On Fri, 2007-03-09 at 15:47 +0100, Jes Kasper Klittum wrote:
> What do these commands show:
>
> w
> last
> ps -auxww | grep pts
>
> /Jes
>
Sorry guys, been real busy since this morning and still multi-tasking.
The server is a backup, so not a priority, but would like to see for
sure. I'll try to run chkrootkit tomorrow. Of course, this ftp access is
from me below... how can I possibly find the bomb that Ramon mentioned
before it goes off? Remote server.

[root@bq ~]# w
 19:17:28 up 35 days, 9:59, 1 user, load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/0    ftp.webtent.org   19:17    0.00s  0.08s  0.00s w

[root@bq ~]# last
root     pts/0        ftp.webtent.org  Fri Mar  9 19:17   still logged in
root     pts/0        ftp.webtent.org  Fri Mar  9 09:15 - 11:24  (02:08)
root     pts/0        ftp.webtent.org  Fri Mar  9 08:16 - 08:31  (00:14)
root     ttyS0                         Fri Mar  9 08:08 - 13:19  (05:11)
root     pts/0        aca25f24.ipt.aol Sun Feb 11 01:20 - 08:16 (26+06:56)
root     pts/0        193.77.122.4     Thu Feb  8 20:30 - 01:20 (2+04:49)
root     pts/0        ac908722.ipt.aol Mon Feb  5 23:19 - 20:30 (2+21:11)
root     pts/0        ftp.webtent.org  Sat Feb  3 09:54 - 10:33  (00:39)
root     pts/0        ftp.webtent.org  Fri Feb  2 13:48 - 16:10  (02:22)
root     pts/0        ftp.webtent.org  Fri Feb  2 12:48 - 13:26  (00:37)
root     pts/1        ftp.webtent.org  Fri Feb  2 11:21 - 13:22  (02:00)
root     pts/0        ftp.webtent.org  Fri Feb  2 09:19 - 11:42  (02:22)
reboot   system boot  2.6.16           Fri Feb  2 09:17          (35+09:59)
root     pts/1        ftp.webtent.org  Fri Feb  2 09:14 - down   (00:01)
root     pts/0        ftp.webtent.org  Fri Feb  2 09:12 - down   (00:03)
root     pts/0        ftp.webtent.org  Fri Feb  2 09:12 - 09:12  (00:00)
root     pts/0        ftp.webtent.org  Fri Feb  2 09:06 - 09:12  (00:06)
root     pts/0        ftp.webtent.org  Thu Feb  1 18:03 - 18:21  (00:17)

wtmp begins Thu Feb  1 18:03:31 2007

[root@bq ~]# ps -auxww | grep pts
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
Segmentation fault

--
Robert
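
One way to triage `last` output like the listing in the message above, as an added example that is not part of the original post: it parses each login record and reports sessions from hosts outside an expected set or lasting more than a day. The function names, and the assumption that ftp.webtent.org is the only expected source host, are illustrative.

```python
import re

# Start-of-session timestamp as printed by last(1), e.g. "Sun Feb 11 01:20".
DATE = re.compile(r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}")
# Session length, e.g. "(02:08)" or "(26+06:56)", where 26 is whole days.
DURATION = re.compile(r"\((?:(\d+)\+)?(\d{2}):(\d{2})\)")

# Lines copied from the `last` output in the message above (a subset).
SAMPLE = """\
root pts/0 ftp.webtent.org Fri Mar 9 19:17 still logged in
root ttyS0 Fri Mar 9 08:08 - 13:19 (05:11)
root pts/0 aca25f24.ipt.aol Sun Feb 11 01:20 - 08:16 (26+06:56)
root pts/0 193.77.122.4 Thu Feb 8 20:30 - 01:20 (2+04:49)
root pts/0 ac908722.ipt.aol Mon Feb 5 23:19 - 20:30 (2+21:11)
root pts/0 ftp.webtent.org Sat Feb 3 09:54 - 10:33 (00:39)
reboot system boot 2.6.16 Fri Feb 2 09:17 (35+09:59)
root pts/1 ftp.webtent.org Fri Feb 2 09:14 - down (00:01)
wtmp begins Thu Feb 1 18:03:31 2007
"""

def parse_last(text):
    """Yield (user, tty, host, login, days) for each login record."""
    for line in text.splitlines():
        m = DATE.search(line)
        if not m or line.startswith("wtmp begins"):
            continue  # blank lines and the trailer line
        fields = line[:m.start()].split()
        if len(fields) < 2 or fields[0] in ("reboot", "shutdown"):
            continue  # pseudo-users written at boot/halt, not logins
        host = fields[2] if len(fields) > 2 else ""  # empty: local or serial console
        d = DURATION.search(line, m.end())
        days = int(d.group(1) or 0) if d else 0  # no duration: still logged in
        yield fields[0], fields[1], host, " ".join(m.group(0).split()), days

def triage(text, expected_hosts, max_days=0):
    """Return [(login, host, reasons)] for sessions worth a closer look."""
    findings = []
    for user, tty, host, login, days in parse_last(text):
        reasons = []
        if host and host not in expected_hosts:
            reasons.append("unexpected host")
        if days > max_days:
            reasons.append(f"lasted {days}+ days")
        if reasons:
            findings.append((login, host, reasons))
    return findings

if __name__ == "__main__":
    # Assumption: ftp.webtent.org is the only host the admin logs in from.
    for login, host, reasons in triage(SAMPLE, {"ftp.webtent.org"}):
        print(f"{login:<17} {host:<17} {', '.join(reasons)}")
```

wtmp is writable by root, so an empty result from this check does not establish that no other logins occurred.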