PS is not showing all processes owned by a user

Ofloo bulk at ofloo.net
Wed May 30 18:38:09 UTC 2007



Chuck Swiger-2 wrote:
> 
> Ofloo wrote:
>> Can someone explain me this !?
>> 
>> spark# ps aux | grep psybnc | grep s00p
>> s00p        8777  0.0  0.3 43096  5716  p1- S    Fri06PM   4:30.25
>> ./psybnc
>> 
>> spark# su s00p
>> -(s00p at spark.ofloo.net)-(19:56:45)
>> -(~/)-> ps aux
>> USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
>> s00p 67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
>> s00p 67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux
> 
> psybnc is an IRC relay agent; unless someone normally runs such things, having
> one of these processes appear but be "invisible" to top or normal invocations
> of ps is a possible indication that the system has been hacked.
> 
> A typical pattern involves a user having their account password sniffed via
> wireless when reading email or whatever, and the attacker gains shell access
> to their email server (assuming it's a Unix system), and runs this.  It
> includes a generic remote filesharing capability and some kind of port
> redirector ala netcat or SSH port forwarding, so the hacked machine can be
> used as a remote control channel to drive other compromised machines...
> 
>> This came after a complaint from the user, who couldn't kill his process,
>> because it wasn't visible in his session, and he didn't su !?
> 
> However, I'm not sure whether the above is relevant, if your user was trying
> to run this IRC agent.  :-)
> 
> -- 
> -Chuck
> 
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
> 
> 

No hacker would want to hide a process from a user; it might want to hide a
process from the root user. Also, if the hacker was able to hide a process from
a user, it would have needed access to the ps binary or the FreeBSD source tree
on that system; having that access, the hacker would have tried other things
and not hidden a bnc from just a user account.

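The thread turns on whether a process can exist while being absent from ps output, which Chuck's reply flags as a possible sign of a compromised host. The check below is an added example, not code from the thread, from psybnc or from FreeBSD: it probes every PID with kill(pid, 0), which delivers no signal but reports ESRCH for a nonexistent process and EPERM for one that exists but belongs to someone else, and diffs that set against the PIDs ps reports. Assumed, not from the page: the PID ceiling of 99999 (FreeBSD's PID_MAX; Linux defaults to 32768 but may be raised), the listing command `ps -ax -o pid=`, and all function names.

```c
/*
 * hidden_pids.c -- added example: cross-check the PIDs the kernel admits
 * exist (via kill(pid, 0)) against the PIDs that ps(1) reports.
 *
 * kill(pid, 0) delivers no signal. Success or EPERM means the kernel knows
 * the PID; ESRCH means no such process. A PID that exists but is missing
 * from ps output deserves a closer look, or it is simply a process that
 * exited between the two scans, so rerun before drawing conclusions.
 *
 * Assumptions, not from the thread: MAXPID of 99999 (FreeBSD's PID_MAX;
 * Linux defaults to 32768 but can be higher) and "ps -ax -o pid=" as the
 * listing command.
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAXPID 99999

/* 1 if the kernel reports pid as existing (even if we may not signal it),
 * 0 on ESRCH or an invalid pid. */
int pid_exists(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM ? 1 : 0;
}

/* Fill live[1..maxpid] with pid_exists() results; returns how many exist. */
size_t scan_kernel(unsigned char *live, size_t maxpid)
{
    size_t n = 0;
    for (size_t pid = 1; pid <= maxpid; pid++) {
        live[pid] = (unsigned char)pid_exists((pid_t)pid);
        n += live[pid];
    }
    return n;
}

/* Parse ps output (one PID per line; a header or stray text is skipped)
 * into seen[]. May be called repeatedly on successive chunks. Returns the
 * number of PIDs newly marked. */
size_t parse_ps_pids(const char *text, unsigned char *seen, size_t maxpid)
{
    size_t n = 0;
    const char *p = text;
    while (*p != '\0') {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p) {          /* no number here: skip one character */
            p++;
            continue;
        }
        if (v > 0 && (size_t)v <= maxpid && !seen[v]) {
            seen[v] = 1;
            n++;
        }
        p = end;
    }
    return n;
}

/* PIDs present in live[] but absent from seen[]. Stores up to cap of them
 * in out[]; returns the total count, which may exceed cap. */
size_t find_hidden(const unsigned char *live, const unsigned char *seen,
                   size_t maxpid, pid_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t pid = 1; pid <= maxpid; pid++) {
        if (live[pid] && !seen[pid]) {
            if (n < cap)
                out[n] = (pid_t)pid;
            n++;
        }
    }
    return n;
}

int main(void)
{
    static unsigned char live[MAXPID + 1], seen[MAXPID + 1];
    char line[128];
    pid_t hidden[64];

    size_t nlive = scan_kernel(live, MAXPID);

    FILE *ps = popen("ps -ax -o pid=", "r");
    if (ps == NULL) {
        perror("popen");
        return 1;
    }
    size_t nseen = 0;
    while (fgets(line, sizeof line, ps) != NULL)
        nseen += parse_ps_pids(line, seen, MAXPID);
    pclose(ps);

    size_t nhidden = find_hidden(live, seen, MAXPID, hidden, 64);
    printf("kernel: %zu pids, ps: %zu pids, in kernel but not in ps: %zu\n",
           nlive, nseen, nhidden);
    for (size_t i = 0; i < nhidden && i < 64; i++)
        printf("  pid %ld\n", (long)hidden[i]);
    return nhidden ? 2 : 0;
}
```

Run it as root: on FreeBSD the security.bsd.see_other_uids policy hides other users' processes from kill() as well as from ps, so an unprivileged run can only audit its own account. Anything reported is a candidate, not a verdict; a short-lived process that exits between the kernel scan and the ps run shows up the same way, and a kernel-level rootkit that hooks both lookup paths will not show up at all. For the user in the thread the interesting case is the reverse of the usual one: the same account sees the process from root's su but not from its own login, so the two scans would be run from each session and compared.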