Re: suspicious lpd started

To: debian-security@lists.debian.org
Subject: Re: suspicious lpd started
From: "Jeffrey L. Taylor" <jeff@austinblues.dyndns.org>
Date: Tue, 11 Feb 2003 12:57:03 -0600
Message-id: <[🔎] 20030211185703.GC1999@pogo.bearhouse.lan>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 200302111157.00557.bill07@shaw.ca>
References: <[🔎] 200302111157.00557.bill07@shaw.ca>

Quoting bill07@shaw.ca <bill07@shaw.ca>:
> Hi,
> 
> 3 days after starting my potato system lpd started to run.
> system started Feb 6
> ps output:
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> root 6833  0.0  1.3  1052  412 ? S    Feb09   0:00 /usr/sbin/lpd
> root 6836  0.0  1.5  1076  468 ? S    Feb09   0:00 /usr/sbin/lpd
> or 
> root 6833  0.0 1.3 1052  412 ?  S Feb09   0:00 /usr/sbin/lpd
> root 6836  0.0  1.5 1076 468 ?  S Feb09   0:00  \_ /usr/sbin/lpd

Notice the little slash widget here               ^

This indicates that the second instance was forked by the first (i.e.,
it is a child of the first).  Also the PIDs are very close, indicating
that they probably were started at about the same time.  A number of
daemons will fork, persisently fork, or pre-fork to allow multiple
simultaneous connections.  This is generally more robust (read easier
to get right) than handling multiple connections in one process.

The PID is not particularly low (less than 1-2 thousand).  This fits
in with your statement that lpd was not started at boot.

This all looks very normal.  Not to guarantee that your box has not
been cracked, but this isn't evidence of it.

Jeffrey

Reply to:

References:
- suspicious lpd started
  - From: bill07@shaw.ca

Prev by Date: Re: suspicious lpd started
Next by Date: Re: suspicious lpd started
Previous by thread: Re: suspicious lpd started
Next by thread: Re: suspicious lpd started
Index(es):
- Date
- Thread