Ofloo wrote:
> Can someone explain this to me!?
> spark# ps aux | grep psybnc | grep s00p
> s00p 8777 0.0 0.3 43096 5716 p1- S Fri06PM 4:30.25 ./psybnc
> spark# su s00p
> -([EMAIL PROTECTED])-(19:56:45)
> -(~/)-> ps aux
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
> s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
psybnc is an IRC relay agent; unless someone normally runs such things, having
one of these processes appear but be "invisible" to top or normal invocations
of ps is a possible indication that the system has been hacked.
A typical pattern involves a user having their account password sniffed via
wireless when reading email or whatever, and the attacker gains shell access
to their email server (assuming it's a Unix system), and runs this. It
includes a generic remote filesharing capability and some kind of port
redirector a la netcat or SSH port forwarding, so the hacked machine can be
used as a remote control channel to drive other compromised machines...
> This came after a complaint from the user, who couldn't kill his process,
> because it wasn't visible in his session, and he didn't su!?
However, I'm not sure whether the above is relevant, if your user was trying
to run this IRC agent. :-)
--
-Chuck
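One way to test the hypothesis in Chuck's reply (a process the kernel is running but ps will not show) is to probe PIDs with kill -0 and compare the result with what ps reports. This is an added example, not code from the thread; the scan range and the use of "ps -p" are assumptions about the system.

```shell
#!/bin/sh
# Added example, not part of the original thread. Cross-checks the process
# table two ways: the PIDs ps reports versus the PIDs the kernel admits exist
# (probed with "kill -0", which delivers no signal). A PID the kernel knows
# but ps omits is the symptom described above and points at a trojaned ps or
# a process-hiding kernel module. Assumes a POSIX sh with ps and kill; the
# default scan range 1..99999 is an assumption, adjust it to your pid_max.

# pid_exists PID: succeeds if the kernel has a process with that PID.
# kill -0 fails with EPERM on another user's process, which still means the
# PID exists, so only ESRCH ("No such process") counts as absent.
pid_exists() {
    err=$(LC_ALL=C kill -0 "$1" 2>&1) && return 0
    case "$err" in
        *"No such process"*) return 1 ;;
        *) return 0 ;;   # EPERM or similar: the process is there
    esac
}

# ps_lists PID: succeeds if ps is willing to show that PID.
ps_lists() {
    ps -p "$1" -o pid= 2>/dev/null | grep -q "^ *$1\$"
}

# hidden_pids [FROM] [TO]: print every PID in the range that the kernel
# admits but ps does not list. Run as root so that ps is allowed to see all
# users' processes; otherwise see_other_uids restrictions look like hiding.
# Caveat: on Linux, kill -0 also accepts thread IDs, so confirm a hit by
# checking that Tgid equals Pid in /proc/<pid>/status before acting on it.
hidden_pids() {
    pid=${1:-1}
    last=${2:-99999}
    while [ "$pid" -le "$last" ]; do
        if pid_exists "$pid" && ! ps_lists "$pid"; then
            echo "$pid"
        fi
        pid=$((pid + 1))
    done
}

# Typical run on the box from the thread, as root: hidden_pids 1 99999
```

A non-empty result means ps and the kernel disagree; compare the binary with a known-good ps (or a package checksum) before trusting anything else that ps prints on that host.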
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions