From: Reid Linnemann <lreid@cs.okstate.edu>
To: Ofloo
Cc: freebsd-questions@freebsd.org
Subject: Re: PS is not showing all processes owned by a user
Date: Wed, 30 May 2007 14:25:36 -0500
Message-ID: <465DCFB0.4090604@cs.okstate.edu>
In-Reply-To: <10879945.post@talk.nabble.com>
References: <10859328.post@talk.nabble.com> <465DAF5A.1030103@mac.com> <10879945.post@talk.nabble.com>

Written by Ofloo on 05/30/07 13:38>>
>
> Chuck Swiger-2 wrote:
>> Ofloo wrote:
>>> Can someone explain this to me!?
>>>
>>> spark# ps aux | grep psybnc | grep s00p
>>> s00p 8777 0.0 0.3 43096 5716 p1- S Fri06PM 4:30.25 ./psybnc
>>>
>>> spark# su s00p
>>> -(s00p@spark.ofloo.net)-(19:56:45)
>>> -(~/)-> ps aux
>>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>>> s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
>>> s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
>> psybnc is an IRC relay agent; unless someone normally runs such things, having
>> one of these processes appear but be "invisible" to top or normal invocations
>> of ps is a possible indication that the system has been hacked.
>>
>> A typical pattern involves a user having their account password sniffed via
>> wireless when reading email or whatever, and the attacker gains shell access
>> to their email server (assuming it's a Unix system), and runs this. It
>> includes a generic remote filesharing capability and some kind of port
>> redirector a la netcat or SSH port forwarding, so the hacked machine can be
>> used as a remote control channel to drive other compromised machines...
>>
>>> This came after a complaint from the user, who couldn't kill his process,
>>> because it wasn't visible in his session, and he didn't su !?
>> However, I'm not sure whether the above is relevant, if your user was trying
>> to run this IRC agent. :-)
>>
>> --
>> -Chuck
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>
> No hacker would want to hide a process from a user; it might want to hide a
> process from the root user. Also, if the hacker was able to hide a process from
> a user, it would have needed access to the ps binary or the FreeBSD source tree
> on that system, and having that access the hacker would have tried other things
> and not hidden a bnc from just a user account.
>

Not necessarily.
I've had firsthand experience with a box that was compromised specifically to run a BNC so the abuser could mask his true location when being mischievous. In that regard, it suffices simply to hide the process from the compromised user account to keep the owner unaware anything has happened.
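As an added example, not part of this thread or of any of the posters' code: a cross-check that catches the situation the thread describes, a process the kernel knows about but `ps` does not list. FreeBSD's ps(1) builds its listing from the kern.proc sysctl tree (via libkvm), so a replaced ps binary or a tampered process-table view can silently omit entries, whereas kill(pid, 0) asks the kernel about that one PID directly. The script distinguishes ESRCH (no such process) from EPERM (exists, owned by someone else), because with security.bsd.see_other_uids=0 other users' processes are legitimately absent from an unprivileged ps and must not be flagged as hidden. Assumptions: `ps -axo pid=` is available, and 1..99999 (FreeBSD's PID_MAX) covers the PID space; on other systems adjust `PID_MAX`. A kernel-level rootkit that also lies to kill(2) defeats this check, so a clean result is not proof of a clean box.

```python
# Added example (not from this thread): cross-check ps output against kill(2)
# probing to spot PIDs that ps omits.  Assumed: `ps -axo pid=` exists and
# 1..99999 covers the PID space (FreeBSD's PID_MAX).
import os
import subprocess
from typing import Dict, Iterable, Set

PID_MAX = 99999  # FreeBSD sys/proc.h PID_MAX; an assumption elsewhere


def visible_pids(ps_output: str) -> Set[int]:
    """Parse `ps -axo pid=` output (one PID per line, header suppressed)."""
    pids: Set[int] = set()
    for line in ps_output.splitlines():
        token = line.strip()
        if token.isdigit():
            pids.add(int(token))
    return pids


def probe_pids(candidates: Iterable[int]) -> Dict[int, str]:
    """Ask the kernel directly which PIDs exist via kill(pid, 0).

    ESRCH   -> no such process (skipped)
    EPERM   -> process exists but belongs to another user -> "other"
    success -> process exists and we may signal it        -> "mine"
    """
    found: Dict[int, str] = {}
    for pid in candidates:
        if pid <= 0:
            continue  # 0 and negatives address process groups, not a PID
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            found[pid] = "other"
        else:
            found[pid] = "mine"
    return found


def hidden_pids(visible: Set[int], probed: Dict[int, str]) -> Dict[str, Set[int]]:
    """PIDs the kernel confirms but ps did not list, split by ownership.

    "mine":  processes we could signal yet ps omitted; the suspicious case,
             matching a user whose own psybnc does not appear in `ps aux`.
    "other": processes of other users; expected to be absent from an
             unprivileged ps when security.bsd.see_other_uids=0, so they are
             reported separately rather than flagged.
    """
    return {
        "mine": {p for p, who in probed.items() if who == "mine" and p not in visible},
        "other": {p for p, who in probed.items() if who == "other" and p not in visible},
    }


def self_check() -> bool:
    """Sanity check: the probe must at least see the current process."""
    me = os.getpid()
    return probe_pids([me]).get(me) == "mine"


def run_check(pid_max: int = PID_MAX) -> Dict[str, Set[int]]:
    """Run ps and the probe on the live system and return the discrepancies."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return hidden_pids(visible_pids(out), probe_pids(range(1, pid_max + 1)))


if __name__ == "__main__":
    result = run_check()
    for pid in sorted(result["mine"]):
        print(f"HIDDEN (ours, ps omitted it): pid {pid}")
    for pid in sorted(result["other"]):
        print(f"unlisted (another user's, maybe see_other_uids=0): pid {pid}")
    if not result["mine"]:
        print("no hidden processes of ours found")
```

Run it as the affected user (here s00p) and then as root; a PID that lands in "mine" for the user but is absent from root's `ps aux` too points at the process table being lied to rather than at a permissions setting. There is an unavoidable race between the ps run and the probe, so a process that starts or exits in between can show up once; only trust PIDs that persist across two or three runs.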