Re: PS is not showing all processes owned by a user
Paul Fraser-3 wrote:
> You su'd to this account, so a new process was spawned under that UID. ps works as intended.
>
> Sorry for the top-post, doing the early morning commute again and this mail client on my Nokia is rather stubborn on where I put a reply.
>
> Cheers, Paul.
>
> On 5/30/07, Ofloo [EMAIL PROTECTED] wrote:
>> Can someone explain this to me!?
>>
>> spark# ps aux | grep psybnc | grep s00p
>> s00p   8777  0.0  0.3 43096 5716 p1- S    Fri06PM  4:30.25 ./psybnc
>> spark# su s00p
>> -([EMAIL PROTECTED])-(19:56:45)
>> -(~/)- ps aux
>> USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED     TIME COMMAND
>> s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
>> s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux
>
> --
> Regards, Paul Fraser

This came after a complaint from the user, who couldn't kill his process, because it wasn't visible in his session, and he didn't su!?

Regards,
Ofloo

--
View this message in context: http://www.nabble.com/PS-is-not-showing-all-processes-owned-by-a-user-tf3835565.html#a10875173
Sent from the freebsd-questions mailing list archive at Nabble.com.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: PS is not showing all processes owned by a user
Ofloo wrote:
> Can someone explain this to me!?
>
> spark# ps aux | grep psybnc | grep s00p
> s00p   8777  0.0  0.3 43096 5716 p1- S    Fri06PM  4:30.25 ./psybnc
> spark# su s00p
> -([EMAIL PROTECTED])-(19:56:45)
> -(~/)- ps aux
> USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED     TIME COMMAND
> s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
> s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux

psybnc is an IRC relay agent; unless someone normally runs such things, having one of these processes appear but be invisible to top or normal invocations of ps is a possible indication that the system has been hacked.

A typical pattern involves a user having their account password sniffed via wireless when reading email or whatever, and the attacker gains shell access to their email server (assuming it's a Unix system), and runs this. It includes a generic remote filesharing capability and some kind of port redirector ala netcat or SSH port forwarding, so the hacked machine can be used as a remote control channel to drive other compromised machines...

> This came after a complaint from the user, who couldn't kill his process, because it wasn't visible in his session, and he didn't su!?

However, I'm not sure whether the above is relevant, if your user was trying to run this IRC agent. :-)

--
-Chuck
Re: PS is not showing all processes owned by a user
These:

  s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
  s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux

do not fit the criteria of the grep commands:

  spark# ps aux | grep psybnc | grep s00p

which will only list entries containing psybnc and s00p, in that order.

-- Original message --
From: Chuck Swiger [EMAIL PROTECTED]
> Ofloo wrote:
>> Can someone explain this to me!?
>>
>> spark# ps aux | grep psybnc | grep s00p
>> s00p   8777  0.0  0.3 43096 5716 p1- S    Fri06PM  4:30.25 ./psybnc
>> spark# su s00p
>> -([EMAIL PROTECTED])-(19:56:45)
>> -(~/)- ps aux
>> USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED     TIME COMMAND
>> s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
>> s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux
>
> psybnc is an IRC relay agent; unless someone normally runs such things, having one of these processes appear but be invisible to top or normal invocations of ps is a possible indication that the system has been hacked.
>
> A typical pattern involves a user having their account password sniffed via wireless when reading email or whatever, and the attacker gains shell access to their email server (assuming it's a Unix system), and runs this. It includes a generic remote filesharing capability and some kind of port redirector ala netcat or SSH port forwarding, so the hacked machine can be used as a remote control channel to drive other compromised machines...
>
>> This came after a complaint from the user, who couldn't kill his process, because it wasn't visible in his session, and he didn't su!?
>
> However, I'm not sure whether the above is relevant, if your user was trying to run this IRC agent. :-)
>
> --
> -Chuck
Re: PS is not showing all processes owned by a user
Tom Marchand wrote:
> These:
>
>   s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
>   s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux
>
> do not fit the criteria of the grep commands:
>
>   spark# ps aux | grep psybnc | grep s00p
>
> which will only list entries containing psybnc and s00p, in that order.
>
> -- Original message --
> From: Chuck Swiger [EMAIL PROTECTED]
>> Ofloo wrote:
>>> Can someone explain this to me!?
>>>
>>> spark# ps aux | grep psybnc | grep s00p
>>> s00p   8777  0.0  0.3 43096 5716 p1- S    Fri06PM  4:30.25 ./psybnc
>>> spark# su s00p
>>> -([EMAIL PROTECTED])-(19:56:45)
>>> -(~/)- ps aux
>>> USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED     TIME COMMAND
>>> s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
>>> s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux
>>
>> psybnc is an IRC relay agent; unless someone normally runs such things, having one of these processes appear but be invisible to top or normal invocations of ps is a possible indication that the system has been hacked.
>>
>> A typical pattern involves a user having their account password sniffed via wireless when reading email or whatever, and the attacker gains shell access to their email server (assuming it's a Unix system), and runs this. It includes a generic remote filesharing capability and some kind of port redirector ala netcat or SSH port forwarding, so the hacked machine can be used as a remote control channel to drive other compromised machines...
>>
>>> This came after a complaint from the user, who couldn't kill his process, because it wasn't visible in his session, and he didn't su!?
>>
>> However, I'm not sure whether the above is relevant, if your user was trying to run this IRC agent. :-)
>>
>> --
>> -Chuck

The user didn't grep at all; I just grepped as the root user to provide it, but it did show under the root user and not in user mode.

--
View this message in context: http://www.nabble.com/PS-is-not-showing-all-processes-owned-by-a-user-tf3835565.html#a10879924
Sent from the freebsd-questions mailing list archive at Nabble.com.
Re: PS is not showing all processes owned by a user
Chuck Swiger-2 wrote:
> Ofloo wrote:
>> Can someone explain this to me!?
>>
>> spark# ps aux | grep psybnc | grep s00p
>> s00p   8777  0.0  0.3 43096 5716 p1- S    Fri06PM  4:30.25 ./psybnc
>> spark# su s00p
>> -([EMAIL PROTECTED])-(19:56:45)
>> -(~/)- ps aux
>> USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED     TIME COMMAND
>> s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
>> s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux
>
> psybnc is an IRC relay agent; unless someone normally runs such things, having one of these processes appear but be invisible to top or normal invocations of ps is a possible indication that the system has been hacked.
>
> A typical pattern involves a user having their account password sniffed via wireless when reading email or whatever, and the attacker gains shell access to their email server (assuming it's a Unix system), and runs this. It includes a generic remote filesharing capability and some kind of port redirector ala netcat or SSH port forwarding, so the hacked machine can be used as a remote control channel to drive other compromised machines...
>
>> This came after a complaint from the user, who couldn't kill his process, because it wasn't visible in his session, and he didn't su!?
>
> However, I'm not sure whether the above is relevant, if your user was trying to run this IRC agent. :-)
>
> --
> -Chuck

No hacker would want to hide a process from a user; it might want to hide a process from the root user. Also, if the hacker was able to hide a process from a user, it would have needed access to the ps binary or the FreeBSD source tree on that system; having that access, the hacker would have tried other things and not hidden a bnc from just a user account.

--
View this message in context: http://www.nabble.com/PS-is-not-showing-all-processes-owned-by-a-user-tf3835565.html#a10879945
Sent from the freebsd-questions mailing list archive at Nabble.com.
Re: PS is not showing all processes owned by a user
Ofloo wrote:
[ ... ]
> No hacker would want to hide a process from a user; it might want to hide a process from the root user.

Well, from all users-- agreed.

> Also, if the hacker was able to hide a process from a user, it would have needed access to the ps binary or the FreeBSD source tree on that system; having that access, the hacker would have tried other things and not hidden a bnc from just a user account.

Why, yes...at least, they'd certainly try to do so.

--
-Chuck
Re: PS is not showing all processes owned by a user
Written by Ofloo on 05/30/07 13:38
> Chuck Swiger-2 wrote:
>> Ofloo wrote:
>>> Can someone explain this to me!?
>>>
>>> spark# ps aux | grep psybnc | grep s00p
>>> s00p   8777  0.0  0.3 43096 5716 p1- S    Fri06PM  4:30.25 ./psybnc
>>> spark# su s00p
>>> -([EMAIL PROTECTED])-(19:56:45)
>>> -(~/)- ps aux
>>> USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED     TIME COMMAND
>>> s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
>>> s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux
>>
>> psybnc is an IRC relay agent; unless someone normally runs such things, having one of these processes appear but be invisible to top or normal invocations of ps is a possible indication that the system has been hacked.
>>
>> A typical pattern involves a user having their account password sniffed via wireless when reading email or whatever, and the attacker gains shell access to their email server (assuming it's a Unix system), and runs this. It includes a generic remote filesharing capability and some kind of port redirector ala netcat or SSH port forwarding, so the hacked machine can be used as a remote control channel to drive other compromised machines...
>>
>>> This came after a complaint from the user, who couldn't kill his process, because it wasn't visible in his session, and he didn't su!?
>>
>> However, I'm not sure whether the above is relevant, if your user was trying to run this IRC agent. :-)
>>
>> --
>> -Chuck
>
> No hacker would want to hide a process from a user; it might want to hide a process from the root user. Also, if the hacker was able to hide a process from a user, it would have needed access to the ps binary or the FreeBSD source tree on that system; having that access, the hacker would have tried other things and not hidden a bnc from just a user account.

Not necessarily.

I've had firsthand experience with a box that was compromised specifically to run a BNC so the abuser could mask his true location when being mischievous. In that regard, it suffices simply to hide the process from the compromised user account to keep the owner unaware anything has happened.
PS is not showing all processes owned by a user
Can someone explain this to me!?

spark# ps aux | grep psybnc | grep s00p
s00p   8777  0.0  0.3 43096 5716 p1- S    Fri06PM  4:30.25 ./psybnc
spark# su s00p
-([EMAIL PROTECTED])-(19:56:45)
-(~/)- ps aux
USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED     TIME COMMAND
s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux

--
View this message in context: http://www.nabble.com/PS-is-not-showing-all-processes-owned-by-a-user-tf3835565.html#a10859328
Sent from the freebsd-questions mailing list archive at Nabble.com.
Re: PS is not showing all processes owned by a user
You su'd to this account, so a new process was spawned under that UID. ps works as intended.

Sorry for the top-post, doing the early morning commute again and this mail client on my Nokia is rather stubborn on where I put a reply.

Cheers, Paul.

On 5/30/07, Ofloo [EMAIL PROTECTED] wrote:
> Can someone explain this to me!?
>
> spark# ps aux | grep psybnc | grep s00p
> s00p   8777  0.0  0.3 43096 5716 p1- S    Fri06PM  4:30.25 ./psybnc
> spark# su s00p
> -([EMAIL PROTECTED])-(19:56:45)
> -(~/)- ps aux
> USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED     TIME COMMAND
> s00p  67431  4.0  0.1  4660 2828 pd  S    7:56PM   0:00.05 _su (tcsh)
> s00p  67438  0.0  0.0  1420  908 pd  R+   7:56PM   0:00.00 ps aux

--
Regards, Paul Fraser