From: m0rchand@comcast.net (Tom Marchand)
To: freebsd-questions@freebsd.org
Date: Wed, 30 May 2007 18:08:14 +0000
Subject: Re: PS is not showing all processes owned by a user

These:

> > s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
> > s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux

do not fit the criteria of the grep commands:

> > spark# ps aux | grep psybnc | grep s00p

which will only list entries containing psybnc and s00p, in that order.

-------------- Original message ----------------------
From: Chuck Swiger

> Ofloo wrote:
> > Can someone explain this to me!?
> >
> > spark# ps aux | grep psybnc | grep s00p
> > s00p 8777 0.0 0.3 43096 5716 p1- S Fri06PM 4:30.25 ./psybnc
> >
> > spark# su s00p
> > -(s00p@spark.ofloo.net)-(19:56:45)
> > -(~/)-> ps aux
> > USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> > s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
> > s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
>
> psybnc is an IRC relay agent; unless someone normally runs such things, having
> one of these processes appear but be "invisible" to top or normal invocations
> of ps is a possible indication that the system has been hacked.
>
> A typical pattern involves a user having their account password sniffed via
> wireless when reading email or whatever, and the attacker gains shell access
> to their email server (assuming it's a Unix system), and runs this. It
> includes a generic remote filesharing capability and some kind of port
> redirector a la netcat or SSH port forwarding, so the hacked machine can be
> used as a remote control channel to drive other compromised machines...
>
> > This came after a complaint from the user, who couldn't kill his process,
> > because it wasn't visible in his session, and he didn't su !?
>
> However, I'm not sure whether the above is relevant, if your user was trying
> to run this IRC agent. :-)
>
> --
> -Chuck
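A check an administrator can run after a report like this one, added here as an example and not code from the thread: it cross-references the PIDs the kernel acknowledges (by sending signal 0 to every PID) against the PIDs that ps lists, so a process that exists but never shows up in ps stands out. It assumes Python 3 on FreeBSD or Linux, a ps that accepts `-axo pid=`, running as root, and a constructed MAX_PID ceiling.

```python
import os
import subprocess

# Assumed PID ceiling (constructed for this example); FreeBSD's kern.pid_max
# defaults to 99999, so adjust it to the target host's value.
MAX_PID = 99999

def probe_pids(max_pid=MAX_PID):
    """PIDs the kernel acknowledges, found by sending signal 0 to each one.
    ESRCH means no such process; EPERM means it exists but belongs to another
    user, so it still counts (run as root for full coverage)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def ps_pids():
    """PIDs that ps reports; '-axo pid=' works on FreeBSD ps and on procps."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(probed, reported):
    """Sorted PIDs the kernel knows about but ps did not list."""
    return sorted(probed - reported)

def check_once():
    """Probe, snapshot ps, probe again: only PIDs alive in both probes are
    compared, which filters processes that started or exited in between
    (including the short-lived ps child itself)."""
    before = probe_pids()
    reported = ps_pids()
    after = probe_pids()
    return hidden_pids(before & after, reported)

def self_visible():
    """Sanity check: the probe must at least find the current process."""
    me = os.getpid()
    return me in probe_pids(max_pid=me)

if __name__ == "__main__":
    for pid in check_once():
        print(f"PID {pid} exists but is missing from ps output")
```

A hit is a lead rather than proof: on FreeBSD an unprivileged ps with security.bsd.see_other_uids set to 0 legitimately omits other users' processes, which is why the comparison should be made as root.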