sambit wrote:
Hi, my system is connected to the network by DSL. I do not know, sometimes I found a lot of activity in my system, and when I checked the system each time I found this process:
sambit@linux:~ > ps -ef | grep find
nobody 6612 6610 0 00:15 ? 00:00:00 su nobody -c /usr/bin/find / \( -fstype nfs -o -fstype NFS -o -fstype proc -o -fstype afs -o -fstype smbfs -o -fstype autofs -o -type d -regex '\(^/S.u.S.E.$\)\|\(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\)' \) -prune -o -print
root 6613 6590 0 00:15 ? 00:00:00 /usr/lib/find/frcode
nobody 6614 6612 7 00:15 ? 00:00:09 /usr/bin/find / ( -fstype nfs -o -fstype NFS -o -fstype proc -o -fstype afs -o -fstype smbfs -o -fstype autofs -o -type d -regex \(^/S.u.S.E.$\)\|\(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\) ) -prune -o -pri
that seems to be the updatedb for locate, it's started via cron every night. maybe this hangs around because of smb shares which are disconnected or uncleanly unmounted, also nfs maybe...
I checked my DSL router log files also.
I found some information like this:
01/23/2002 08:20:52 Unrecognized access from 211.219.231.67:2016 to TCP port 27374
01/23/2002 08:44:12 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 08:44:14 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 11:07:09 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:12 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:18 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
that's 'normal' subnet scanning for subseven (windows trojan). you can safely ignore that if you don't have a windows box directly connected to the internet (or forwarded that port to windows ;)

--
intraDAT AG                      http://www.intradat.com
Wilhelm-Leuschner-Strasse 7      Tel: +49 69-25629-0
D - 60329 Frankfurt am Main      Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
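
The triage applied to the router log in this thread, written out as an added example (not code from either poster): it groups the "Unrecognized access" lines by destination port and marks a port for review only when it is forwarded to an inside host, which is the caveat in the reply. The `forwarded_ports` parameter, the label for port 1080 and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the six router log lines quoted in the thread.
SAMPLE_LOG = """\
01/23/2002 08:20:52 Unrecognized access from 211.219.231.67:2016 to TCP port 27374
01/23/2002 08:44:12 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 08:44:14 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 11:07:09 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:12 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:18 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
"""

# 27374 is identified in the thread; the 1080 label is added here (assumption).
KNOWN_PORTS = {27374: "SubSeven trojan default port", 1080: "SOCKS proxy"}

LINE_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} Unrecognized access from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)

def parse(log_text):
    """Return (events, unparsed); lines that do not match are kept, not dropped."""
    events, unparsed = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append((m["src"], m["proto"], int(m["dport"])))
        else:
            unparsed.append(line)
    return events, unparsed

def summarize(events, forwarded_ports=()):
    """Per (proto, port): hit count, distinct sources, label, and a review flag
    that is set only when the probed port is forwarded to an inside host."""
    by_port = defaultdict(lambda: {"hits": 0, "sources": set()})
    for src, proto, dport in events:
        by_port[(proto, dport)]["hits"] += 1
        by_port[(proto, dport)]["sources"].add(src)
    return {
        key: {"hits": e["hits"], "sources": sorted(e["sources"]),
              "label": KNOWN_PORTS.get(key[1], "unlabelled"),
              "review": key[1] in forwarded_ports}
        for key, e in by_port.items()
    }

if __name__ == "__main__":
    for key, info in summarize(parse(SAMPLE_LOG)[0]).items():
        print(key, info)
```
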