PS is not showing all processes owned by a user
Tom Marchand
m0rchand at comcast.net
Wed May 30 18:08:16 UTC 2007
These:
> > s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
> > s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
do not fit the criteria of the grep commands:
> > spark# ps aux | grep psybnc | grep s00p
which will only list entries containing psybnc and s00p, in that order.
-------------- Original message ----------------------
From: Chuck Swiger <cswiger at mac.com>
> Ofloo wrote:
> > Can someone explain this to me!?
> >
> > spark# ps aux | grep psybnc | grep s00p
> > s00p 8777 0.0 0.3 43096 5716 p1- S Fri06PM 4:30.25 ./psybnc
> >
> > spark# su s00p
> > -(s00p at spark.ofloo.net)-(19:56:45)
> > -(~/)-> ps aux
> > USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> > s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
> > s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
>
> psybnc is an IRC relay agent; unless someone normally runs such things, having
> one of these processes appear but be "invisible" to top or normal invocations
> of ps is a possible indication that the system has been hacked.
>
> A typical pattern involves a user having their account password sniffed via
> wireless when reading email or whatever, and the attacker gains shell access
> to their email server (assuming it's a Unix system), and runs this. It
> includes a generic remote filesharing capability and some kind of port
> redirector a la netcat or SSH port forwarding, so the hacked machine can be
> used as a remote control channel to drive other compromised machines...
>
> > This came after a complaint from the user, who couldn't kill his process,
> > because it wasn't visible in his session, and he didn't su!?
>
> However, I'm not sure whether the above is relevant, if your user was trying
> to run this IRC agent. :-)
>
> --
> -Chuck
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
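The "invisible to top or normal invocations of ps" symptom Chuck describes is worth checking directly rather than inferring it from a grep pipeline whose filters may simply not match. The script below is an added example written for this page; it is not code from the thread or from FreeBSD. It compares the PIDs that ps reports with the PIDs that answer a kill -0 probe of the whole PID range: a process that answers the probe but is missing from ps is the signature a userland rootkit (a trojaned ps or libkvm) produces. The function names, the 99999 ceiling (FreeBSD's default PID_MAX) and the PID lists fed to demo are my own constructions; the sample PIDs are borrowed from the thread purely as illustration, not as a claim that 8777 was hidden.

```shell
#!/bin/sh
# Added example, not part of the original thread: find processes that respond
# to a signal-0 probe but are absent from the process list ps prints.

# hidden_pids PS_PIDS PROBED_PIDS
# Both arguments are whitespace-separated PID lists. Prints the PIDs that occur
# in PROBED_PIDS but not in PS_PIDS, one per line, numerically sorted.
# Implemented with awk so it stays POSIX sh (no bash process substitution).
hidden_pids() {
    {
        for p in $1; do printf 'ps %s\n' "$p"; done
        for p in $2; do printf 'probe %s\n' "$p"; done
    } | awk '$1 == "ps" { seen[$2] = 1 }
             $1 == "probe" && !($2 in seen) { print $2 }' | sort -n | uniq
}

# PIDs as reported by ps for every user, with and without a controlling tty.
# -A is accepted by both FreeBSD ps and procps; `ps ax` is the BSD spelling.
ps_pids() {
    ps -A -o pid= | tr -d ' '
}

# PIDs that answer kill -0. The probe must run as root: for another user's
# process kill -0 fails with EPERM, which is indistinguishable here from ESRCH.
# The default ceiling is FreeBSD's PID_MAX (99999); pass a different one if
# kern.pid_max has been raised.
probe_pids() {
    max=${1:-99999}
    pid=1
    while [ "$pid" -le "$max" ]; do
        if kill -0 "$pid" 2>/dev/null; then
            printf '%s\n' "$pid"
        fi
        pid=$((pid + 1))
    done
}

# Worked run on constructed input reusing the thread's PIDs: the user's own
# ps listing showed 67431 and 67438, while a probe that also turned up 8777
# would flag 8777 as the one ps did not report.
demo() {
    hidden_pids "67431 67438" "8777 67431 67438"
}

# Live check (root required): sh hidden_ps.sh --live
# Two ps snapshots bracket the probe so that processes which started or exited
# during the scan are not reported as hidden.
if [ "${1:-}" = "--live" ]; then
    before=$(ps_pids)
    probed=$(probe_pids)
    after=$(ps_pids)
    hidden_pids "$before $after" "$probed"
fi
```

Run it as root, since an unprivileged probe cannot tell "no such process" from "not yours"; on a FreeBSD host with security.bsd.see_other_uids=0 an unprivileged user's ps is legitimately short, which is not the same thing as a hidden process. Any PID the live run prints deserves a second look with procstat or by comparing against a known-clean ps binary, because the script only reports the discrepancy, it does not explain it.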