[K12OSN] Re: Help: System intrusion through ssh and a weak password
Christopher K. Johnson
ckjohnson at gwi.net
Wed May 9 20:15:26 UTC 2007
Tom Astle wrote:
> A user without an entry in /etc/passwd perhaps?
>
> Jim Christiansen wrote:
>> Any Idea what or WHO '68' is??
>>
>>
>> avahi 2854 0.0 0.0 23088 332 ? Ss May08 0:00 avahi-daemon: chroot helper
>> 68 2865 0.0 0.2 27172 4232 ? Ss May08 0:01 hald
>> root 2866 0.0 0.0 17384 928 ? S May08 0:00 hald-runner
>> 68 2872 0.0 0.0 12268 804 ? S May08 0:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
>> 68 2876 0.0 0.0 12264 796 ? S May08 0:00 hald-addon-keyboard: listening on /dev/input/event1
>> root 2888 0.0 0.0 10172 636 ? S May08 0:00 hald-addon-storage: polling /dev/hda
>> root 2904 0.0 0.0 3764 388 ? Ss May08 0:00 /usr/sbin/ltspswapd -s /var/opt/ltsp/swapfiles/
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> K12OSN mailing list
>> K12OSN at redhat.com
>> https://www.redhat.com/mailman/listinfo/k12osn
>> For more info see <http://www.k12os.org>
>
grep 68 /etc/passwd
The account is haldaemon, which, I suspect, being longer than 8 characters, was
suppressed in that ps display in favor of haldaemon's uid.
It works the same on my Fedora system.
Chris
--
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #804005699817957
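
An added example, not part of the original thread: a small triage helper that takes ps-style lines on stdin and a passwd file, matches each numeric USER value against the UID field exactly (a plain grep for 68 also hits any line that merely contains "68"), and separates the long-account-name case from a UID with no account at all. The function name, the verdict labels, the passwd fields and UID 1234 are constructed for illustration; the 8-character threshold is the one given in the reply above.

```shell
#!/bin/sh
# resolve_numeric_users PASSWD_FILE   (ps-style lines on stdin)
# Prints one line per distinct numeric USER value: "<uid> <name> <verdict>"
resolve_numeric_users() {
    passwd_file=$1
    awk '
        # Pass 1: passwd file, map UID (field 3) to account name (field 1).
        pass == 1 { name[$3] = $1; next }
        # Pass 2: ps lines; only a purely numeric USER column is of interest.
        $1 ~ /^[0-9]+$/ && !seen[$1]++ {
            if (!($1 in name))
                print $1, "-", "no-passwd-entry"      # UID without an account
            else if (length(name[$1]) > 8)
                print $1, name[$1], "long-name"       # name too wide for the column
            else
                print $1, name[$1], "short-name"      # has an account, still numeric
        }
    ' pass=1 FS=: "$passwd_file" pass=2 FS=' ' -
}

# Constructed sample data. The haldaemon/68 pairing and the first four ps
# lines follow the thread; UID 1234 is invented to show the no-account case.
demo() {
    pw=$(mktemp)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'haldaemon:x:68:68:HAL daemon:/:/sbin/nologin' > "$pw"
    printf '%s\n' \
        'USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND' \
        '68 2865 0.0 0.2 27172 4232 ? Ss May08 0:01 hald' \
        'root 2866 0.0 0.0 17384 928 ? S May08 0:00 hald-runner' \
        '68 2872 0.0 0.0 12268 804 ? S May08 0:00 hald-addon-acpi' \
        '1234 3000 0.0 0.0 1000 100 ? S May08 0:00 sampleproc' |
        resolve_numeric_users "$pw"
    rm -f "$pw"
}

demo
```

On a live system the same function can be fed with `ps aux | resolve_numeric_users /etc/passwd`; accounts served from a directory service rather than the local file will show up as no-passwd-entry and need a `getent passwd <uid>` lookup instead.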