Chuck Swiger-2 wrote:
>
> Ofloo wrote:
>> Can someone explain this to me!?
>>
>> spark# ps aux | grep psybnc | grep s00p
>> s00p 8777 0.0 0.3 43096 5716 p1- S Fri06PM 4:30.25 ./psybnc
>>
>> spark# su s00p
>> -([EMAIL PROTECTED])-(19:56:45)
>> -(~/)-> ps aux
>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>> s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
>> s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
>
> psybnc is an IRC relay agent; unless someone normally runs such things, having
> one of these processes appear but be "invisible" to top or normal invocations
> of ps is a possible indication that the system has been hacked.
>
> A typical pattern involves a user having their account password sniffed via
> wireless when reading email or whatever, and the attacker gains shell access
> to their email server (assuming it's a Unix system), and runs this. It
> includes a generic remote filesharing capability and some kind of port
> redirector a la netcat or SSH port forwarding, so the hacked machine can be
> used as a remote control channel to drive other compromised machines...
>
>> This came after a complaint from the user, who couldn't kill his process,
>> because it wasn't visible in his session, and he didn't su!?
>
> However, I'm not sure whether the above is relevant, if your user was trying
> to run this IRC agent. :-)
>
> --
> -Chuck
>
> _______________________________________________
> firstname.lastname@example.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
No hacker would want to hide a process from a user; it might want to hide a process from the root user. Also, if the hacker was able to hide a process from a user, it would have needed access to the ps binary or the FreeBSD source tree on that system; having that access, the hacker would have tried other things and not hidden a bnc from just a user account.

--
View this message in context: http://www.nabble.com/PS-is-not-showing-all-processes-owned-by-a-user-tf3835565.html#a10879945
Sent from the freebsd-questions mailing list archive at Nabble.com.
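The practical check both posters are circling around is to compare what ps(1) shows against an independent view of the process table, and to compare the root view against the user's own view. The script below is an added example and is not code from either poster or from FreeBSD. It parses `ps aux`-style output as pasted in the thread (the two samples are constructed from the figures above, with a header line added to the root sample that the original `grep` pipeline stripped), reports PIDs owned by a user that the user's own `ps` did not list, and includes a live cross-check against `/proc`. The live part assumes a Linux-style procfs; on FreeBSD procfs is not mounted by default, so `procstat -a` or `sysctl kern.proc.all` would be the independent source instead.

```python
"""Cross-check process visibility: ps(1) output versus an independent view.

Added example for the "PS is not showing all processes" thread; not code
from the original posts. The live check assumes a Linux-style /proc
(an assumption; FreeBSD would use `procstat -a` instead).
"""
import os
import subprocess
from typing import Dict, List, Set

# Constructed from the figures in the thread. The header line was added to the
# root-side sample because the original command piped `ps aux` through grep.
ROOT_VIEW = """USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
s00p 8777 0.0 0.3 43096 5716 p1- S Fri06PM 4:30.25 ./psybnc
"""

USER_VIEW = """USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
s00p 67431 4.0 0.1 4660 2828 pd S 7:56PM 0:00.05 _su (tcsh)
s00p 67438 0.0 0.0 1420 908 pd R+ 7:56PM 0:00.00 ps aux
"""


def parse_ps_aux(text: str) -> List[Dict[str, str]]:
    """Parse `ps aux`-style output into one dict per row, keyed by header name.

    Only the last column (COMMAND) may contain spaces, so each row is split
    into exactly len(header) fields and the remainder is kept whole.
    """
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows: List[Dict[str, str]] = []
    for line in lines[1:]:
        parts = line.split(None, len(header) - 1)
        if len(parts) != len(header):
            continue  # skip wrapped or garbled lines rather than misparse them
        rows.append(dict(zip(header, parts)))
    return rows


def check_user_view(root_view: str, user_view: str, user: str) -> Set[int]:
    """PIDs that root's ps attributes to `user` but the user's own ps omitted.

    Transient processes in the user's snapshot (the su shell, ps itself) do
    not matter here: only what root saw and the user did not is reported.
    """
    owned = {int(r["PID"]) for r in parse_ps_aux(root_view) if r["USER"] == user}
    seen = {int(r["PID"]) for r in parse_ps_aux(user_view)}
    return owned - seen


def hidden_pids(ps_pids: Set[int], kernel_pids: Set[int]) -> Set[int]:
    """PIDs present in the kernel's table but absent from ps(1) output."""
    return set(kernel_pids) - set(ps_pids)


def kernel_pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """Enumerate PIDs straight from procfs (assumed Linux-style layout)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def ps_pids_live() -> Set[int]:
    """PIDs according to ps(1), every process, PID column only, no header."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def live_check() -> Set[int]:
    """Two snapshots, intersected, so a process that starts or exits between
    the ps run and the /proc listing is not reported as hidden."""
    first = hidden_pids(ps_pids_live(), kernel_pids_from_proc())
    second = hidden_pids(ps_pids_live(), kernel_pids_from_proc())
    return first & second


if __name__ == "__main__":
    print("owned by s00p but missing from the user's ps:",
          sorted(check_user_view(ROOT_VIEW, USER_VIEW, "s00p")))
    if os.path.isdir("/proc"):
        print("PIDs in /proc but not in ps on this host:", sorted(live_check()))
```

A non-empty result from `live_check()` on a host where nothing else is unusual deserves attention, since a modified `ps` or kernel is the usual way a PID ends up in the process table but not in the listing; an empty result does not prove the opposite, because a kernel-level hider can filter procfs as well as `ps`.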