From: bush doctor
Message-Id: <199806221533.LAA09743@ikhala.tcimet.net>
Subject: Re: Looking for hackers with netstat
In-Reply-To: <358D2C1E.45A12711@globalserve.net> from Geoffrey Robinson at "Jun 21, 98 11:51:58 am"
To: questions@FreeBSD.ORG
Date: Mon, 22 Jun 1998 11:33:04 -0400 (EDT)

Once upon a time said:
> I've heard that hackers can hide their presence from the who and w commands.

Just a question here. When one does the following:

1. setenv DISPLAY localmachine:0    # executed on remote host ...
2. xhost +remotemachine             # executed on local host ...
3. command&                         # executed on remote host ...
4. in original window ...           # executed on remote host ...

I notice that my processes no longer show up in w or who commands ... is this one of the things hackers are doing to avoid detection? Processes do still show up with a `ps -axl'.

--
bush doctor
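One way to check for the gap between `ps` and `who` described in the message above, as an added example that is not part of the original post: compare saved `ps -axo user,pid,tty,command` output against saved `who` output and report processes whose (user, tty) pair has no login record. The function name, the `SYSTEM_USERS` list, and the sample users and hosts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): report processes that `ps`
# shows but that belong to no login session listed by `who`.

# Assumption: accounts that normally run daemons without a login session.
SYSTEM_USERS="root daemon bin operator nobody"

# unaccounted_procs WHO_FILE PS_FILE
#   WHO_FILE: saved output of `who`  (columns: user line ...)
#   PS_FILE:  saved output of `ps -axo user,pid,tty,command` (header first)
# Prints every ps line whose (user, tty) pair has no matching `who` entry.
unaccounted_procs() {
    awk -v whofile="$1" -v sysusers="$SYSTEM_USERS" '
        BEGIN {
            n = split(sysusers, s, " ")
            for (i = 1; i <= n; i++) ignore[s[i]] = 1
            # Read who output here so an empty file (nobody logged in) works.
            while ((getline line < whofile) > 0) {
                split(line, f, " ")
                session[f[1] SUBSEP f[2]] = 1
            }
            close(whofile)
        }
        FNR == 1     { next }                 # skip the ps header line
        $1 in ignore { next }                 # expected daemon accounts
        { key = $1 SUBSEP $3; if (!(key in session)) print }
    ' "$2"
}

# Constructed sample data so the example runs offline.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/who" <<'EOF'
alice    ttyp0    Jun 22 11:02 (host-a.example)
EOF
    cat > "$dir/ps" <<'EOF'
USER   PID TTY    COMMAND
root     1 ??     /sbin/init
alice  412 ttyp0  -csh
bob    530 ??     xterm -display host-b.example:0
alice  611 ttyp3  xclock
EOF
    unaccounted_procs "$dir/who" "$dir/ps"
    rm -rf "$dir"
}

demo
```

On a live host, save the output of `who` and of `ps -axo user,pid,tty,command` to two files and pass them to `unaccounted_procs`; adjust `SYSTEM_USERS` to the daemon accounts that host actually uses.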