
[cobalt-security] Unusual ps command output



Hi,

I periodically send myself a file from my RaQ4 built up of output from the "ps -efw" command built up throughout the day. Normally, I get output in the form

UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Nov08 ?        00:00:04 init
root         2     1  0 Nov08 ?        00:00:15 [kflushd]
root         3     1  0 Nov08 ?        00:00:18 [kupdate]
root         4     1  0 Nov08 ?        00:00:00 [kpiod]

etcetera...

But today I got the output below. What strikes me is that the headings are different and the appearance of the name "r00t". My server has been compromised twice recently, and on each occasion I have noticed that the "ps -ef" command has produced minimal output like below and that in order to get what I expect I need to do "ps -aux".

On both these occasions I rebuilt the server and applied all the security patches from cobalt. Also, being very paranoid, I turned off all the FTP, DNS and Email services and my ISP closed all unnecessary ports following the rebuild.

Does anyone know how to explain this?

  PID TTY STAT  TIME COMMAND
11301  p0 S     0:00 -sh HOME=/root USER=root LOGNAME=root PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/bin MAIL=/var/spool/mail/root SHELL=/bin/sh SSH_CLIENT=1
23216  p0 S     0:00  \_ sh ./r00t 194 105 LESSOPEN=|/usr/bin/lesspipe.sh %s HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0 MAIL=/v
23230  p0 R    10:01  \_ ./scan 194 53 105 LESSOPEN=|/usr/bin/lesspipe.sh %s HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0 MAI
30013  p1 S     0:00 -sh HOME=/root USER=root LOGNAME=root PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/bin MAIL=/var/spool/mail/root SHELL=/bin/sh SSH_CLIENT=2

Thanks,
Chris
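A ps binary whose output format changes on its own, as described in the post, is a classic sign that the binary has been replaced. The following script is an added example (not part of the original post or of the Cobalt software) that checks for that from a defender's side: it compares the PIDs ps reports against the directories in /proc, which a user-space trojan cannot filter, and verifies the ps binary against the RPM database. It assumes a Linux host with /proc mounted; the rpm check and the sha1sum fallback are assumptions about the tools available.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the PIDs that ps
# reports against the kernel's own list in /proc. A replaced ps binary can
# drop entries (or change its column layout, as in the post) but cannot edit
# /proc, so a PID present there yet absent from ps output deserves a look.
# Assumes Linux with /proc mounted; the package check assumes an RPM-based
# system such as the Cobalt RaQ and falls back to a plain checksum.

# proc_pids: every numeric directory under /proc, one PID per line.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done | LC_ALL=C sort
}

# ps_pids: every PID that the ps binary itself is willing to show.
ps_pids() {
    ps -e -o pid= | tr -d ' ' | LC_ALL=C sort
}

# hidden_pids: PIDs seen in /proc but missing from ps output. Candidates are
# re-checked so that processes which merely exited between the two snapshots
# (including the helpers this script spawns) are not reported.
hidden_pids() {
    a=$(mktemp) && b=$(mktemp) || return 1
    proc_pids > "$a"
    ps_pids > "$b"
    for pid in $(LC_ALL=C comm -23 "$a" "$b"); do
        [ -d "/proc/$pid" ] && printf '%s\n' "$pid"
    done
    rm -f "$a" "$b"
}

# ps_integrity: verify the ps binary against the package database when rpm
# is available (rpm -Vf prints nothing for an unmodified file); otherwise
# print a checksum to compare against a known-good copy.
ps_integrity() {
    bin=$(command -v ps) || { echo "ps not found in PATH" >&2; return 1; }
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$bin"
    else
        sha1sum "$bin"
    fi
}

# Run both checks; an empty first section means ps and /proc agree.
echo "== PIDs in /proc but not in ps output =="; hidden_pids
echo "== ps binary integrity =="; ps_integrity || echo "(could not verify)"
```

A PID that shows up in the first section on two consecutive runs, or any line from rpm -Vf against the ps binary, is the point at which to treat the host as compromised and compare against a known-clean copy of procps rather than trusting its output further.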
