From owner-freebsd-questions@FreeBSD.ORG Wed May 30 17:07:48 2007
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9EEFA16A469; Wed, 30 May 2007 17:07:48 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.freebsd.org (Postfix) with ESMTP id 7186913C484; Wed, 30 May 2007 17:07:48 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from localhost (localhost [127.0.0.1]) by pi.codefab.com (Postfix) with ESMTP id C1FE75E7C; Wed, 30 May 2007 13:07:47 -0400 (EDT)
X-Virus-Scanned: amavisd-new at codefab.com
Received: from pi.codefab.com ([127.0.0.1]) by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezzgqdz6KOEi; Wed, 30 May 2007 13:07:45 -0400 (EDT)
Received: from [192.168.1.3] (pool-71-190-78-62.nycmny.east.verizon.net [71.190.78.62]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pi.codefab.com (Postfix) with ESMTP id 665AE5E05; Wed, 30 May 2007 13:07:45 -0400 (EDT)
Message-ID: <465DAF5A.1030103@mac.com>
Date: Wed, 30 May 2007 13:07:38 -0400
From: Chuck Swiger
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0
To: Ofloo
References: <10859328.post@talk.nabble.com>
In-Reply-To: <10859328.post@talk.nabble.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: PS is not showing all processes owned by a user
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 30 May 2007 17:07:48 -0000

Ofloo wrote:
> Can someone explain this to me!?
>
> spark# ps aux | grep psybnc | grep s00p
> s00p 8777 0.0 0.3 43096 5716 p1- S Fri06PM 4:30.25 ./psybnc
>
> spark# su s00p
> -(s00p@spark.ofloo.net)-(19:56:45)
> -(~/)-> ps aux
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
> s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux

psybnc is an IRC relay agent; unless someone normally runs such things, having one of these processes appear but be "invisible" to top or normal invocations of ps is a possible indication that the system has been hacked.

A typical pattern involves a user having their account password sniffed via wireless when reading email or whatever; the attacker gains shell access to their email server (assuming it's a Unix system) and runs this. It includes a generic remote filesharing capability and some kind of port redirector à la netcat or SSH port forwarding, so the hacked machine can be used as a remote control channel to drive other compromised machines...

> This came after a complaint from the user, who couldn't kill his process,
> because it wasn't visible in his session, and he didn't su !?

However, I'm not sure whether the above is relevant, if your user was trying to run this IRC agent. :-)

-- 
-Chuck
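The symptom in the thread, a PID that one `ps` invocation lists and another does not, is the classic tell of a process hidden from `ps`. The script below is an added example (not from the thread or from any FreeBSD tool) of the standard check for that condition: it takes the PIDs `ps -axo pid` reports and compares them against a sweep of `kill(pid, 0)` over the whole PID range. A PID that the kernel admits exists (the probe succeeds, or fails with EPERM because the process belongs to someone else) but that `ps` did not list is hidden from `ps`. The upper bound `MAX_PID` is an assumption (FreeBSD's default `kern.pid_max` is 99999; adjust it to your system's setting), and the sample `ps` output in the test is constructed. Run it as root for a complete sweep, because the kernel only admits to processes the caller is allowed to see.

```python
"""Find PIDs that are alive according to kill(pid, 0) but absent from ps.

Added example, not code from the thread.  A process that answers the
signal-0 probe (success, or EPERM for another user's process) but is
missing from `ps -axo pid` is hidden from ps, which is the symptom the
thread discusses.  Run as root for a complete sweep: the kernel only
reports processes the caller is permitted to see.
"""
import os
import subprocess

# Assumed upper bound of the PID space.  FreeBSD's default kern.pid_max
# is 99999; Linux defaults to 32768.  Both are tunable, so raise this if
# your system uses a larger range.
MAX_PID = 99999


def probe_pid(pid):
    """Return True if the kernel says the process exists.

    kill(pid, 0) delivers no signal; it only reports whether the target
    exists and whether we may signal it.  EPERM (PermissionError) means
    the process exists but belongs to someone else, so it still counts
    as alive.  ESRCH (ProcessLookupError) means there is no such process.
    """
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        return False


def pids_from_ps_output(text):
    """Parse the output of `ps -axo pid`: a header line, then one PID per line."""
    pids = set()
    for line in text.splitlines():
        field = line.strip()
        if field.isdigit():
            pids.add(int(field))
    return pids


def pids_from_ps():
    """PIDs that ps is willing to show the caller right now."""
    out = subprocess.run(["ps", "-axo", "pid"], check=True,
                         capture_output=True, text=True).stdout
    return pids_from_ps_output(out)


def hidden_pids(ps_pids, probe=probe_pid, max_pid=MAX_PID):
    """PIDs the kernel admits exist but that ps did not list.

    `probe` is injectable so the logic can be exercised without touching
    the live process table.  PID 0 is skipped: it is the kernel itself.
    """
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in ps_pids and probe(pid))


def confirmed_hidden_pids():
    """Sweep once, then re-check each candidate against a fresh ps listing.

    A process that exited between the ps run and the probe (or started
    after it) would otherwise show up as a false positive.
    """
    candidates = hidden_pids(pids_from_ps())
    if not candidates:
        return []
    fresh = pids_from_ps()
    return [pid for pid in candidates if pid not in fresh and probe_pid(pid)]


def main():
    hidden = confirmed_hidden_pids()
    if hidden:
        print("PIDs alive but missing from ps:", hidden)
        print("Inspect each with `ps -p PID`, `procstat -f PID` (FreeBSD) "
              "or `fstat -p PID` before trusting this host.")
    else:
        print("no hidden PIDs found (probed 1..%d)" % MAX_PID)


if __name__ == "__main__":
    main()
```

A non-empty result is a lead, not a verdict: a second, independent view of the process table (for example `sockstat` or `procstat` on FreeBSD, or a boot from known-good media) is the next step, since a rootkit that hooks `ps` may hook the `kill` path too.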