[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Two Users via Top??
- Subject: Re: [cobalt-security] Two Users via Top??
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Wed, 17 Oct 2001 21:56:47 -0400
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
"Brian Rahill" <cobalt@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> I realize that CGI's run as the user but before the past few days I've
only
> seen one user via top. It's just in the past few days that I've seen
> this.
Coincidence? Are you monitoring the system processes more now? Are your
users running more CGIs now and/or getting more traffic on their CGI web
pages?
> It really freaked me at first...I immediately thought "hack in
> progress..." But it been a few days and all VISIBLE signs are that
> everything is ok.
I don't find the fact that other users appeared in the output of top to be
unusual. YMMV.
> Here's my top:
<snip>
> PID USER PRI NI SIZE RSS SHARE STAT LIB %CPU %MEM TIME
COMMAND
> 22133 admin 6 0 900 900 680 R 0 2.3 0.3 0:01 top
> 4604 httpd 0 0 13232 12M 12488 S 0 0.1 5.1 0:07 httpd
> 5417 httpd 0 0 13224 12M 12468 S 0 0.1 5.1 0:07 httpd
> 22022 root 0 0 1456 1448 1140 S 0 0.1 0.5 0:00 sshd
> 777 mysql 0 0 2224 2224 1616 S 0 0.0 0.8 0:00 mysqld
>
> Any thoughts?
I don't see any other regular users. Nothing unusual. If you notice
something unusual perhaps you can look at the output of "ps aux" (or similar
flags while running ps) to get more detail, but until another regular user
appears I wouldn't be concerned. And I'd only be concerned after I knew
what they were doing. If the command showed as "imapd" for example then
they're just accessing their email through IMAP. Perhaps you gave some of
that detail earlier, but I don't recall.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/