kasia in a nutshell

ooooo.... that's spooky, isn't it?

What kernel are you running? And what was the last reboot before the one that fixed this?

odd

When I get weirdness like that, I say to heck with "ps" and I just go digging around in /proc . Depending on your distribution, "ps" itself might just go digging around in /proc as well. If that's the case, it could be a variety of things:

1) /proc needs the equivalent of an fsck (which sounds odd, but when you remember that it is just another filesystem with inodes and the like, it isn't so odd), which a reboot does

2) you've got some weird caching/race-condition going on when reading from /proc such that only part of the date got written to the region of memory that that "file" under /proc corresponded to as all of it was being read.

3) you've got some old kernel module around in memory that thinks the process time structure is slightly different than what it is - if the reboot rebuilt your module list you may not be able to ever repeat this

4) possible, but unlikely - a memory based hack/worm that sets up a separate process and hacks the part of the kernel that lists the processes so that it won't be listed exhibits the same problem as in (3).

#4 is highly unlikely as all such things that I've come across (usually due to script kiddies) don't hack the kernel but instead replace the "ps" executable, which leaves /proc intact (hence why I always go digging there if something doesn't make sense).

Whatever it was, if you ever find out, be sure to let us know.

root 1413 1387 0 17:26 pts/2 00:00:00 ps -ef
root 1414 1387 0 17:26 pts/2 00:00:00 grep ps
[root@localhost kevin]#

hay me 2...... ehh?..... (rh8.0)

Kevin, the problem is the process date.. yours look fine, mine apparently thinks I ran the ps back on March 20th :)

Aie, me feel better now. Twas herding Java applets all week. First for me.