suspicious lpd started

To: debian-security@lists.debian.org
Subject: suspicious lpd started
From: bill07@shaw.ca
Date: Tue, 11 Feb 2003 11:57:00 -0600
Message-id: <[🔎] 200302111157.00557.bill07@shaw.ca>

Hi,

3 days after starting my potato system lpd started to run.
system started Feb 6
ps output:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 6833  0.0  1.3  1052  412 ? S    Feb09   0:00 /usr/sbin/lpd
root 6836  0.0  1.5  1076  468 ? S    Feb09   0:00 /usr/sbin/lpd
or 
root 6833  0.0 1.3 1052  412 ?  S Feb09   0:00 /usr/sbin/lpd
root 6836  0.0  1.5 1076 468 ?  S Feb09   0:00  \_ /usr/sbin/lpd


lpd is not in startup or any cron job.  daemon.log is clean with no 
evidence of it starting.  no apparent rootkits, connections, and 
last/lastlog is clean.  How can this happen? Any ideas? I have bind 
running on port 53 (everything else is filtered)

thanks

Reply to:

Follow-Ups:
- Re: suspicious lpd started
  - From: Bill <bill07@shaw.ca>
- Re: suspicious lpd started
  - From: "Jeffrey L. Taylor" <jeff@austinblues.dyndns.org>

Prev by Date: [francois@tourde.org (François TOURDE)] Re: securing pop3
Next by Date: Re: suspicious lpd started
Previous by thread: [francois@tourde.org (François TOURDE)] Re: securing pop3
Next by thread: Re: suspicious lpd started
Index(es):
- Date
- Thread