Who is user nobody????
A. Jorge Garcia
08-18-2005, 11:58 PM
Recently I noticed my hdd running wild when I wasn't really doing anything drive intensive. So I fired up top in a shell and found a user called "nobody" running "find." Who the heck is that? What the heck are we finding??
I'm running knoppix-installered to hdd and created no such user. Have I been hacked??? I panicked, opening a root shell, killed that process and userdeled nobody. Was that a good thing, or did I overreact? I never noticed user nobody in top before....
BTW, if I was hacked, did I do the right thing? My PC was running really slowly before I removed that process and user. Is there anything else I should do in this instance or to protect my PC against future attacks?
TIA,
AJG
UnderScore
08-19-2005, 02:43 AM
"Securing Debian HOWTO Chapter 8 Frequently asked Questions" http://www.linuxsecurity.com/resource_files/host_security/securing-debian-howto/ch8.en.html
nobody, nogroup: Daemons that need not own any files run as user nobody and group nogroup. Thus, no files on a system should be owned by this user or group.
Based on my general knowledge & backed by google searches (http://www.google.com/search?q=%2Fetc%2Fpasswd+nobody), the nobody user is only used for services/daemons that do not need to interact with files.
It is certainly possible that your computer has been compromised. You may want to take a Knoppix CD and use chkrootkit to see if there has been a break-in.
Dave_Bechtel
08-19-2005, 08:27 PM
--You overreacted. :? But I understand why, as you thought your system was being attacked.
--In this case, ' ps ax ' would have helped more than top. Cron runs "updatedb" which runs "find" as user nobody. You really should add nobody back in, as it is the default non-privileged user for daemons and such. (If you have a backup of /etc/passwd and /etc/shadow, you should restore them.)
From /etc/passwd:
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
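Added example, not part of any post in this thread: a shell helper that walks a process's parent chain from `ps -eo pid,ppid,user,comm` output, so a "find" running as nobody can be traced back to cron and updatedb before anything is killed. The function names and the sample process table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,user,comm` output (not taken from the thread).
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     init
  412     1 root     cron
 2290   412 root     cron
 2291  2290 root     sh
 2300  2291 root     updatedb
 2305  2300 nobody   find
 3100     1 nobody   find'

# ancestry PID [SNAPSHOT]
# Print the chain "comm(user) <- parent(user) <- ..." for PID.
# Without SNAPSHOT the live process table is read.
ancestry() {
    pid=$1
    snapshot=${2:-$(ps -eo pid,ppid,user,comm)}
    printf '%s\n' "$snapshot" | awk -v start="$pid" '
        NR > 1 { ppid[$1] = $2; user[$1] = $3; comm[$1] = $4 }
        END {
            p = start; out = ""
            # Stop at the top of the tree; the counter guards against loops.
            while ((p in ppid) && n++ < 64) {
                out = out (out == "" ? "" : " <- ") comm[p] "(" user[p] ")"
                p = ppid[p]
            }
            print out
        }'
}

# started_by_cron PID [SNAPSHOT]
# Succeed only if cron (or crond) appears somewhere in the chain.
started_by_cron() {
    ancestry "$@" | grep -Eq '(^| <- )crond?\('
}

# Walk the sample: PID 2305 descends from cron, PID 3100 does not.
ancestry 2305 "$SAMPLE_PS"
ancestry 3100 "$SAMPLE_PS"
```

A find whose chain does not lead back to cron, like PID 3100 in the sample, is the one worth a closer look.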
A. Jorge Garcia
08-19-2005, 09:35 PM
Oh, OK, I just never saw this happen before! Thanx for the info. BTW, chkrootkit shows no problems.
Thanx,
AJG