
Unwanted processes belongs to UID 59999

 
Bambang Lestari
Occasional Contributor

Unwanted processes belongs to UID 59999

Hi All,

Recently in our development servers, HPUX 11i, there has been something fishy going on. There are a few times when I saw multiple duplicated processes (java processes) running under the userid 59999. Any idea who this user is? And how to get rid of this UID?

FYI, there is no such UID in our server setting/configuration.

Best Regards,
Bambang
Wodisch
Honored Contributor

Re: Unwanted processes belongs to UID 59999

Hello Bambang,

try a "find" on that user-id:

find / -user 59999 -exec ls -abdl {} ";"

Could be there are SUID codefiles owned by that user-id!

HTH,
Wodisch
Steven Sim Kok Leong
Honored Contributor

Re: Unwanted processes belongs to UID 59999

Hi,

Execute:

# grep 59999 /etc/passwd

A number of third-party software packages use 59999 as the UID of their application logon.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Bambang Lestari
Occasional Contributor

Re: Unwanted processes belongs to UID 59999

Hi Wodisch,

I tried the command as suggested, but found nothing. No such files.

Thanks,
Bambang
Steven Sim Kok Leong
Honored Contributor

Re: Unwanted processes belongs to UID 59999

Hi,

Try executing:

# find / -uid 59999 -exec ll {} \;

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Darrell Allen
Honored Contributor

Re: Unwanted processes belongs to UID 59999

Hi Bambang,

The following little C code shows how a program can change uid to one that isn't even on the system.

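#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

int main(void)
{
    char *proc = "/usr/bin/id";

    /* A privileged process may switch to any numeric UID; no passwd entry is needed */
    setuid(59999);
    /* Run id(1) so the resulting UID is printed */
    system(&proc[0]);
    return 0;
} /* end of program */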


If root runs the program (or suid bit is on the executable) the process will change uid to 59999 even if that doesn't exist on the system. The program doesn't have to be owned by 59999 so find would not help. And if you don't have the source code for it, neither grep nor strings will help.

I'm sorry, but I'm not proficient enough in programming to help further. Hopefully someone else will take it from here.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Mark Greene_1
Honored Contributor

Re: Unwanted processes belongs to UID 59999

periodically run this:

UNIX95= ps -efH

and you'll be able to see the parent process(es).

--
mark
the future will be a lot like now, only later
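
The replies from Darrell Allen and Mark Greene_1 combine into one check: list every process whose UID has no passwd entry, then walk its parent chain to see which account launched it. The following is an added example, not code from any poster in this thread; the function names, the `ps -o` column list and the sample passwd and process lines are assumptions constructed for illustration.

```shell
# Added example, not from the thread. Input and paths in the demo are constructed.
# orphan_uid_procs PASSWD_FILE PS_FILE
# PS_FILE lines are "uid pid ppid command...", e.g. saved on HP-UX with
#   UNIX95= ps -e -o uid,pid,ppid,args   (assumed column names; check ps(1))
orphan_uid_procs() {
    awk '
    FNR == NR {                       # first file: passwd, map uid -> login name
        split($0, f, ":"); if (f[3] != "") known[f[3]] = f[1]; next
    }
    $1 !~ /^[0-9]+$/ { next }         # skip the ps header line
    {
        uid[$2] = $1; ppid[$2] = $3; order[++n] = $2
        cmd[$2] = $4; for (i = 5; i <= NF; i++) cmd[$2] = cmd[$2] " " $i
    }
    END {
        for (k = 1; k <= n; k++) {
            p = order[k]
            if (uid[p] in known) continue
            printf "pid=%s uid=%s cmd=%s\n", p, uid[p], cmd[p]
            # Climb the parent chain; cap the walk in case of odd ps output
            hops = 0
            for (a = ppid[p]; (a in uid) && hops < 64; a = ppid[a]) {
                hops++
                who = (uid[a] in known) ? known[uid[a]] : "UNKNOWN"
                printf "  parent pid=%s uid=%s(%s) cmd=%s\n", a, uid[a], who, cmd[a]
                if (a == ppid[a]) break
            }
        }
    }' "$1" "$2"
}

# Demo on constructed data: a root-owned launcher whose child runs as UID 59999
orphan_uid_demo() {
    d=${TMPDIR:-/tmp}/orphan_uid.$$
    mkdir "$d" || return 1
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' \
        'appadm:*:105:20::/home/appadm:/usr/bin/sh' > "$d/passwd"
    printf '%s\n' 'UID PID PPID COMMAND' \
        '0 1 0 init' \
        '0 2210 1 /opt/app/bin/launcher -d' \
        '59999 2301 2210 java -server Worker' \
        '105 2400 1 -sh' > "$d/ps"
    orphan_uid_procs "$d/passwd" "$d/ps"
    rm -rf "$d"
}
```

A parent line showing uid 0, or a setuid executable as the parent's command, points to the program that made the UID switch.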