hi there. just a suggestion:
your initsys process seems to have come up together with the other ones (01:05). so maybe you can find an initscript somewhere that starts it? as the pid is higher than the one of reiserfsd, it should be started somewhere after it.
what does pstree say?
does this help?
-----Original Message-----
From: Robert Schelander [mailto:rschelander@aon.at]
Sent: Monday, 2 June 2003 02:57
To: suse-security(a)suse.com
Subject: [suse-security] initsys process / rootkit? trojan?
Does someone know what this 'initsys' process is good for? I've never seen
it on any of my systems before. Could it be part of a rootkit? I found the
binary in /usr/bin/initsys
thanks in advance
Robert
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.2 0.0 448 64 ? S 01:05 0:07 init [5]
root 2 0.0 0.0 0 0 ? SW 01:05 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW 01:05 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN 01:05 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW 01:05 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW 01:05 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 01:05 0:00 [kupdated]
root 10 0.0 0.0 0 0 ? SW< 01:05 0:00 [mdrecoveryd]
root 14 0.0 0.0 0 0 ? DW 01:05 0:00 [hpt_wt]
root 15 0.0 0.0 0 0 ? SW 01:05 0:00 [kreiserfsd]
root 23 0.0 0.2 1312 332 ? S 01:05 0:00 initsys
root 256 0.0 0.5 1840 640 ? S 01:05 0:00 /usr/sbin/apmd
root 410 0.0 0.5 1408 640 ? S 01:05 0:00 /sbin/syslogd
root 413 0.0 0.8 1904 1116 ? S 01:05 0:00 /sbin/klogd -c 1
root 449 0.0 0.0 0 0 ? SW 01:05 0:00 [khubd]
bin 693 0.0 0.3 1344 404 ? S 01:05 0:00 /sbin/portmap
.....
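The reasoning in the reply (same START time as init, PID just after the kernel threads), as an added example that is not part of the original thread: it parses the ps listing from the message, with wrapped lines rejoined, and reports where a named process sits in the boot order. The function names are assumptions made for this illustration.

```python
# Constructed sample: the ps listing quoted in the message, wrapped lines rejoined.
PS_OUTPUT = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.2 0.0 448 64 ? S 01:05 0:07 init [5]
root 2 0.0 0.0 0 0 ? SW 01:05 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW 01:05 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN 01:05 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW 01:05 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW 01:05 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 01:05 0:00 [kupdated]
root 10 0.0 0.0 0 0 ? SW< 01:05 0:00 [mdrecoveryd]
root 14 0.0 0.0 0 0 ? DW 01:05 0:00 [hpt_wt]
root 15 0.0 0.0 0 0 ? SW 01:05 0:00 [kreiserfsd]
root 23 0.0 0.2 1312 332 ? S 01:05 0:00 initsys
root 256 0.0 0.5 1840 640 ? S 01:05 0:00 /usr/sbin/apmd
root 410 0.0 0.5 1408 640 ? S 01:05 0:00 /sbin/syslogd
root 413 0.0 0.8 1904 1116 ? S 01:05 0:00 /sbin/klogd -c 1
root 449 0.0 0.0 0 0 ? SW 01:05 0:00 [khubd]
bin 693 0.0 0.3 1344 404 ? S 01:05 0:00 /sbin/portmap
"""

def parse_ps(text):
    """Parse `ps aux`-style rows into dicts sorted by PID (hypothetical helper)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split(None, 10)  # COMMAND is the 11th field and may contain spaces
        if len(f) == 11 and f[1].isdigit():
            rows.append({"pid": int(f[1]), "vsz": int(f[4]),
                         "start": f[8], "cmd": f[10]})
    return sorted(rows, key=lambda r: r["pid"])

def is_kernel_thread(row):
    # Kernel threads have no user address space: VSZ is 0 and ps brackets the name.
    return row["vsz"] == 0 and row["cmd"].startswith("[")

def boot_window(rows, name):
    """Facts that narrow down when, and by what, a process was started."""
    idx = next((i for i, r in enumerate(rows) if r["cmd"].split()[0] == name), None)
    if idx is None:
        raise ValueError(f"{name} not in listing")
    t = rows[idx]
    return {"pid": t["pid"],
            "same_start_as_init": t["start"] == rows[0]["start"],  # rows[0] is PID 1
            "after": rows[idx - 1]["cmd"] if idx else None,
            "before": rows[idx + 1]["cmd"] if idx + 1 < len(rows) else None,
            "kernel_thread": is_kernel_thread(t),
            "absolute_path": t["cmd"].startswith("/")}

if __name__ == "__main__":
    print(boot_window(parse_ps(PS_OUTPUT), "initsys"))
```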