PS is not showing all processes owned by a user
Ofloo
bulk at ofloo.net
Wed May 30 18:37:08 UTC 2007
Tom Marchand wrote:
>
> These:
>
>> > s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
>> > s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
>
> do not fit the criteria of the grep commands:
>
>>> spark# ps aux | grep psybnc | grep s00p
>
> which will only list entries containing psybnc and s00p, in that order.
>
>
> -------------- Original message ----------------------
> From: Chuck Swiger <cswiger at mac.com>
>> Ofloo wrote:
>> > Can someone explain me this !?
>> >
>> > spark# ps aux | grep psybnc | grep s00p
>> > s00p 8777 0.0 0.3 43096 5716 p1- S Fri06PM 4:30.25
>> ./psybnc
>> >
>> > spark# su s00p
>> > -(s00p at spark.ofloo.net)-(19:56:45)
>> > -(~/)-> ps aux
>> > USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>> > s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
>> > s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
>>
>> psybnc is an IRC relay agent; unless someone normally runs such things,
>> having
>> one of these processes appear but be "invisible" to top or normal
>> invocations
>> of ps is a possible indication that the system has been hacked.
>>
>> A typical pattern involves a user having their account password sniffed
>> via
>> wireless when reading email or whatever, and the attacker gains shell
>> access
>> to their email server (assuming it's a Unix system), and runs this. It
>> includes a generic remote filesharing capability and some kind of port
>> redirector ala netcat or SSH port forwarding, so the hacked machine can
>> be
>> used as a remote control channel to drive other compromised machines...
>>
>> > This came after a complaint from the user, who couldn't kill his
>> process,
>> > because it wasn't visible in his session, and he didn't su !?
>>
>> However, I'm not sure whether the above is relevant, if your user was
>> trying
>> to run this IRC agent. :-)
>>
>> --
>> -Chuck
>>
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
>
The user didn't grep at all i just grep'ed from root user to provide, but it
did show under root user and not in user mode.
--
View this message in context: http://www.nabble.com/PS-is-not-showing-all-processes-owned-by-a-user-tf3835565.html#a10879924
Sent from the freebsd-questions mailing list archive at Nabble.com.
More information about the freebsd-questions
mailing list