[ale] Nobody's busy -- Have I been hacked?

John Mills jmmills at avana.net
Mon Sep 4 22:40:00 EDT 2000


Hello -

I am trying to understand something my system did, and would like to know
if it means I've been hacked. 

I'm sorry that I don't have a very coherent presentation here.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

System Context:
RH4.2 (ELF/libc.so.5) updated by now to Linux-2.0.33
dual-boot with Win95A (installed from MS bootable diskette distribution)

Sequence of events:
1. Clock setting is frequently corrupt -- I have been blaming Win95, as I
   noticed the problem since I installed the Win95 Y2K patch. The clock is
   typically set a year or so out of date - in particular, when I first
   saw this, it had been set to Jan 1 1999.

2. I connect to my ISP and reset my clock with 'ntpdate', thus:
      #! /bin/sh
      /usr/local/bin/ntpdate <ntp-server> ; clock -w ; date

3. After a short time (c. 30 sec), I start to see continuing disk access.

4. When I look (with 'ps -aux') to see what's doing the disk activity, I
find:

(apparently normal user activity - me)
[...]
nobody     581  0.0  0.8  1124   572  ?  S   21:22   0:00 su nobody -c /usr/bin/updatedb --output=/tmp/locatedb.578 --localpaths='/' --prunepaths='/tmp /var/tmp /usr/
nobody     582  0.0  0.8  1184   524  ?  S   21:22   0:00 sh -c /usr/bin/updatedb --output=/tmp/locatedb.578 --localpaths='/' --prunepaths='/tmp /var/tmp /usr/tmp /af
nobody     583  0.0  0.8  1200   568  ?  S   21:22   0:00 sh /usr/bin/updatedb --output=/tmp/locatedb.578 --localpaths=/ --prunepaths=/tmp /var/tmp /usr/tmp /afs --ne
nobody     611  0.0  0.8  1200   568  ?  S   21:22   0:00 sh /usr/bin/updatedb --output=/tmp/locatedb.578 --localpaths=/ --prunepaths=/tmp /var/tmp /usr/tmp /afs --ne
nobody     612 17.8  0.6   972   424  ?  D   21:22   0:19 find / ( -fstype nfs -o -fstype NFS -o -type d -regex \(^/tmp$\)\|\(^/var/tmp$\)\|\(^/usr/tmp$\)\|\(^/afs$\)
nobody     613  0.2  2.0  1968  1332  ?  S   21:22   0:00 sort -f 
nobody     614  0.0  0.3   868   240  ?  S   21:22   0:00 frcode 
(apparently normal 'root' activity)
[...]
root       526  0.0  0.6   904   412  ?  S   21:22   0:00 CROND 
root       529  0.0  0.6   904   412  ?  S   21:22   0:00 CROND 
root       534  0.0  0.8  1192   548  ?  S   21:22   0:00 bash /usr/bin/run-parts /etc/cron.daily 
root       537  0.0  0.8  1192   548  ?  S   21:22   0:00 bash /usr/bin/run-parts /etc/cron.weekly 
root       539  0.0  0.8  1184   528  ?  S   21:22   0:00 bash /etc/cron.weekly/makewhatis.cron 
root       540  0.2  0.9  1252   616  ?  S   21:22   0:00 sh /usr/sbin/makewhatis -w 
root       578  0.0  0.8  1184   528  ?  S   21:22   0:00 bash /etc/cron.daily/updatedb.cron 
[...]
(Tasks I started)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I checked the 'nobody' user:

/etc/passwd has:
nobody:*:99:99:Nobody:/:


/etc/group has:
nobody::99:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I killed the tasks and disabled the 'nobody' login, since I didn't know
what was up.

Who is 'Nobody' and why is s/he so busy here?

Thanks for any insight.

Regards -
 John Mills
