Re: suspicious lpd started

To: "Beach, Ken" <kbeach@ldrind.com>
Cc: debian-security@lists.debian.org
Subject: Re: suspicious lpd started
From: Bill <bill07@shaw.ca>
Date: Tue, 11 Feb 2003 14:39:50 -0600
Message-id: <[🔎] 200302111439.50751.bill07@shaw.ca>
In-reply-to: <002a01c2d208$63ae3dd0$0c3922c7@ENTERPRISE.COM>
References: <002a01c2d208$63ae3dd0$0c3922c7@ENTERPRISE.COM>

On February 11, 2003 02:01 pm, Beach, Ken wrote:
> From: Bill [mailto:bill07@shaw.ca]
>
> > I just want to add lpd is not listening on any port according to
> > lsof or netstat
> >
> > On February 11, 2003 11:57 am, bill07@shaw.ca wrote:
> > > Hi,
> > >
> > > 3 days after starting my potato system lpd started to run.
> > > system started Feb 6
> > > ps output:
> > > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> > > root 6833  0.0  1.3  1052  412 ? S    Feb09   0:00
> > > /usr/sbin/lpd root 6836  0.0  1.5  1076  468 ? S    Feb09  
> > > 0:00 /usr/sbin/lpd or
> > > root 6833  0.0 1.3 1052  412 ?  S Feb09   0:00 /usr/sbin/lpd
> > > root 6836  0.0  1.5 1076 468 ?  S Feb09   0:00  \_
> > > /usr/sbin/lpd
> > >
> > >
> > > lpd is not in startup or any cron job.  daemon.log is clean
> > > with no evidence of it starting.  no apparent rootkits,
> > > connections, and last/lastlog is clean.  How can this happen?
> > > Any ideas? I have bind running on port 53 (everything else is
> > > filtered)
> > >
> > > thanks
>
> I'm sure you've already checked it, because you said it's not any
> cron job, but by default lpr is stopped and restarted during log
> rotation. The default debian install puts an ldr in cron.weekly.
>
> Worth a thought anyway...
>
> Cheers,
> Ken

Thank you Ken,
You were right! I overlooked that lpr file.  Sorry for the paranoia.

Reply to:

Prev by Date: Re: suspicious lpd started
Next by Date: VPN e Win32 client info
Previous by thread: Re: suspicious lpd started
Next by thread: VPN e Win32 client info
Index(es):
- Date
- Thread