05-14-2002
1,626,
15
Join Date: Jul 2001
Last Activity: 16 June 2011, 4:50 PM EDT
Location: Portland, OR, USA
Posts: 1,626
Thanks Given: 2
Thanked 15 Times in 13 Posts
I've never seen that before...
I did wonder if an intruder used a crappy script that tried to execute something that wasn't there (perl, ksh, python, etc).
Check all user's crontabs, look for new users in your passwd file (also check the shadow file for system accounts that all of the sudden have passwords).
Does it happen at any given time? Are you running any services (ftp, telnet, ssh, etc)?
Can you find anything in /var/log/* ?
Right after it happens, do an "ls -ltr /var/log/messages" to see if (or which) logs were written to.
And does it happen at the console when you're logged in, when the login banner is up, or both?