PS is not showing all processes owned by a user

Chuck Swiger cswiger at mac.com
Wed May 30 17:07:48 UTC 2007


Ofloo wrote:
> Can someone explain this to me!?
> 
> spark# ps aux | grep psybnc | grep s00p
> s00p        8777  0.0  0.3 43096  5716  p1- S    Fri06PM   4:30.25 ./psybnc
> 
> spark# su s00p
> -(s00p at spark.ofloo.net)-(19:56:45)
> -(~/)-> ps aux
> USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
> s00p 67431  4.0  0.1  4660  2828  pd  S     7:56PM   0:00.05 _su (tcsh)
> s00p 67438  0.0  0.0  1420   908  pd  R+    7:56PM   0:00.00 ps aux

psybnc is an IRC relay agent; unless someone normally runs such things, having 
one of these processes appear but be "invisible" to top or normal invocations 
of ps is a possible indication that the system has been hacked.

A typical pattern involves a user having their account password sniffed via 
wireless when reading email or whatever, and the attacker gains shell access 
to their email server (assuming it's a Unix system), and runs this.  It 
includes a generic remote filesharing capability and some kind of port 
redirector a la netcat or SSH port forwarding, so the hacked machine can be 
used as a remote control channel to drive other compromised machines...

> This came after a complaint from the user, who couldn't kill his process,
> because it wasn't visible in his session, and he didn't su!?

However, I'm not sure whether the above is relevant, if your user was trying 
to run this IRC agent.  :-)

-- 
-Chuck
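The check a practitioner would run after reading the above, added here as an example and not part of the original thread: sweep the PID space with kill -0 and compare it with what ps reports. kill(2) and ps consult the process table by different routes, so a PID that answers kill -0 but is still missing from ps -p on a second look is a process ps is not showing. Run as the affected user (s00p in the thread), it lists every PID that user is permitted to signal but cannot see; run as root, it is the classic test for a trojaned ps or top. The 99999 upper bound is FreeBSD's PID_MAX; on Linux the limit in /proc/sys/kernel/pid_max is usually larger and should be passed as the first argument. The thread-group check against /proc/PID/status is a Linux accommodation (kill(2) there also accepts thread IDs that ps ax never lists) and is skipped where that file does not exist. Function names and the output format are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: find processes that exist
# according to kill(2) but are missing from ps output. A PID that answers
# kill -0 and is still absent from "ps -p" on a second look is a process
# ps is not showing you.

# PIDs that ps reports, one per line, numeric only, de-duplicated.
# "ps ax -o pid=" is accepted by both FreeBSD ps and Linux procps.
pids_from_ps() {
    ps ax -o pid= | tr -d ' \t' | grep -E '^[0-9]+$' | sort -n | uniq
}

# Linux's kill(2) also accepts thread IDs, which "ps ax" never lists, so a
# PID only counts as a process if it is its own thread-group leader.
# Without a Linux-style /proc/PID/status (FreeBSD, or a PID hidden from
# procfs) every PID counts, which keeps a hidden process in the candidate set.
is_process_pid() {
    [ -r "/proc/$1/status" ] || return 0
    tgid=$(awk '/^Tgid:/ { print $2; exit }' "/proc/$1/status")
    [ -z "$tgid" ] || [ "$tgid" = "$1" ]
}

# PIDs in [LO, HI] for which kill -0 succeeds: the process exists and we
# may signal it (our own processes, or all of them when run as root).
# kill is a shell builtin, so the sweep does not fork per PID; stderr is
# discarded for the whole function to silence "No such process".
pids_from_kill() {
    lo=${1:-1} hi=${2:-99999}
    i=$lo
    while [ "$i" -le "$hi" ]; do
        if kill -0 "$i" && is_process_pid "$i"; then
            echo "$i"
        fi
        i=$((i + 1))
    done
} 2>/dev/null

# Given two newline-separated lists (PIDs ps listed, PIDs kill found),
# print the PIDs that are alive but unlisted.
hidden_pids() {
    printf '%s\n' "$2" | awk -v listed="$1" '
        BEGIN {
            n = split(listed, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
        }
        $1 != "" && !($1 in seen) { print $1 }'
}

# Re-check each candidate to drop processes that merely started after the
# ps snapshot: a real anomaly is still alive and still absent from ps -p.
confirm_hidden() {
    for p in $1; do
        if kill -0 "$p" 2>/dev/null && [ -z "$(ps -p "$p" -o pid=)" ]; then
            echo "$p"
        fi
    done
}

# Sweep 1..TOP, report confirmed hidden PIDs, return 1 if any were found.
# 99999 is FreeBSD's PID_MAX; on Linux pass $(cat /proc/sys/kernel/pid_max).
scan_hidden() {
    top=${1:-99999}
    cand=$(hidden_pids "$(pids_from_ps)" "$(pids_from_kill 1 "$top")")
    found=$(confirm_hidden "$cand")
    if [ -n "$found" ]; then
        echo "PIDs alive but not shown by ps:"
        for p in $found; do echo "  $p"; done
        return 1
    fi
    echo "no hidden processes found in 1..$top"
}

# Run the sweep when executed directly: sh hidden-pids.sh [TOP]
scan_hidden "${1:-99999}"
```

Two caveats before acting on a hit. FreeBSD's security.bsd.see_other_uids=0 legitimately hides other users' processes from an unprivileged ps, so run the sweep as root or as the owning user before calling anything hidden. And a kernel-level rootkit that filters kill(2) as well as the process listing defeats the comparison entirely, so an empty result rules out a tampered ps binary, not a compromised kernel.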
More information about the freebsd-questions mailing list