Date: Fri May 29 1992 - 21:57:32 CDT

SUMMARY Re: Odd login process - Round 2

My mail box overfloweth!! I tried to send out a quick summary note
this morning to stem the tide of responses, but they flow in at an
astounding rate even still. As Carl Sagan might say - "billyuns and
billyuns" of responses (at last count I had over 50) have all flagged
the same culprit - a noisy tty line with an unterminated cable
attached and getty enabled.

My original posting included:

>I have a process that is driving me crazy since I can't seem to find
>anything out about it. Using ps auxw I get the following:
>root 27208 0.0 1.9 36 284 a S < 07:54 0:00 login -p mk}owo{o?oowmo;?
>This process will stick around for about 30 seconds or so and then
>disappears and another copy will show up with a new pid. I have tried
>killing it as root, but another copy just shows right back up.

As I mentioned in the earlier response and to at least the first 30 or
so folks who responded, I had been using an old vt52 terminal as a
console on ttya and had switched back to the Sun monitor/keyboard. I
had not disconnected the terminal line or disabled the entry in
/etc/ttytab. The cable in question ran across a room taped into a
bundle of wires including a 30 amp power cord and several other
net/async communications cables. I disconnected the ttya plug,
disabled the /etc/ttytab entry, and did a "kill -1 1" and the problem
process was gone once and for all.

I am amazed at how many folks had experience with seeing the
process(es) - most respondents had seen it one way or another.

I must admit that being paranoid and thinking that it might be some
sort of "cracker" effort did make me tighten up security on my
machines - I had ignored such a threat in the past. I do feel a lot
more comfortable now :-)

Many thanks to everyone who answered my questions (far too many to
list!). I learned a lot about monitoring my machines from the

Al Lichty
Department of Anthropology
University of Utah
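
An added example, not part of the original post: a Python check for the symptom described above, a `login -p` process on one tty line that keeps reappearing under a new pid with line noise in place of a user name. The snapshots are constructed (only the first ps line is the one quoted in the post), and the function names and the set of characters allowed in account names are assumptions.

```python
import re
import string

# Columns as in the ps auxw line quoted in the post:
# USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND
PS_LOGIN = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\d+\s+\d+\s+(?P<tt>\S+)\s+"
    r".*?\blogin -p (?P<name>.*)$"
)
# Assumption: real account names use only these characters.
NAME_CHARS = set(string.ascii_letters + string.digits + "._-")

def looks_like_noise(name):
    """True when the name handed to login has characters no account name would."""
    return any(c not in NAME_CHARS for c in name)

def parse_logins(snapshot):
    """Return (tt, pid, name) for every 'login -p' process in one ps snapshot."""
    found = []
    for line in snapshot.splitlines():
        m = PS_LOGIN.match(line.strip())
        if m:
            found.append((m.group("tt"), int(m.group("pid")), m.group("name")))
    return found

def noisy_lines(snapshots, min_pids=2):
    """TT values where login shows up under several pids with garbage names."""
    pids_by_tt = {}
    for snap in snapshots:
        for tt, pid, name in parse_logins(snap):
            if looks_like_noise(name):
                pids_by_tt.setdefault(tt, set()).add(pid)
    return sorted(tt for tt, pids in pids_by_tt.items() if len(pids) >= min_pids)

# Constructed snapshots taken about 30 s apart; only the first line is from the post.
SNAPSHOTS = [
    "root 27208 0.0 1.9 36 284 a S < 07:54 0:00 login -p mk}owo{o?oowmo;?\n"
    "root   142 0.0 0.5 40 120 ? S May 28 0:03 cron",
    "root 27231 0.0 1.9 36 284 a S < 07:55 0:00 login -p w{o?~m;oo}k\n"
    "root 27240 0.0 1.9 36 284 b S 07:55 0:00 login -p alice",
    "root 27260 0.0 1.9 36 284 a S < 07:55 0:00 login -p ?oo{wm\n"
    "root 27240 0.0 1.9 36 284 b S 07:55 0:00 login -p alice",
]

if __name__ == "__main__":
    for tt in noisy_lines(SNAPSHOTS):  # TT "a" is ttya in the post's ps output
        print(f"tty{tt}: login respawning with garbage names; "
              "check the cable and the /etc/ttytab entry")
```

A single snapshot is not enough to flag a line: the check needs the same TT to show at least two different pids, which is the respawn pattern the post describes.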

