PS is not showing all processes owned by a user

Ofloo bulk at ofloo.net
Wed May 30 18:37:08 UTC 2007



Tom Marchand wrote:
> 
> These:
> 
>> > s00p 67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
>> > s00p 67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux
> 
> do not fit the criteria of the grep commands:
> 
>>> spark# ps aux | grep psybnc | grep s00p
> 
> which will only list entries containing psybnc and s00p, in that order.
> 
> 
>  -------------- Original message ----------------------
> From: Chuck Swiger <cswiger at mac.com>
>> Ofloo wrote:
>> > Can someone explain me this !?
>> > 
>> > spark# ps aux | grep psybnc | grep s00p
>> > s00p        8777  0.0  0.3 43096  5716  p1- S    Fri06PM   4:30.25 ./psybnc
>> > 
>> > spark# su s00p
>> > -(s00p at spark.ofloo.net)-(19:56:45)
>> > -(~/)-> ps aux
>> > USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
>> > s00p 67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
>> > s00p 67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux
>> 
>> psybnc is an IRC relay agent; unless someone normally runs such things,
>> having one of these processes appear but be "invisible" to top or normal
>> invocations of ps is a possible indication that the system has been hacked.
>> 
>> A typical pattern involves a user having their account password sniffed
>> via wireless when reading email or whatever, and the attacker gains shell
>> access to their email server (assuming it's a Unix system), and runs this.  It
>> includes a generic remote filesharing capability and some kind of port
>> redirector ala netcat or SSH port forwarding, so the hacked machine can be
>> used as a remote control channel to drive other compromised machines...
>> 
>> > This came after a complaint from the user, who couldn't kill his process,
>> > because it wasn't visible in his session, and he didn't su !?
>> 
>> However, I'm not sure whether the above is relevant, if your user was
>> trying to run this IRC agent.  :-)
>> 
>> -- 
>> -Chuck
>> 
>> 
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
> 
> 
The user didn't grep at all; I just grep'ed as the root user to provide the output, but it
did show under the root user and not in user mode.
-- 
Sent from the freebsd-questions mailing list archive at Nabble.com.
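One way to check for the symptom discussed in this thread (a process that root's ps shows but the user's session does not), added here as an example and not code from anyone in the thread: compare the PIDs ps reports with the PIDs the kernel still answers for when probed with the null signal. The `ps ax -o pid=` flags and the `kern.pid_max` sysctl are FreeBSD's; the `/proc` fallback is for Linux.

```shell
#!/bin/sh
# Cross-check the process table: PIDs that are alive (kill -0 succeeds) but absent from
# ps output are exactly the symptom in this thread, whatever the cause turns out to be.

# hidden_pids VISIBLE ALIVE
# Both arguments are newline-separated PID lists; prints the PIDs in ALIVE missing from VISIBLE.
hidden_pids() {
    {
        printf '%s\n' "$1" | sed 's/^/V /'
        printf '%s\n' "$2" | sed 's/^/A /'
    } | awk '$2 ~ /^[0-9]+$/ { if ($1 == "V") seen[$2] = 1; else if (!($2 in seen)) print $2 }'
}

# probe_alive MAX_PID
# Asks the kernel about every PID up to MAX_PID with the null signal. Success means the
# process exists and the caller may signal it: as root that is every process, as an
# unprivileged user it is the caller's own processes (the thread's case: s00p owned psybnc).
probe_alive() {
    pid=1
    while [ "$pid" -le "$1" ]; do
        kill -0 "$pid" 2>/dev/null && echo "$pid"
        pid=$((pid + 1))
    done
}

# Highest PID to probe: FreeBSD exposes kern.pid_max, Linux /proc; 99999 is a fallback guess.
max_pid() {
    sysctl -n kern.pid_max 2>/dev/null || cat /proc/sys/kernel/pid_max 2>/dev/null || echo 99999
}

main() {
    visible=$(ps ax -o pid=)                 # what ps is willing to show this session
    alive=$(probe_alive "$(max_pid)")        # what the kernel admits exists
    suspects=$(hidden_pids "$visible" "$alive")
    if [ -n "$suspects" ]; then
        echo "PIDs alive but absent from ps output (inspect with ps -p PID as root):"
        echo "$suspects"
        return 1
    fi
    echo "ps and the kernel agree on the process list"
}

# Run the scan only when asked, so the functions can be sourced and tested on their own.
case "${1:-}" in scan) main ;; esac
```

Run it as `sh hidden_ps.sh scan` in the affected user's session and again as root; a short-lived process exiting between the ps call and the probe can produce a one-off false positive, so re-run before drawing conclusions.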