
finding users
Senior User
Join Date: Apr 2001
Location: Palo Alto, CA
Mar 3, 2004, 02:37 AM
 
Is there a simple way in the terminal to determine all the users on a particular machine and the level of access they might have?

We're worried that someone has installed himself as a root user on one of our machines in a way that doesn't show up in the accounts control panel.

Also suspicious: when left idle, the machines' HDs will often spin up, and if you run top in the terminal you see that a find process is running.

Disconnect from the internet and the machine stops its activity.
     
Mac Elite
Join Date: May 2001
Mar 3, 2004, 06:32 AM
 
The command you're looking for is called who. It will show all users currently in the system (root users are shown as 'root'). A good hacker would of course replace the 'who' on your machine with one that wouldn't show any unwanted intruders, so you might want to check (by comparing with a known good one) if yours is unaltered and still in /usr/bin.

You might also want to start the NetInfo Manager and have a look at the users entries.

And it's a good time for a password change for everyone (but you knew that).

     
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
Mar 3, 2004, 07:23 AM
 
Originally posted by barbarian:
> Disconnect from the internet and the machine stops its activity.

Your computer can be checking for Software Updates or it could be synching the time to a time server. You might consider installing a program called Little Snitch, to see what process is trying to call home or whatever.
You didn't mention the type of internet connection you have. If you are on broadband, and do not have a router/switch, I would suggest you get one for an additional layer of protection that NAT will provide from hackers. Of course, if a trojan or rogue program is already installed, it won't help.
You can also run netstat from terminal to see any active connections you have to the internet.
     
Senior User
Join Date: Apr 2001
Location: Palo Alto, CA
Mar 3, 2004, 12:19 PM
 
> Your computer can be checking for Software Updates or it could be synching the time to a time server.

But why would it be running a "find" command on our external hard disk when nothing else is running?
     
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Mar 3, 2004, 02:09 PM
 
Originally posted by barbarian:
> > Your computer can be checking for Software Updates or it could be synching the time to a time server.
>
> But why would it be running a "find" command on our external hard disk when nothing else is running?

It wouldn't.

What user is find running as? Look for its parent process ID.
If you want to see what users there are on the system in the local netinfo database, "nidump passwd ." at a terminal. It's normal for there to be plenty of other users in there that you don't see in the Accounts preference pane.
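
An added example, not part of any post in this thread: a filter for passwd-format text such as the `nidump passwd .` output mentioned above, which separates the expected system accounts from the ones worth a second look (any non-root entry with UID 0, and any account with a real login shell). The function names and the sample entries are constructed for illustration, and the 10-field BSD layout of the dump is an assumption; the filter only relies on field 3 being the UID and the last field being the shell.

```shell
#!/bin/sh
# Flag accounts in passwd-format text (such as the output of "nidump passwd .").
# Field 3 is the UID and the last field is the login shell in both the
# 7-field passwd layout and the 10-field BSD master.passwd layout.
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }                 # skip comments and malformed lines
        {
            name = $1; uid = $3; shell = $NF
            # Any UID 0 entry has root privileges, whatever it is called.
            if (uid == 0 && name != "root")
                printf "UID0   %s (uid=%s shell=%s)\n", name, uid, shell
            # Accounts with a real shell can log in interactively.
            else if (shell != "" && shell !~ /(false|nologin|null)$/)
                printf "LOGIN  %s (uid=%s shell=%s)\n", name, uid, shell
        }'
}

# Constructed sample in the 10-field layout; "alice" and "maint" are made-up entries.
sample_passwd() {
    cat <<'EOF'
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/dev/null
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
alice:********:501:20::0:0:Alice Example:/Users/alice:/bin/bash
maint:********:0:0::0:0:Maintenance:/var/maint:/bin/sh
EOF
}

# On a live system, pipe the real dump in instead: nidump passwd . | audit_passwd
sample_passwd | audit_passwd
```

Service accounts whose shell is /dev/null produce no output, so every line that is printed is an account someone should be able to name and justify.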
     
JNI
Forum Regular
Join Date: Oct 2002
Location: Left Coast
Mar 4, 2004, 01:37 AM
 
Originally posted by barbarian:
> > Your computer can be checking for Software Updates or it could be synching the time to a time server.
>
> But why would it be running a "find" command on our external hard disk when nothing else is running?

There are cron jobs that run daily/weekly/monthly that might be kicking in. E.g. in the daily script (see /etc/daily) there is one that runs find looking to clean up web server files. There's another one that runs find looking for scratch and temp files. And another one that cleans up 'NFS turds' (that's actually what it says in the comments!)

In the weekly cron job there's one that updates the locate db and that can do tons of disk activity. I've noticed that one every once in a while when doing some late night programming.

You could check the console and system log files. Most of the cron jobs log what and when they are doing stuff. You can also see whenever anyone logs in as root.
     
   