PS is not showing all processes owned by a user

Tom Marchand m0rchand at comcast.net
Wed May 30 18:08:16 UTC 2007


These:

> > s00p 67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
> > s00p 67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux

do not fit the criteria of the grep commands:

> > spark# ps aux | grep psybnc | grep s00p

which will only list entries containing psybnc and s00p, in that order.


 -------------- Original message ----------------------
From: Chuck Swiger <cswiger at mac.com>
> Ofloo wrote:
> > Can someone explain this to me!?
> > 
> > spark# ps aux | grep psybnc | grep s00p
> > s00p        8777  0.0  0.3 43096  5716  p1- S    Fri06PM   4:30.25 ./psybnc
> > 
> > spark# su s00p
> > -(s00p at spark.ofloo.net)-(19:56:45)
> > -(~/)-> ps aux
> > USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
> > s00p 67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
> > s00p 67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux
> 
> psybnc is an IRC relay agent; unless someone normally runs such things, having 
> one of these processes appear but be "invisible" to top or normal invocations 
> of ps is a possible indication that the system has been hacked.
> 
> A typical pattern involves a user having their account password sniffed via 
> wireless when reading email or whatever, and the attacker gains shell access 
> to their email server (assuming it's a Unix system), and runs this.  It 
> includes a generic remote filesharing capability and some kind of port 
> redirector à la netcat or SSH port forwarding, so the hacked machine can be 
> used as a remote control channel to drive other compromised machines...
> 
> > This came after a complaint from the user, who couldn't kill his process,
> > because it wasn't visible in his session, and he didn't su !?
> 
> However, I'm not sure whether the above is relevant, if your user was trying 
> to run this IRC agent.  :-)
> 
> -- 
> -Chuck
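Chuck's point is that a process which exists but does not show up in ps is worth checking. The script below is an added example, not from this thread or from FreeBSD: it probes PIDs with signal 0 (`kill -0`), which succeeds for any existing process the caller may signal, and reports those that `ps -axo pid=` does not list. It assumes it is run as root (as at the `spark#` prompt), since an unprivileged user gets EPERM for other users' processes and the probe would miss them; the demo PID lists are constructed, with 8778 as a hypothetical hidden process.

```sh
#!/bin/sh
# Added example (not from the thread): list PIDs that answer a signal-0 probe
# but are absent from ps output. Such a PID is hidden from ps, the symptom the
# thread treats as a possible sign of compromise. Run as root so that EPERM on
# other users' processes does not get mistaken for "no such process".

# hidden_pids PS_PIDS PROBE_PIDS
# Both arguments are whitespace-separated PID lists. Prints, one per line,
# every PID in PROBE_PIDS that does not occur in PS_PIDS.
hidden_pids() {
    ps_list=$1
    probe_list=$2
    for p in $probe_list; do
        found=0
        for q in $ps_list; do
            [ "$p" = "$q" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && echo "$p"
    done
    return 0
}

# ps_pids: PIDs as ps reports them (FreeBSD and Linux both accept -axo pid=).
ps_pids() {
    ps -axo pid=
}

# probe_pids MAXPID: every PID in 1..MAXPID that accepts signal 0. The shell
# running this scan is included, but it also appears in ps, so no false hit.
# 99999 is FreeBSD's default pid_max; adjust for other systems.
probe_pids() {
    max=${1:-99999}
    i=1
    while [ "$i" -le "$max" ]; do
        kill -0 "$i" 2>/dev/null && printf '%s ' "$i"
        i=$((i + 1))
    done
    echo
}

# Constructed demo data modelled on the thread: ps listed 8777, 67431 and
# 67438; the probe additionally sees 8778, a hypothetical hidden process.
DEMO_PS="8777 67431 67438"
DEMO_PROBE="8777 8778 67431 67438"

if [ "${1:-}" = "--live" ]; then
    hidden_pids "$(ps_pids)" "$(probe_pids 99999)"   # real scan of this host
else
    echo "hidden in demo data: $(hidden_pids "$DEMO_PS" "$DEMO_PROBE")"
fi
```

Invoke with `--live` to scan the running system; a non-empty result means some process is visible to the kernel but not to ps, which deserves a closer look before assuming a grep mistake.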


