May 20 15:55:57 dhcp-53-79 > kernel: Detected 400915 kHz processor. > May 20 15:55:57 dhcp-53-79 kernel: Console: colour VGA+ 80x25 > May 20 15:55:57 dhcp-53-79 kernel: Calibrating delay loop... 799.54 > BogoMIPS May 20 15:55:57 dhcp-53-79 kernel: Memory: 62724k/65472k available > (1136k kernel code, 416k reserved, 1068k data, 128k init, 0k bigmem) May 20 > 15:55:57 dhcp-53-79 kernel: Dentry hash table entries: 8192 (order 4, 64k) > May 20 15:55:57 dhcp-53-79 kernel: Buffer cache hash table entries: 65536 > (order 6, 256k) May 20 15:55:57 dhcp-53-79 kernel: Page cache hash table > entries: 16384 (order 4, 64k) May 20 15:55:57 dhcp-53-79 kernel: VFS: > Diskquotas version dquot_6.4.0 initialized May 20 15:55:57 dhcp-53-79 > kernel: Intel machine check architecture supported. May 20 1
Re: [expert] A time problem with ps?...
>Could the machine have powered down or been suspended due to energy-saving >settings? > >Anyway what does /var/log/syslog have to say round about 16.45 and the >original boot-time? > >Good luck, >Harm Hi: Powering down would cause the machine to reboot, would it not? And that obviously did not occur as new terminal windows which I opened just after booting have been there all the time until shutdown (these windows are not automatically opened, I do this manually after boot). As for energy-saving, I have a regular PC, not a laptop, so I would guess this would not be involved? I do have a KDE screensaver active but I am certain this can be dismissed. Anyhow here is an excerpt from /var/log/syslog from boot time to shutdown time on May 20. I also include /etc/crontab and a listing of the /etc/cron* directories in case they are relevant. Reminder: I am running LM 7.2. To recap: booting was at 15:55, the command "ps -auxw" run at 16:31 gave all START column values (without exception) at around 15:55 (which is of course fine). However, the same command run at 19:50 showed all values had jumped to around 16:46. It seems the only things of interest around that time are rmmod commands run from cron. Why the system would want to remove modules every 10 minutes is beyond me and, I would guess, unrelated to the "glitches" in START times shown by "ps -auxw", but who knows... No more glitches were observed until shutdown around 21:21. This glitching is reproducible: I observed the same thing yesterday (May 21) [boot at 16:39 -- then "ps -auxw" at 20:42 shows all START values jumped to around 19:03]. INCIDENTALLY, and this may (?) be relevant to this "book-keeping" problem, while going over yesterday's logs, I noticed that the order of the boot log entries was not strictly chronological: there were many entries at 16:41 FOLLOWED by entries logged with a time of 16:39. ADDITIONAL NOTE: you may notice numerous "modprobe: Can't locate" lines (char-major, binfmt, sound-service, sound-slot ...) in the log file which do not seem to have unwanted consequences, however anybody feel free to tell me how these can be fixed! Thanks all for your time, Serge Pineault * * Here are parts of the /var/log/syslog file * May 20 15:55:56 dhcp-53-79 syslogd 1.4-0: restart. May 20 15:55:57 dhcp-53-79 syslog: syslogd startup succeeded May 20 15:55:57 dhcp-53-79 syslog: klogd startup succeeded May 20 15:55:57 dhcp-53-79 kernel: klogd 1.4-0, log source = /proc/kmsg started. May 20 15:55:57 dhcp-53-79 kernel: Loaded 7650 symbols from /boot/System.map-2.2.17-21mdk. May 20 15:55:57 dhcp-53-79 kernel: Symbols match kernel version 2.2.17. May 20 15:55:57 dhcp-53-79 kernel: Loaded 10 symbols from 2 modules. May 20 15:55:57 dhcp-53-79 kernel: Linux version 2.2.17-21mdk ([EMAIL PROTECTED]) (gcc version 2.95.3 19991030 (prerelease)) #1 Thu Oct 5 13:16:08 CEST 2000 May 20 15:55:57 dhcp-53-79 kernel: Detected 400915 kHz processor. May 20 15:55:57 dhcp-53-79 kernel: Console: colour VGA+ 80x25 May 20 15:55:57 dhcp-53-79 kernel: Calibrating delay loop... 799.54 BogoMIPS May 20 15:55:57 dhcp-53-79 kernel: Memory: 62724k/65472k available (1136k kernel code, 416k reserved, 1068k data, 128k init, 0k bigmem) May 20 15:55:57 dhcp-53-79 kernel: Dentry hash table entries: 8192 (order 4, 64k) May 20 15:55:57 dhcp-53-79 kernel: Buffer cache hash table entries: 65536 (order 6, 256k) May 20 15:55:57 dhcp-53-79 kernel: Page cache hash table entries: 16384 (order 4, 64k) May 20 15:55:57 dhcp-53-79 kernel: VFS: Diskquotas version dquot_6.4.0 initialized May 20 15:55:57 dhcp-53-79 kernel: Intel machine check architecture supported. May 20 15:55:57 dhcp-53-79 kernel: Intel machine check reporting enabled on CPU#0. May 20 15:55:57 dhcp-53-79 kernel: CPU: Intel Celeron (Mendocino) stepping 05 May 20 15:55:57 dhcp-53-79 kernel: Checking 386/387 coupling... OK, FPU using exception 16 error reporting. May 20 15:55:57 dhcp-53-79 kernel: Checking 'hlt' instruction... OK. May 20 15:55:57 dhcp-53-79 kernel: POSIX conformance testing by UNIFIX May 20 15:55:57 dhcp-53-79 kernel: mtrr: v1.35a (19990819) Richard Gooch ([EMAIL PROTECTED]) May 20 15:55:57 dhcp-53-79 kernel: PCI: PCI BIOS revision 2.10 entry at 0xf0720, last bus=1 May 20 15:55:57 dhcp-53-79 kernel: PCI: Using configuration type 1 May 20 15:55:57 dhcp-53-79 kernel: PCI: Probing PCI hardware May 20 15:55:57 dhcp-53-79 kernel: Linux NET4.0 for Linux 2.2 May 20 15:55:57 dhcp-53-79 kernel: Based upon Swansea University Computer Society NET3.039 May 20 15:55:57 dhcp-53-79 kernel: NET4: Unix domain sockets 1.0 for Linux NET4.0. May 20 15:55:57 dhcp-53-79 kernel: NET4: Linux TCP/IP 1.0 for NET4.0 May 20 15:55:57 dhcp-53-79 kernel: IP Protocols: ICMP, UDP, TCP, IGMP May 20 15:55:57 dhcp-53-79 kernel: TCP: Hash tables configured (ehash 65536 bhash 65536) May 20 15:55:57 dhcp-53-79 kernel: Initializing RT netlink socket May 20 15:55:57 dhcp-53-79 kernel: Starting kswapd v 1.5 May 20 15:55:57 dh
Re: [expert] A time problem with ps?...
[EMAIL PROTECTED] wrote: > "ps -auxw" > By the way, this is not a question of confusing START time with > TIME running (see below again). Sorry, my output from ps -auxw looks different than yours. On my Mandrake 8.1 it has columns for a (start) date, and a (total run) time, but they are side by side so it is easy to be confused and believe they are a start date and time. Likewise on my Mandrake 7.2 installation. (Aside: I wonder why the difference? -- You seem to have a start *time* instead of date, and the (total run) time that I have.) Anyway, the output from your ps -auxw truly is confusing, and I can't offer an explanation (other than the possibilities others have mentioned, like a restart that you aren't aware of or something equally bizarre or unlikely). >(1) Before I sent the initial message, I checked the archives on the newbie >and expert lists and could not find any related item (mind you, it is not >obvious >to do a search with "ps" or "startup" as keywords...). I also read what >I thought were the relevant manual pages (but maybe I missed some...). > >(2) I sent this message to the expert list, rather than the newbie, because I >genuinely thought the answer was not obvious (I could of course be very >wrong! I might add hopefully...). > >(3) Despite the fact I felt some "guilt" at starting this "newbie versus expert" >thread, there is one thing that sticks to my mind: it is that people >expressing >their opinions on this list do it in a frank and polite way. In that respect, >Randy Kramer's PS to my initial message deserves mention! Thanks for all of the above, and *thanks to all who provided comments* on the "newbie vs. expert" thread. I truly was trying to understand the thinking process of those who might post on one vs. the other, especially when the results were contrary to what I think I would have done. (Understanding your problem more correctly now, I think I would have posted it on the expert list.) And, as others have said (variously): * if it ain't broke, don't fix it * there is not a lot of noise (of this nature) on the expert or beginner's list, so an occasional newbie question on the expert list is not a big (or vice versa) * the more annoying problem is cross posts (that, AFAICT, don't happen that often either) * these lists are among the most useful and effective I've found, which is a credit to the people on the lists -- polite, tolerant, helpful, knowledgable, etc. regards, Randy Kramer Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] A time problem with ps?...
On Tuesday 21 May 2002 18:41, you wrote: > > ** > > I should add that, when I shut the machine down around 21:00, a > final "ps -auxw" showed no changes to the START entries > compared to the ones at 19:50. I David, Could the machine have powered down or been suspended due to energy-saving settings? Anyway what does /var/log/syslog have to say round about 16.45 and the original boot-time? Good luck, Harm Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
[expert] A time problem with ps?...
Hi all: I apologize if it seems like I am trying to revive the "newbie versus expert" thread. This is not the case. I am neither a newbie nor an expert. I am just puzzled by the original problem which I submitted last week, which is that the startup time of ALL tasks started at boot time (including the mother of them all "init") appears to be changing with time as shown by the "ps -auxw" command [examples below] without the machine having been rebooted in between of course. By the way, this is not a question of confusing START time with TIME running (see below again). This looks like (possibly?...?...) a cron problem, but I am at a loss to find out where the actual problem lies. This is either a trivial question, in which case this should have been posted to the newbie list [and, if that turns out to be the case, I pledge this list I will repeatedly hit my head against a suitable wall, a suitable number of times, to be determined by a suitable number of votes from this list...] or a question worth addressing, even if it may have no practical consequences. But then, what is the point of having tools to monitor processes if you cannot thrust the one single information about when a given process actually started? As I mentioned before, I was hacked once and found out that "ps" is one of the usual commands which is first replaced. I do not think this is the case here (I ran an md5sum check on it) but in doubt... Thanks for your time. Serge Pineault P.S. "Explanatory" notes: (1) Before I sent the initial message, I checked the archives on the newbie and expert lists and could not find any related item (mind you, it is not obvious to do a search with "ps" or "startup" as keywords...). I also read what I thought were the relevant manual pages (but maybe I missed some...). (2) I sent this message to the expert list, rather than the newbie, because I genuinely thought the answer was not obvious (I could of course be very wrong! I might add hopefully...). (3) Despite the fact I felt some "guilt" at starting this "newbie versus expert" thread, there is one thing that sticks to my mind: it is that people expressing their opinions on this list do it in a frank and polite way. In that respect, Randy Kramer's PS to my initial message deserves mention! And now for something completely different (I hope there are some Monty Python fans on this list)... Here is the output of two "ps -auxw" commands typed at 16:31 and 19:50 on the same day. Of course the machine had not been rebooted in between. should add that my PC is not permanently ON: I only turn it on when I (or somebody in my family) need to use it. I also have the appropriate sections of the /var/log/messages and crontab files and a listing of the /etc/cron* directories which I can post later if deemed necessary. * Output of "ps -auxw" done at 16:31 -- Booting was at 15:55 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.2 0.7 1064 468 ?S15:55 0:04 init [5] root 2 0.0 0.0 00 ?SW 15:55 0:00 [kflushd] root 3 0.0 0.0 00 ?SW 15:55 0:00 [kupdate] root 4 0.0 0.0 00 ?SW 15:55 0:00 [kswapd] root 5 0.0 0.0 00 ?SW< 15:55 0:00 [mdrecoveryd] root 329 0.0 0.6 1048 392 ?S15:55 0:00 /sbin/dhcpcd -H eth0 root 370 0.0 1.1 1400 764 ?S15:55 0:00 syslogd -m 0 root 380 0.0 1.1 1388 764 ?S15:55 0:00 klogd -k /boot/System.map-2.2.17-21mdk root 393 0.0 0.9 1280 632 ?S15:55 0:00 crond root 406 0.0 0.6 1056 432 ?S15:55 0:00 inetd root 419 0.1 6.8 6516 ?S15:55 0:02 cupsd root 463 0.0 0.6 1088 440 ?S15:55 0:00 gpm -t ps/2 xfs478 0.0 5.0 4244 3304 ?S15:56 0:01 xfs -port -1 -daemon root 492 0.0 0.6 1032 404 tty1 S15:56 0:00 /sbin/mingetty tty1 root 493 0.0 0.6 1032 404 tty2 S15:56 0:00 /sbin/mingetty tty2 root 494 0.0 0.6 1032 404 tty3 S15:56 0:00 /sbin/mingetty tty3 root 495 0.0 0.6 1032 404 tty4 S15:56 0:00 /sbin/mingetty tty4 root 496 0.0 0.6 1032 404 tty5 S15:56 0:00 /sbin/mingetty tty5 root 497 0.0 0.6 1032 404 tty6 S15:56 0:00 /sbin/mingetty tty6 root 498 0.1 5.5 12152 3600 ?S15:56 0:03 kdm -nodaemon root 508 0.7 8.3 10892 5452 ?R15:56 0:16 /etc/X11/X -auth /etc/X11/xdm/authdir/A:0-ljEXI5 root 547 0.0 10.6 13420 6948 ?S15:56 0:00 -:0 lp 619 0.0 1.0 2212 652 ?S15:56 0:00 hp 119 bozo (stdin) 1 //var/spool/cups/d00119-001 root 620 0.0 0.6 1444 420 ?S