From owner-freebsd-questions@FreeBSD.ORG  Fri Aug  8 17:09:16 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id F2800106567A
	for <freebsd-questions@freebsd.org>;
	Fri,  8 Aug 2008 17:09:16 +0000 (UTC)
	(envelope-from dan@dan.emsphone.com)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101])
	by mx1.freebsd.org (Postfix) with ESMTP id 95D668FC2F
	for <freebsd-questions@freebsd.org>;
	Fri,  8 Aug 2008 17:09:16 +0000 (UTC)
	(envelope-from dan@dan.emsphone.com)
Received: from dan.emsphone.com (smmsp@localhost [127.0.0.1])
	by dan.emsphone.com (8.14.3/8.14.2) with ESMTP id m78H9FhG091001
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <freebsd-questions@freebsd.org>;
	Fri, 8 Aug 2008 12:09:15 -0500 (CDT)
	(envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost)
	by dan.emsphone.com (8.14.3/8.14.2/Submit) id m78H9DX0090997;
	Fri, 8 Aug 2008 12:09:13 -0500 (CDT) (envelope-from dan)
Date: Fri, 8 Aug 2008 12:09:13 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Agus <agus.262@gmail.com>
Message-ID: <20080808170913.GD68181@dan.emsphone.com>
References: <fda61bb50808071459g5f928845vb770c0fbf41bec48@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <fda61bb50808071459g5f928845vb770c0fbf41bec48@mail.gmail.com>
X-OS: FreeBSD 7.0-STABLE
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Weird Processes on my server from user....
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2008 17:09:17 -0000

In the last episode (Aug 07), Agus said:
> Hi guys,
> 
> Checking my server i found this processess....The user doesnt appear
> doing w..so its like if he was doing an scp or something like
> that...though in this case its sftp... But i read the man and doesnt
> have much information..so i dont understand what is going in the
> background with this proccesess or how can i check it...
> 
> the user is deamon and is a registered user...
> here is the pstree output:
> 
>  | |-+= 74888 root sshd: deamon [priv] (sshd)
>  | | \-+- 74891 deamon sshd: deamon@notty (sshd)
>  | |   \-+= 74892 deamon csh -c /usr/libexec/sftp-server
>  | |     \--- 74893 deamon /usr/libexec/sftp-server

I think you'll see this if the user is sftp'ing over SSHv1; the
sftp-server component has to be launched via a shell login because
SSHv1 doesn't have subsystems.

-- 
	Dan Nelson
	dnelson@allantgroup.com