From owner-freebsd-questions@FreeBSD.ORG Wed May 30 18:37:07 2007
Message-ID: <10879924.post@talk.nabble.com>
Date: Wed, 30 May 2007 11:37:06 -0700 (PDT)
From: Ofloo
To: freebsd-questions@freebsd.org
In-Reply-To: <053020071808.13926.465DBD8E000CF85B0000366622007348300B020E080C9DCF03@comcast.net>
References: <10859328.post@talk.nabble.com> <053020071808.13926.465DBD8E000CF85B0000366622007348300B020E080C9DCF03@comcast.net>
Subject: Re: PS is not showing all processes owned by a user

Tom Marchand wrote:
>
> These:
>
>> > s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
>> > s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
>
> do not fit the criteria of the grep commands:
>
>>> spark# ps aux | grep psybnc | grep s00p
>
> which will only list entries containing psybnc and s00p, in that order.
>
>
> -------------- Original message ----------------------
> From: Chuck Swiger
>> Ofloo wrote:
>> > Can someone explain this to me!?
>> >
>> > spark# ps aux | grep psybnc | grep s00p
>> > s00p 8777 0.0 0.3 43096 5716 p1- S Fri06PM 4:30.25 ./psybnc
>> >
>> > spark# su s00p
>> > -(s00p@spark.ofloo.net)-(19:56:45)
>> > -(~/)-> ps aux
>> > USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>> > s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
>> > s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
>>
>> psybnc is an IRC relay agent; unless someone normally runs such things,
>> having one of these processes appear but be "invisible" to top or normal
>> invocations of ps is a possible indication that the system has been hacked.
>>
>> A typical pattern involves a user having their account password sniffed
>> via wireless when reading email or whatever, and the attacker gains shell
>> access to their email server (assuming it's a Unix system), and runs this.
>> It includes a generic remote filesharing capability and some kind of port
>> redirector a la netcat or SSH port forwarding, so the hacked machine can
>> be used as a remote control channel to drive other compromised machines...
>>
>> > This came after a complaint from the user, who couldn't kill his
>> > process, because it wasn't visible in his session, and he didn't su!?
>>
>> However, I'm not sure whether the above is relevant, if your user was
>> trying to run this IRC agent. :-)
>>
>> --
>> -Chuck
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
>

The user didn't grep at all; I just grepped as the root user to provide the output, but it did show under the root user and not in user mode.

--
View this message in context: http://www.nabble.com/PS-is-not-showing-all-processes-owned-by-a-user-tf3835565.html#a10879924
Sent from the freebsd-questions mailing list archive at Nabble.com.
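As an added example from the defender's side (not code from the thread, from FreeBSD or from psybnc), a root-run cross-check of the kernel's PID space against ps(1): a PID that answers a null signal but is absent from `ps -axo pid=` is the kind of "visible to root, invisible to ps" discrepancy Chuck describes and is worth a closer look. It assumes a ps that accepts `-o pid=` (FreeBSD and procps both do) and FreeBSD's PID_MAX of 99999; run it as root, since with security.bsd.see_other_uids=0 an unprivileged run would flag every other user's processes as missing.

```python
# Added example: compare PIDs the kernel acknowledges with PIDs ps(1) lists.
import os
import subprocess

FREEBSD_PID_MAX = 99999  # PID_MAX from FreeBSD's sys/proc.h


def _alive(pid):
    """Null-signal probe. ESRCH means no such process; EPERM means it
    exists but belongs to someone else, which still counts as alive."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probe_pids(max_pid=FREEBSD_PID_MAX):
    """Return every PID in 1..max_pid that the kernel says exists."""
    return {pid for pid in range(1, max_pid + 1) if _alive(pid)}


def parse_ps_pids(ps_output):
    """Parse `ps -axo pid=` output: one bare PID per line, no header."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def ps_pids():
    """PIDs that ps(1) is willing to show us right now."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def hidden_pids(kernel_pids, listed_pids):
    """PIDs the kernel acknowledges but ps did not list. Processes that
    started or exited between the two snapshots are noise, so re-probe
    each candidate before reporting it."""
    return {pid for pid in kernel_pids - listed_pids if _alive(pid)}


if __name__ == "__main__":
    suspects = hidden_pids(probe_pids(), ps_pids())
    for pid in sorted(suspects):
        print(f"PID {pid} exists but is missing from ps output")
    print("no hidden PIDs found" if not suspects else f"{len(suspects)} suspect(s)")
```

A non-empty result is a prompt to inspect the host from trusted media rather than proof of compromise; a legitimate PID that exited between the probe and the ps snapshot is already filtered by the re-probe.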