Process List & Security??
Garrett Cooper
youshi10 at u.washington.edu
Wed Jan 10 13:22:25 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VeeJay wrote:
> Hi
>
> Can some good one at security side look into these running process? And see
> if there is a Process some is dangerous/ security breach which a Bad User
> has put? Thanks
>
> $ ps xa
> PID TT STAT TIME COMMAND
> 0 ?? WLs 0:00.00 [swapper]
> 1 ?? ILs 0:00.00 /sbin/init --
> 2 ?? DL 0:02.90 [g_event]
> 3 ?? DL 0:02.87 [g_up]
> 4 ?? DL 0:03.04 [g_down]
> 5 ?? DL 0:00.00 [thread taskq]
> 6 ?? DL 0:00.00 [acpi_task_0]
> 7 ?? DL 0:00.00 [acpi_task_1]
> 8 ?? DL 0:00.00 [acpi_task_2]
> 9 ?? DL 0:00.00 [kqueue taskq]
> 10 ?? RL 2775:10.56 [idle]
> 11 ?? WL 0:59.34 [swi4: clock sio]
> 12 ?? WL 0:00.00 [swi3: vm]
> 13 ?? WL 0:00.10 [swi1: net]
> 14 ?? DL 0:02.65 [yarrow]
> 15 ?? WL 0:00.00 [swi5: +]
> 16 ?? WL 0:00.00 [swi2: cambio]
> 17 ?? WL 0:00.00 [swi6: task queue]
> 18 ?? WL 0:00.00 [swi6: Giant taskq]
> 19 ?? WL 0:00.00 [irq9: acpi0]
> 20 ?? WL 0:00.22 [irq16: bce0 em0+]
> 21 ?? WL 0:00.32 [irq78: mfi0]
> 22 ?? WL 0:00.00 [irq17: em1]
> 23 ?? WL 0:00.00 [irq21: uhci0 uhci+]
> 24 ?? DL 0:00.01 [usb0]
> 25 ?? DL 0:00.00 [usbtask]
> 26 ?? WL 0:00.00 [irq20: uhci1]
> 27 ?? DL 0:00.01 [usb1]
> 28 ?? DL 0:00.01 [usb2]
> 29 ?? DL 0:00.01 [usb3]
> 30 ?? WL 0:00.00 [irq14: ata0]
> 31 ?? WL 0:00.00 [irq15: ata1]
> 32 ?? WL 0:00.00 [swi0: sio]
> 33 ?? WL 0:00.00 [irq1: atkbd0]
> 34 ?? DL 0:00.07 [pagedaemon]
> 35 ?? DL 0:00.00 [vmdaemon]
> 36 ?? DL 0:01.11 [pagezero]
> 37 ?? DL 0:00.30 [bufdaemon]
> 38 ?? DL 0:59.50 [syncer]
> 39 ?? DL 0:00.29 [vnlru]
> 40 ?? DL 0:00.43 [softdepflush]
> 41 ?? DL 0:01.41 [schedcpu]
> 151 ?? Is 0:00.00 adjkerntz -i
> 644 ?? Is 0:00.00 /sbin/devd
> 688 ?? Ss 0:00.14 /usr/sbin/syslogd -s
> 761 ?? Ss 0:00.09 /usr/sbin/usbd
> 809 ?? Is 0:00.06 /usr/sbin/sshd
> 815 ?? Ss 0:00.90 sendmail: accepting connections (sendmail)
> 819 ?? Is 0:00.02 sendmail: Queue runner at 00:30:00 for
> /var/spool/clientmqueue (sendmail)
> 825 ?? Is 0:00.22 /usr/sbin/cron -s
> 1007 ?? Ss 0:01.10 /usr/local/apache/bin/httpd
> 1008 ?? I 0:00.00 /usr/local/apache/bin/httpd
> 1009 ?? I 0:00.00 /usr/local/apache/bin/httpd
> 1010 ?? I 0:00.00 /usr/local/apache/bin/httpd
> 1011 ?? I 0:00.00 /usr/local/apache/bin/httpd
> 1012 ?? I 0:00.00 /usr/local/apache/bin/httpd
> 1037 ?? I 0:00.00 /usr/local/apache/bin/httpd
> 7862 ?? Is 0:00.01 sshd: digill7b [priv] (sshd)
> 7866 ?? S 0:00.01 sshd: digill7b at ttyp0 (sshd)
> 866 v0 Is+ 0:00.00 /usr/libexec/getty Pc ttyv0
> 867 v1 Is+ 0:00.00 /usr/libexec/getty Pc ttyv1
> 868 v2 Is+ 0:00.00 /usr/libexec/getty Pc ttyv2
> 869 v3 Is+ 0:00.00 /usr/libexec/getty Pc ttyv3
> 870 v4 Is+ 0:00.00 /usr/libexec/getty Pc ttyv4
> 871 v5 Is+ 0:00.00 /usr/libexec/getty Pc ttyv5
> 872 v6 Is+ 0:00.00 /usr/libexec/getty Pc ttyv6
> 873 v7 Is+ 0:00.00 /usr/libexec/getty Pc ttyv7
> 7867 p0 Ss 0:00.00 -sh (sh)
> 7928 p0 R+ 0:00.00 ps xa
> 1015 p2- I 0:00.00 /bin/sh /usr/local/mysql/bin/mysqld_safe
> 1033 p2- S 0:11.97 /usr/local/mysql/libexec/mysqld
> --basedir=/usr/local/mysql --datadir=/var/db/mysql --user=mysql
> --pid-file=/var/db/mysql/localhost.maanjee.pid --port=33
Nothing out of the ordinary. Just make sure you have sendmail setup
properly so people can't send mail from the box without authentication
and effectively spam hordes of people. See saslauth about that in the
handbook.
- -Garrett
PS We (the list subscribers) aren't your sysadmins, and you should know
what these processes are if you're administering the box :)... manpages
reveal what you need to know about each process and Google searches
_may_ reveal further information..
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.1 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFpOiPEnKyINQw/HARAlzwAJ4jmga5IPQ3NqjfGQlG9LHk9Aor/gCgpFBJ
iGaBODnu6KBcXDhZp96H2Bw=
=5Mgs
-----END PGP SIGNATURE-----
More information about the freebsd-questions
mailing list