Date: Wed, 15 Feb 2006 16:32:36 -0500
From: Aaron Peterson
To: Glenn McCalley
Cc: freebsd-questions@freebsd.org
Subject: Re: how to tell what ran what

On 2/15/06, Glenn McCalley wrote:
>
> ----- Original Message -----
> From: "Björn König"
> To: "Glenn McCalley"
> Sent: Wednesday, February 15, 2006 11:13 AM
> Subject: Re: how to tell what ran what
>
>
> > Glenn McCalley wrote:
> >
> > > Is there a way to find out -which- -process- calls another process?
> >
> > Each process is associated with a parent; look at the ppid column:
> >
> > ps axo user,pid,ppid,command
> >
> > Björn
> >
>
> Thanks, I stated the question poorly. My fault.
> Is historical info available and is it available by file name?
>
> I'm trying to find out (for example) what (unknown) program ran another
> (known) program between 0900 and 1000 yesterday - something like that.
>
> I've got a customer sending out emails that he shouldn't - I don't know
> which customer it is. The program that sends the mail is running as a cgi
> so it all shows up as user "nobody".
>
> If I can get a list of what programs, path and file name, called sendmail
> over (say) the last 24 hours, one of them should jump off the page with an
> unreasonable level of activity.
>
> Thanks!
> Glenn.

Perhaps I'm missing something, but if a script is being called via CGI
it would need to be called by a process running as user "nobody" in
your case (like a web server). In which case, you probably will never
know who called it, but you might get their IP address from the web
server access logs as has already been mentioned...

If you have a server with multiple accounts for say, shared web
hosting, you should definitely grep through their scripts for
something like "mail" to look for the person who installed scripts
with mailing functions...

anyhow, wish you luck :-)

Aaron
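
The two checks suggested in the reply above (web server access logs, and grepping hosted scripts for mail functions), as an added example that is not part of the original thread. It assumes Apache common/combined log format; the function names, paths, IP addresses and log lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes Apache common/combined log format; every path,
# IP address and log line here is constructed for illustration.

# cgi_hits LOGFILE DAY FROM_HOUR TO_HOUR  (DAY like 14/Feb/2006, TO exclusive)
# Prints "count path" for CGI-style requests in the window, busiest first.
cgi_hits() {
    awk -v day="$2" -v from="$3" -v to="$4" '
        {
            split(substr($4, 2), t, ":")     # $4 = [14/Feb/2006:09:12:01
            hour = t[2] + 0
            if (t[1] != day || hour < from + 0 || hour >= to + 0) next
            path = $7                        # $7 = request path
            sub(/\?.*/, "", path)            # drop the query string
            if (path ~ /\/cgi-bin\// || path ~ /\.(cgi|pl|php)$/) n[path]++
        }
        END { for (p in n) print n[p], p }
    ' "$1" | sort -k1,1nr -k2,2
}

# mail_scripts DIR: files under DIR that mention sendmail or call mail().
mail_scripts() {
    grep -rlE 'sendmail|mail[[:space:]]*\(' "$1" | sort
}

# Constructed sample data so the example runs offline.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [14/Feb/2006:08:59:58 -0500] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [14/Feb/2006:09:00:03 -0500] "POST /cgi-bin/contact.pl HTTP/1.1" 200 87
198.51.100.7 - - [14/Feb/2006:09:01:10 -0500] "POST /~custb/form.cgi?x=1 HTTP/1.0" 200 40
198.51.100.7 - - [14/Feb/2006:09:01:11 -0500] "POST /~custb/form.cgi?x=2 HTTP/1.0" 200 40
198.51.100.7 - - [14/Feb/2006:09:01:12 -0500] "POST /~custb/form.cgi?x=3 HTTP/1.0" 200 40
203.0.113.5 - - [14/Feb/2006:10:00:00 -0500] "POST /~custb/form.cgi HTTP/1.0" 200 40
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    sample_log > "$tmp/access.log"
    mkdir -p "$tmp/custa" "$tmp/custb"
    echo 'print "hello";' > "$tmp/custa/hello.pl"
    echo 'open(M, "|/usr/sbin/sendmail -t");' > "$tmp/custb/form.cgi"
    cgi_hits "$tmp/access.log" 14/Feb/2006 9 10
    mail_scripts "$tmp"
    rm -rf "$tmp"
}
demo
```

A script that tops the `cgi_hits` ranking and also appears in the `mail_scripts` output is the first candidate to inspect; the client addresses on its log lines show who was driving it.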