Chuck Swiger-2 wrote:
> Ofloo wrote:
>> Can someone explain this to me!?
>> spark# ps aux | grep psybnc | grep s00p
>> s00p        8777  0.0  0.3 43096  5716  p1- S    Fri06PM   4:30.25
>> ./psybnc
>> spark# su s00p
>> -([EMAIL PROTECTED])-(19:56:45)
>> -(~/)-> ps aux
>> s00p 67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
>> s00p 67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux
> psybnc is an IRC relay agent; unless someone normally runs such things,
> having one of these processes appear but be "invisible" to top or normal
> invocations of ps is a possible indication that the system has been hacked.
> A typical pattern involves a user having their account password sniffed
> via wireless when reading email or whatever, and the attacker gains shell
> access to their email server (assuming it's a Unix system), and runs this.  It
> includes a generic remote filesharing capability and some kind of port
> redirector ala netcat or SSH port forwarding, so the hacked machine can be
> used as a remote control channel to drive other compromised machines...
>> This came after a complaint from the user, who couldn't kill his process,
>> because it wasn't visible in his session, and he didn't su !?
> However, I'm not sure whether the above is relevant, if your user was
> trying to run this IRC agent.  :-)
> -- 
> -Chuck
> _______________________________________________
> mailing list
> To unsubscribe, send any mail to

No hacker would want to hide a process from a user; it might want to hide a
process from the root user. Also, if the hacker was able to hide a process from a
user, it would have needed access to the ps binary or the FreeBSD source tree on that
system, and having that access the hacker would have tried other things and not
hidden a bnc from just a user account.

Sent from the freebsd-questions mailing list archive at
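The check the thread is circling around, written out as an added example (this is not code from the thread, from the poster, or from FreeBSD): take the process table as root, take it again as the affected user, and report the user's own processes that root lists but the user does not. It assumes FreeBSD ps(1) accepting `-o pid= -o user= -o command=` and su(1) passing `-c` through to the user's shell; the sample listings below are constructed to mirror the ones in the thread, not captured from a real host.

```sh
#!/bin/sh
# Added example: spot processes owned by USER that root's ps lists but the
# user's own ps does not. Assumes FreeBSD ps(1)/su(1) option syntax.

# hidden_pids USER ROOT_VIEW USER_VIEW
# Each view is newline-separated "pid owner command" lines. Prints every
# line of ROOT_VIEW owned by USER whose pid is absent from USER_VIEW.
hidden_pids() {
    user=$1
    root_view=$2
    user_view=$3
    printf '%s\n' "$root_view" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        pid=${line%% *}                 # first field: pid
        rest=${line#* }
        owner=${rest%% *}               # second field: owning user
        [ "$owner" = "$user" ] || continue
        # grep -q exits non-zero when the pid is missing from the user's view
        if ! printf '%s\n' "$user_view" | grep -q "^$pid "; then
            printf '%s\n' "$line"
        fi
    done
}

# Snapshot the process table as root, then again as USER through su(1), and
# diff them. Run as root. The sed strips the padding ps puts before short pids.
compare_live_views() {
    user=$1
    root_view=$(ps ax -o pid= -o user= -o command= | sed 's/^ *//')
    user_view=$(su "$user" -c 'ps ax -o pid= -o user= -o command=' | sed 's/^ *//')
    hidden_pids "$user" "$root_view" "$user_view"
}

# Constructed sample modelled on the listings in the thread (not captured
# from a real system): root sees psybnc as pid 8777, the user does not.
SAMPLE_ROOT_VIEW='8777 s00p ./psybnc
67431 s00p _su (tcsh)
67438 s00p ps aux
1 root /sbin/init'
SAMPLE_USER_VIEW='67431 s00p _su (tcsh)
67438 s00p ps aux'

# Against the constructed sample this prints "8777 s00p ./psybnc".
hidden_pids s00p "$SAMPLE_ROOT_VIEW" "$SAMPLE_USER_VIEW"
```

Restricting the comparison to processes owned by the user matters on FreeBSD: with the sysctl security.bsd.see_other_uids set to 0 an unprivileged ps hides every other user's processes, which would otherwise flood the diff with false positives. A non-empty result for the user's own processes is the condition the thread describes and is worth investigating before deciding whether it is a compromise or a misconfiguration.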