[cobalt-security] Unusual ps command output
- Subject: [cobalt-security] Unusual ps command output
- From: "Chris Moreton" <chrismo2002@xxxxxxxxxxx>
- Date: Sun, 11 Nov 2001 22:50:59 +0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi,
I periodically send myself a file from my RaQ4 built up of output from the
"ps -efw" command built up throughout the day. Normally, I get output in the
form
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Nov08 ? 00:00:04 init
root 2 1 0 Nov08 ? 00:00:15 [kflushd]
root 3 1 0 Nov08 ? 00:00:18 [kupdate]
root 4 1 0 Nov08 ? 00:00:00 [kpiod]
etcetera...
But today I got the output below. What strikes me is that the headings are
different and the appearance of the name "r00t". My server has been
compromised twice recently, and on each occasion I have noticed that the "ps
-ef" command has produced minimal output like below and that in order to get
what I expect I need to do "ps -aux".
On both these occasions I rebuilt the server and applied all the security
patches from Cobalt. Also, being very paranoid, I turned off all the FTP,
DNS and Email services and my ISP closed all unnecessary ports following the
rebuild.
Does anyone know how to explain this?
PID TTY STAT TIME COMMAND
11301 p0 S 0:00 -sh HOME=/root USER=root LOGNAME=root
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/bin MAIL=/var/spool/mail/root
SHELL=/bin/sh SSH_CLIENT=1
23216 p0 S 0:00 \_ sh ./r00t 194 105 LESSOPEN=|/usr/bin/lesspipe.sh %s
HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0
MAIL=/v
23230 p0 R 10:01 \_ ./scan 194 53 105 LESSOPEN=|/usr/bin/lesspipe.sh
%s HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0
MAI
30013 p1 S 0:00 -sh HOME=/root USER=root LOGNAME=root
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/bin MAIL=/var/spool/mail/root
SHELL=/bin/sh SSH_CLIENT=2
Thanks,
Chris
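The listing above mixes two things a defender wants to separate: the heading change (a SysV-style "UID PID PPID" header from "ps -ef" versus a BSD-style "PID TTY STAT" header from "ps aux"/"ps axf"), and the content of the processes themselves. The script below is an added example, not code from the poster or the Cobalt list: it rejoins mail-wrapped ps lines, strips the appended environment dump, reports which header style a saved snapshot used, and flags any process that runs an executable by relative path ("./name") from a login shell, noting whether that shell's environment shows an SSH session. The SAMPLE_PS text is a constructed sample modelled on the listing in the post; the heuristics, dataclass fields and function names are this example's own assumptions and would be tuned against real snapshots.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the listing in the post (not the real capture).
SAMPLE_PS = r"""PID TTY STAT TIME COMMAND
11301 p0 S 0:00 -sh HOME=/root USER=root LOGNAME=root
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/bin MAIL=/var/spool/mail/root
SHELL=/bin/sh SSH_CLIENT=1
23216 p0 S 0:00 \_ sh ./r00t 194 105 LESSOPEN=|/usr/bin/lesspipe.sh %s
HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0
23230 p0 R 10:01 \_ ./scan 194 53 105 LESSOPEN=|/usr/bin/lesspipe.sh
%s HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0
30013 p1 S 0:00 -sh HOME=/root USER=root LOGNAME=root
SHELL=/bin/sh SSH_CLIENT=2
"""

# A record line in BSD-style output: PID TTY STAT TIME COMMAND...
RECORD_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+:\d+)\s+(.*)$")
# First VAR= token marks where the environment dump (ps 'e' option) begins.
ENV_RE = re.compile(r"(?:^|\s)[A-Z_][A-Z0-9_]*=")
# Something executed by relative path, e.g. "./scan".
RELATIVE_EXEC_RE = re.compile(r"(?:^|\s)\./\S+")


@dataclass
class Proc:
    pid: int
    tty: str
    stat: str
    command: str               # argv as printed, environment dump removed
    env: str                   # trailing VAR=value dump, empty if absent
    parent_pid: Optional[int]  # inferred from the '\_' forest marker (assumption)


def header_style(text: str) -> str:
    """'sysv' for a UID/PID/PPID header (ps -ef), 'bsd' for PID/TTY/STAT (ps aux)."""
    cols = text.splitlines()[0].split()
    if "PPID" in cols:
        return "sysv"
    if "STAT" in cols:
        return "bsd"
    return "unknown"


def unwrap(text: str) -> List[str]:
    """Rejoin lines the mailer wrapped: a real record starts with a PID."""
    records: List[str] = []
    for line in text.splitlines()[1:]:  # skip the header line
        if RECORD_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records


def parse(text: str) -> List[Proc]:
    """Turn a BSD-style forest listing into Proc records."""
    procs: List[Proc] = []
    last_top: Optional[int] = None  # most recent process printed without '\_'
    for rec in unwrap(text):
        pid, tty, stat, _time, rest = RECORD_RE.match(rec).groups()
        is_child = rest.startswith(r"\_")
        if is_child:
            rest = rest[2:].lstrip()
        m = ENV_RE.search(rest)
        command = rest[: m.start()].strip() if m else rest.strip()
        env = rest[m.start():].strip() if m else ""
        procs.append(Proc(int(pid), tty, stat, command, env,
                          last_top if is_child else None))
        if not is_child:
            last_top = int(pid)
    return procs


def flag_relative_execs(procs: List[Proc]) -> List[dict]:
    """Report processes that run something by relative path, with the shell that
    spawned them and whether that shell's environment shows an SSH session."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if not RELATIVE_EXEC_RE.search(p.command):
            continue
        parent = by_pid.get(p.parent_pid) if p.parent_pid else None
        findings.append({
            "pid": p.pid,
            "command": p.command,
            "parent_pid": p.parent_pid,
            "parent_is_login_shell": bool(parent and parent.command.startswith("-")),
            "remote_session": bool(parent and "SSH_CLIENT=" in parent.env),
        })
    return findings


if __name__ == "__main__":
    print("header style:", header_style(SAMPLE_PS))
    for finding in flag_relative_execs(parse(SAMPLE_PS)):
        print(finding)
```

Run against the constructed sample, header_style() reports "bsd", and both "sh ./r00t 194 105" and "./scan 194 53 105" are flagged as relative-path executions under a login shell whose environment carries SSH_CLIENT. Comparing header_style() across daily captures is the cheap check for the poster's first observation: if the same cron job suddenly produces a differently shaped listing, the ps command or binary producing it has changed, which is worth verifying against known-good package checksums before trusting anything else it prints.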