
Re: [cobalt-security] Two Users via Top??



At 09:56 PM 10/17/01 -0400, you wrote:
"Brian Rahill" <cobalt@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> I realize that CGIs run as the user but before the past few days I've only
> seen one user via top.  It's just in the past few days that I've seen
> this.

Coincidence?  Are you monitoring the system processes more now?  Are your
users running more CGIs now and/or getting more traffic on their CGI web
pages?

Thanks for the response, Steve. You are always right on the money. Perhaps this is a coincidence but I don't think so. While CGIs run with the permissions of the username in a CGI-wrapped environment, I don't believe that they show up as a user via the "top" command. I've got some CGIs that take about 20 seconds to completely execute and never show a user via "top".

I don't see any other regular users.  Nothing unusual.  If you notice
something unusual perhaps you can look at the output of "ps aux" (or similar
flags while running ps) to get more detail, but until another regular user
appears I wouldn't be concerned.  And I'd only be concerned after I knew
what they were doing.  If the command showed as "imapd" for example then
they're just accessing their email through IMAP.  Perhaps you gave some of
that detail earlier, but I don't recall.

Yes, I've done a "ps aux" and have seen nothing unusual. Also, I'm 90% sure that IMAP users don't show up as users via "top".

Only thing I can think of is that I've got some chilisoft ASP pages calling a MySQL database. Perhaps that is causing the extra user.

I've basically quit worrying about it. It did run through my mind that a sloppy hacker replaced the ps and w binaries to hide traces of him/herself but forgot top. Probably pretty unlikely.

Guess maybe I can start sleeping again.... Once it hits about 5am here I'm going to reboot the server and see if the user comes back immediately.

Brian
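
Added example, not part of the original message or thread: a cross-view check for the worry raised above that `ps` might have been replaced. It compares the PIDs the kernel lists in `/proc` with the PIDs `ps aux` reports. The function names and the sample data are constructed for illustration.

```python
import os
import subprocess

def proc_pids(proc_root="/proc"):
    """PIDs listed by the kernel in /proc, read without ps, w or top."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def ps_pids(ps_output):
    """PIDs found in `ps aux` text; PID is the second column."""
    pids = set()
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 2)
        if len(fields) >= 2 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids

def hidden_from_ps(before, ps_output, after):
    """PIDs in /proc both before and after ps ran, yet absent from ps.

    Requiring both snapshots drops processes that merely started or exited
    while ps was running, which would otherwise be false positives.
    """
    return sorted((before & after) - ps_pids(ps_output))

# Constructed sample: PID 4242 is in both /proc snapshots but not in ps.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1120  476 ?        S    Oct16   0:04 init
httpd      812  0.2  1.9  9876 4980 ?        S    Oct16   1:12 httpd
admin     1377  0.0  0.4  2500 1100 pts/0    S    21:40   0:00 -bash
admin     1402  0.0  0.3  2300  900 pts/0    R    21:56   0:00 ps aux
"""
SAMPLE_BEFORE = {1, 812, 1377, 4242, 1390}   # 1390 exits before ps runs
SAMPLE_AFTER = {1, 812, 1377, 4242, 1410}    # 1410 starts after ps ran

if __name__ == "__main__":
    # Live run: snapshot /proc, run ps, snapshot /proc again, then compare.
    before = proc_pids()
    out = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
    after = proc_pids()
    print("in /proc but not in ps:", hidden_from_ps(before, out, after))
```

This only catches a tampered userland binary; hiding done inside the kernel filters `/proc` as well. Verifying the `ps`, `w` and `top` binaries against package checksums from known-good media covers that gap better than any comparison run on the suspect host.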