Who is user nobody????



A. Jorge Garcia
08-18-2005, 11:58 PM
Recently I noticed my hdd running wild when I wasn't really doing anything drive intensive. So I fired up top in a shell and found a user called "nobody" running "find." Who the heck is that? What the heck are we finding??

I'm running knoppix-installered to hdd and created no such user. Have I been hacked??? I panicked, opened a root shell, killed that process and userdeled nobody. Was that a good thing, or did I overreact? I never noticed user nobody in top before....

BTW, if I was hacked, did I do the right thing? My PC was running really slowly before I removed that process and user. Is there anything else I should do in this instance or to protect my PC against future attacks?

TIA,
AJG

UnderScore
08-19-2005, 02:43 AM
"Securing Debian HOWTO Chapter 8 Frequently asked Questions" http://www.linuxsecurity.com/resource_files/host_security/securing-debian-howto/ch8.en.html
nobody, nogroup: Daemons that need not own any files run as user nobody and group nogroup. Thus, no files on a system should be owned by this user or group.

Based on my general knowledge & backed by google searches (http://www.google.com/search?q=%2Fetc%2Fpasswd+nobody), the nobody user is only used for services/daemons that do not need to interact with files.

It is certainly possible that your computer has been compromised. You may want to take a Knoppix CD and use chkrootkit to see if there has been a break-in.

Dave_Bechtel
08-19-2005, 08:27 PM
--You overreacted. :? But I understand why, as you thought your system was being attacked.

--In this case, ' ps ax ' would have helped more than top. Cron runs "updatedb" which runs "find" as user nobody. You really should add nobody back in, as it is the default non-privileged user for daemons and such. (If you have a backup of /etc/passwd and /etc/shadow, you should restore them.)

From /etc/passwd:

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

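The two replies above make the same practical point: before killing a process that runs as nobody, look at what launched it (cron -> updatedb -> find is benign) and check whether the account actually owns any files (per the Debian HOWTO it should own none). The script below is an added example written for this thread, not code posted by anyone in it; it assumes a Linux /proc filesystem and a local /etc/passwd, and it reads the process tree directly instead of relying on ps output formats.

```shell
#!/bin/sh
# Added example (not from the thread): confirm what launched a process that
# runs as "nobody" by walking its parent chain through /proc, and list any
# files the nobody account owns. Assumes Linux /proc and /etc/passwd.

# Map a numeric uid to its login name via /etc/passwd; falls back to the uid.
uid_to_name() {
    name=$(awk -F: -v u="$1" '$3 == u {print $1; exit}' /etc/passwd)
    printf '%s\n' "${name:-$1}"
}

# Map a login name to its numeric uid; prints nothing if the user is absent.
name_to_uid() {
    awk -F: -v n="$1" '$1 == n {print $3; exit}' /etc/passwd
}

# Print "pid user command" for a pid and every ancestor up to PID 1.
# For the case in the thread this shows find <- updatedb <- cron, which is
# the expected chain; an unexpected parent (a shell, a network daemon) is
# what would justify further investigation.
ancestry() {
    pid=$1
    while [ -r "/proc/$pid/status" ]; do
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
        comm=$(awk '/^Name:/ {print $2}' "/proc/$pid/status")
        printf '%s %s %s\n' "$pid" "$(uid_to_name "$uid")" "$comm"
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        [ "$ppid" -gt 0 ] 2>/dev/null || break
        pid=$ppid
    done
}

# For every process running as "nobody", print its ancestry, separated by
# a blank line. Scans /proc so it works even where ps lacks -u/-p options.
nobody_processes() {
    nobody_uid=$(name_to_uid nobody)
    [ -n "$nobody_uid" ] || { echo "no user 'nobody' in /etc/passwd" >&2; return 1; }
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/status" ] || continue
        uid=$(awk '/^Uid:/ {print $2}' "$d/status")
        if [ "$uid" = "$nobody_uid" ]; then
            ancestry "$pid"
            echo
        fi
    done
}

# Files owned by nobody on local filesystems. The Debian HOWTO quoted above
# says there should be none, so any output here deserves a look.
files_owned_by_nobody() {
    find / -xdev -user nobody -print 2>/dev/null
}

# Stand-alone usage: show the nobody processes, then any files it owns.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    nobody_processes
    files_owned_by_nobody
fi
```

Run it as root (or with read access to /proc) while the disk is busy; the ancestry lines are what the thread's advice to use ps ax would have revealed, with the parent of each step spelled out rather than inferred from the ps listing.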

A. Jorge Garcia
08-19-2005, 09:35 PM
Oh, OK, I just never saw this happen before! Thanx for the info. BTW, chkrootkit shows no problems.

Thanx,
AJG