Date:      Wed, 30 May 2007 18:08:14 +0000
From:      m0rchand@comcast.net (Tom Marchand)
To:        freebsd-questions@freebsd.org
Subject:   Re: PS is not showing all processes owned by a user
Message-ID:  <053020071808.13926.465DBD8E000CF85B0000366622007348300B020E080C9DCF03@comcast.net>

These:

> > s00p 67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
> > s00p 67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux

do not fit the criteria of the grep commands:

> > spark# ps aux | grep psybnc | grep s00p

which will only list entries containing psybnc and s00p, in that order.


 -------------- Original message ----------------------
From: Chuck Swiger <cswiger@mac.com>
> Ofloo wrote:
> > Can someone explain me this !?
> > 
> > spark# ps aux | grep psybnc | grep s00p
> > s00p        8777  0.0  0.3 43096  5716  p1- S    Fri06PM   4:30.25 ./psybnc
> > 
> > spark# su s00p
> > -(s00p@spark.ofloo.net)-(19:56:45)
> > -(~/)-> ps aux
> > USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
> > s00p 67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
> > s00p 67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux
> 
> psybnc is an IRC relay agent; unless someone normally runs such things, having 
> one of these processes appear but be "invisible" to top or normal invocations 
> of ps is a possible indication that the system has been hacked.
> 
> A typical pattern involves a user having their account password sniffed via 
> wireless when reading email or whatever, and the attacker gains shell access 
> to their email server (assuming it's a Unix system), and runs this.  It 
> includes a generic remote filesharing capability and some kind of port 
> redirector ala netcat or SSH port forwarding, so the hacked machine can be 
> used as a remote control channel to drive other compromised machines...
> 
> > This came after a complaint from the user, who couldn't kill his process,
> > because it wasn't visible in his session, and he didn't su !?
> 
> However, I'm not sure whether the above is relevant, if your user was trying 
> to run this IRC agent.  :-)
> 
> -- 
> -Chuck
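One defender-side check this thread points at, added here as an example and not part of any poster's message: compare the processes root sees for a user with what that user's own `ps aux` session reports, and flag the PIDs missing from the latter. The two listings are constructed from the lines quoted above (plus an assumed init line); in practice they would come from `ps aux` run as root and as the user.

```shell
# Constructed root-side listing: what `ps aux` shows when run as root.
ROOT_PS='USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
root       1  0.0  0.1  1300   600  ??  Ss   Fri06PM   0:01.00 /sbin/init
s00p    8777  0.0  0.3 43096  5716  p1- S    Fri06PM   4:30.25 ./psybnc
s00p   67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
s00p   67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux'

# Constructed user-side listing: what the same user saw after `su s00p; ps aux`.
USER_PS='USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
s00p   67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
s00p   67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux'

# pids_for_user USER LISTING
# Print the PIDs (column 2) of every row owned by USER, skipping the header,
# one per line, numerically sorted.
pids_for_user() {
    printf '%s\n' "$2" | awk -v u="$1" 'NR > 1 && $1 == u { print $2 }' | sort -n
}

# hidden_procs USER ROOT_LISTING USER_LISTING
# Print the PIDs owned by USER that appear in the root listing but not in the
# user's own listing. An empty result means the two views agree.
hidden_procs() {
    user_pids=$(pids_for_user "$1" "$3")
    for pid in $(pids_for_user "$1" "$2"); do
        # Build " 67431 67438 " and look for " <pid> " inside it.
        case " $(printf '%s ' $user_pids)" in
            *" $pid "*) ;;
            *) printf '%s\n' "$pid" ;;
        esac
    done
}

# hidden_lines USER ROOT_LISTING USER_LISTING
# Same check, but print the full root-side row for each hidden PID so the
# command name (here ./psybnc) is visible in the report.
hidden_lines() {
    for pid in $(hidden_procs "$1" "$2" "$3"); do
        printf '%s\n' "$2" | awk -v p="$pid" '$2 == p'
    done
}

hidden_lines s00p "$ROOT_PS" "$USER_PS"
```

On a live system the same functions work on `ps aux` output captured to variables; a non-empty report is a reason to look at the machine with the suspicion Chuck's reply describes, not proof by itself.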