On Fri, Nov 16, 2001 at 01:55:00PM -0600, Chad C. Walstrom wrote: > On Fri, Nov 16, 2001 at 10:58:48AM -0600, Ursula A. Kallio wrote: > > Now you have me curious. Any reason why you would "PULL THE NETWORK AND > > THE POWER PLUGS!"? Please explain what you are reacting to. > > Florin is implying that the box was hacked. If you are in a production > environment working for a company, the best way to make sure that you > can make an insurance claim for computer hacking/espionage, you need to > preserve the machine at its current state. That means no flush to disk, > no further network connections, etc. This means pull the power and let > the machine crash. You then hire a data extraction and security company > to examine the data on disk w/diagnostic tools. I.e. rebooting the > computer with a ramdisk image and mounting the harddrives as read only. > > I'm going to do a google search on those process names and see if > anything turns up. Chances are that this isn't a big deal. If this > were a serious hack, you wouldn't see process names like P43r or other > 1337 speak. You would see something like sendmail, or sshd. Trojans, > etc. Thanks for all the various input. It's not commercial, and it's just my laptop. I have to look at some other machines and logs, but it seems to be most likely related to some cron jobs that the laptop in question isn't usually awake for at the time they're scheduled to run. If it was a hack, it was pretty good, because the only ports open on the fire wall are .80 (not the machine in question), .25 (also not this machine) and ssh (*still* not this machine.) everything else is MASQ'd. So if my server isn't hosed (and it isn't) odds of a hack seem pretty low. Thanks again. If something interesting turns up from the investigation, I'll pass it on. -- I used to like HP before computers, and once I even liked Compaq, but I liked DEC better than HP and Compaq put together.