ANSI sequences appeared on ttyC0. init is running getty there, which exec'd login, which is running login_passwd to perform a login.

Riccardo Giuntoli <tag...@gmail.com> wrote:
> Hi there, I've got a strange process that spawns from init in the environment
> above. No network traffic. Look ahead:
>
> |-+= 51452 root login -p -- \^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7
> | \--- 73422 root passwd -v login=yes -s login -- \^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7 default (login_passwd)
>
> They depend directly on init.
>
> taglio@cyberanarkhia:/sbin$ ls -al init
> -r-xr-xr-x 1 root bin 345348 Nov 25 19:39 init*
> taglio@cyberanarkhia:/sbin$
>
> taglio@cyberanarkhia:/sbin$ md5 init
> MD5 (init) = 0fbb14ece72860443abe2c2ddb2ae96a
> taglio@cyberanarkhia:/sbin$
>
> [ using 1142476 bytes of bsd ELF symbol table ]
> console out [NVDA,Display-B] console in [keyboard], using USB
> using parent NVDA,Parent:: memaddr 98000000, size 8000000 : consaddr 98004000 : ioaddr 91000000, size 1000000: width 1280 linebytes 1536 height 1024 depth 8
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California. All rights reserved.
> Copyright (c) 1995-2020 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
>
> OpenBSD 6.7-stable (GENERIC.MP) #1: Mon Dec 21 08:42:13 CET 2020
> tag...@cyberanarkhia.telecomlobby.net:/sys/arch/macppc/compile/GENERIC.MP
>
> root@cyberanarkhia:/usr/libexec/auth# ls -al
> total 388
> drwxr-x--- 2 root auth 512 Nov 25 19:39 ./
> drwxr-xr-x 6 root wheel 1024 Dec 22 18:54 ../
> -r-xr-sr-x 4 root _token 21900 Nov 25 19:39 login_activ*
> -r-sr-xr-x 1 root auth 9340 Nov 25 19:39 login_chpass*
> -r-xr-sr-x 4 root _token 21900 Nov 25 19:39 login_crypto*
> -r-sr-xr-x 1 root auth 17688 Nov 25 19:39 login_lchpass*
> -r-sr-xr-x 1 root auth 9340 Nov 25 19:39 login_passwd*
> -r-xr-sr-x 1 root _radius 17628 Nov 25 19:39 login_radius*
> -r-xr-xr-x 1 root auth 9340 Nov 25 19:39 login_reject*
> -r-xr-sr-x 1 root auth 13480 Nov 25 19:39 login_skey*
> -r-xr-sr-x 4 root _token 21900 Nov 25 19:39 login_snk*
> -r-xr-sr-x 4 root _token 21900 Nov 25 19:39 login_token*
> -r-xr-sr-x 1 root auth 21628 Nov 25 19:39 login_yubikey*
> root@cyberanarkhia:/usr/libexec/auth#
>
> root@cyberanarkhia:/usr/libexec/auth# md5 login_passwd
> MD5 (login_passwd) = 17ed9f36a170b5614de566f71768e753
> root@cyberanarkhia:/usr/libexec/auth#
>
> root login 39663 text /usr 52236 -r-xr-xr-x r 25824
> root login 39663 wd / 2 drwxr-xr-x r 1024
> root login 39663 0 / 741 crw------- rw ttyC0
> root login 39663 1 / 741 crw------- rw ttyC0
> root login 39663 2 / 741 crw------- rw ttyC0
> root login 39663 3* unix stream 0x325e9a08 <-> 0x325e90a8
> root login_passwd 50752 text /usr 78065 -r-sr-xr-x r 9340
> root login_passwd 50752 wd /home 4595712 drwxr-xr-x r 1536
> root login_passwd 50752 0 / 564 crw--w---- rw ttyp1
> root login_passwd 50752 1 / 564 crw--w---- rw ttyp1
> root login_passwd 50752 2 / 564 crw--w---- rw ttyp1
> root login_passwd 50752 3* unix stream 0x325e9468 <-> 0x325e9968
> root login_passwd 50752 4 / 1090 crw-rw-rw- rwp tty
>
> Any suggestions?
>
> Nice regards,
>
> RG
> --
> Name: Riccardo Giuntoli
> Email: tag...@gmail.com
> Location: sant Pere de Ribes, BCN, Spain
> PGP Key: 0x67123739
> PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
> Key server: hkp://wwwkeys.eu.pgp.net
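
Added example (not part of either message): a Python triage helper for the case the reply describes, where the user-name argument handed to login and login_passwd consists only of terminal escape sequences typed at the console. The function names and the key names in KEY_NAMES are assumptions of this example; the two sample lines are copied from the quoted process tree.

```python
import re

CARET_ESC = r"\^["   # how the thread's process listing renders the ESC byte
CSI_RE = re.compile(r"\x1b\[([0-9;]*)([@-~])")    # complete CSI sequence
TRUNC_RE = re.compile(r"\x1b(\[[0-9;]*)?")        # sequence left incomplete
# Assumed key names for common CSI codes; not taken from the thread.
KEY_NAMES = {"2~": "Insert", "3~": "Delete", "5~": "PageUp",
             "6~": "PageDown", "7~": "Home", "8~": "End"}


def classify_login_arg(arg):
    """Classify a login user-name argument: plain, keystrokes or mixed."""
    raw = arg.replace(CARET_ESC, "\x1b")
    if "\x1b" not in raw:
        return ("plain", [])
    keys, pos = [], 0
    while (m := CSI_RE.match(raw, pos)):
        code = m.group(1) + m.group(2)
        keys.append(KEY_NAMES.get(code, "CSI " + code))
        pos = m.end()
    rest = raw[pos:]
    if rest and not TRUNC_RE.fullmatch(rest):
        return ("mixed", keys)      # escapes plus other text: look closer
    if rest:
        keys.append("(truncated)")  # last sequence is cut off in the listing
    return ("keystrokes", keys)


def triage(ps_line):
    """Return the classification of the argument after ' -- ', or None."""
    m = re.search(r"\s--\s+(\S+)", ps_line)
    return classify_login_arg(m.group(1)) if m else None


# The two process-tree lines quoted in the thread (second one unwrapped).
SAMPLE = [
    r"|-+= 51452 root login -p -- \^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7",
    r"| \--- 73422 root passwd -v login=yes -s login -- "
    r"\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7 default (login_passwd)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

A "keystrokes" verdict means the whole argument decodes to key presses, which matches input typed at a console login prompt; "mixed" means escape bytes sit alongside other text and the process deserves a closer look.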