skimpydog.com Forum Index
   Fighting Virii
  Finding the culprit(s)
Finding the culprit(s)
#1
Webmaster
Joined: 2007/6/10
From Dallas, TX
Posts: 79
To know what exactly your server is doing is key to being a server administrator.

Preventing others from being able to gain root privileges, and being able to lock down a single user account together with its respective service, is very important; and being able to find out which account is responsible for the exploit is priceless.


There are methods to find out what is running, and where it is running from.
- This is the same for all Unix variants (Red Hat, Fedora, CentOS, Gentoo, Debian, SUSE, etc....).


A few applications that I believe every Linux/UNIX box should have are:

grep - print lines matching a pattern
lsof - List Open Files
netstat - Print network connections, routing tables, interface statistics, masquerade connections, multicast memberships, and PID
ps - report a snapshot of the current processes
top - display Linux tasks
kill - terminate a process
killall - kill processes by name
pkill - look up or signal processes based on name and other attributes
htop - interactive process viewer
nmap - Network exploration tool and security / port scanner

and depending on who you are speaking with they may even recommend others.


############################################


With that said, to know the OS you are dealing with is also extremely relevant to being able to properly determine if the specified process is running properly.


An example of seeing what your current processes are actually doing would be as follows:
lsof | grep cwd

This will show the list of open files, and the directory they are running in (cwd = current working directory).

Within its output, you may see something similar to the following:
[root@user-testbox logs]# lsof | grep cwd
init          1      root  cwd       DIR        3,2      4096          2 /
migration     2      root  cwd       DIR        3,2      4096          2 /
ksoftirqd     3      root  cwd       DIR        3,2      4096          2 /
watchdog/     4      root  cwd       DIR        3,2      4096          2 /
migration     5      root  cwd       DIR        3,2      4096          2 /
ksoftirqd     6      root  cwd       DIR        3,2      4096          2 /
watchdog/     7      root  cwd       DIR        3,2      4096          2 /
events/0      8      root  cwd       DIR        3,2      4096          2 /
events/1      9      root  cwd       DIR        3,2      4096          2 /
khelper      10      root  cwd       DIR        3,2      4096          2 /
kthread      11      root  cwd       DIR        3,2      4096          2 /
kblockd/0    15      root  cwd       DIR        3,2      4096          2 /
kblockd/1    16      root  cwd       DIR        3,2      4096          2 /
kacpid       17      root  cwd       DIR        3,2      4096          2 /
cqueue/0    106      root  cwd       DIR        3,2      4096          2 /
cqueue/1    107      root  cwd       DIR        3,2      4096          2 /
khubd       110      root  cwd       DIR        3,2      4096          2 /
kseriod     112      root  cwd       DIR        3,2      4096          2 /
hald-addo  2956 haldaemon  cwd       DIR        3,2      4096     196053 /usr/libexec
hald-addo  2967 haldaemon  cwd       DIR        3,2      4096     196053 /usr/libexec
hald-addo  2971 haldaemon  cwd       DIR        3,2      4096     196053 /usr/libexec
hald-addo  2981      root  cwd       DIR        3,2      4096     196053 /usr/libexec
modcluste  3062      root  cwd       DIR        3,2      4096          2 /
oddjobd    3118      root  cwd       DIR        3,2      4096          2 /
saslauthd  3149      root  cwd       DIR        3,3      4096     160011 /var/run/saslauthd
saslauthd  3150      root  cwd       DIR        3,3      4096     160011 /var/run/saslauthd
saslauthd  3151      root  cwd       DIR        3,3      4096     160011 /var/run/saslauthd
saslauthd  3152      root  cwd       DIR        3,3      4096     160011 /var/run/saslauthd
saslauthd  3153      root  cwd       DIR        3,3      4096     160011 /var/run/saslauthd
bash       4075  user  cwd       DIR        3,7      4096     983041 /home/user
su         4116      root  cwd       DIR        3,7      4096     983041 /home/user
httpd     22713      root  cwd       DIR        3,2      4096          2 /
httpd     22715    apache  cwd       DIR        3,2      4096          2 /
httpd     22716    apache  cwd       DIR        3,2      4096          2 /
httpd     22717    apache  cwd       DIR        3,2      4096          2 /
httpd     22718    apache  cwd       DIR        3,2      4096          2 /
httpd     22719    apache  cwd       DIR        3,2      4096          2 /
httpd     22720    apache  cwd       DIR        3,2      4096          2 /
httpd     22721    apache  cwd       DIR        3,2      4096          2 /


Within the results you can clearly see where the file is being executed from.

If the files are being executed from /tmp, this may potentially be a problem.


In such an instance, I would advise on issuing the command:
ls -la /tmp


Now you are viewing the files in /tmp.

Look for files owned by the nobody (apache user) process, and see if those files are legit.
--- How do I know if the files are legit??
----- If it is your server, you should know already.



As well, if the application is running from /tmp, and you see the script/application PID (Process ID), you may issue the command:
For example:
lsof -p 22721

This will yield all of the output for that process:
COMMAND   PID   USER   FD   TYPE     DEVICE    SIZE     NODE NAME
httpd   22721 apache  cwd    DIR        3,2    4096        2 /
httpd   22721 apache  rtd    DIR        3,2    4096        2 /
httpd   22721 apache  txt    REG        3,2  312372   210168 /usr/sbin/httpd
httpd   22721 apache  mem    REG        3,2  114992   208468 /usr/lib/libaprutil-1.so.0.2.7
httpd   22721 apache  mem    REG        3,2  133056  2944116 /lib/libexpat.so.0.5.0
httpd   22721 apache  mem    REG        3,2   15704  2940532 /lib/libuuid.so.1.2
httpd   22721 apache  mem    REG        3,2   76400  2943773 /lib/libresolv-2.5.so
httpd   22721 apache  mem    REG        3,2  600052   222205 /usr/lib/libkrb5.so.3.3
httpd   22721 apache  mem    REG        3,2  101404  2943755 /lib/libnsl-2.5.so
httpd   22721 apache  mem    REG        3,2    7748  2943775 /lib/libcom_err.so.2.1
httpd   22721 apache  mem    REG        3,2   75028   201259 /usr/lib/libz.so.1.2.3
httpd   22721 apache  mem    REG        3,2    7880  2943761 /lib/libkeyutils-1.2.so
httpd   22721 apache  mem    REG        3,2    9628   916550 /usr/lib/httpd/modules/mod_auth_basic.so
httpd   22721 apache  mem    REG        3,2    9632   916552 /usr/lib/httpd/modules/mod_authn_alias.so
httpd   22721 apache  mem    REG        3,2    5500   916553 /usr/lib/httpd/modules/mod_authn_anon.so
httpd   22721 apache  mem    REG        3,2    5500   916555 /usr/lib/httpd/modules/mod_authn_dbm.so
httpd   22721 apache  mem    REG        3,2  160436   208319 /usr/lib/libapr-1.so.0.2.7
httpd   22721 apache  mem    REG        3,2  190712   222231 /usr/lib/libgssapi_krb5.so.2.2
httpd   22721 apache  mem    REG        3,2  157304   222185 /usr/lib/libk5crypto.so.3.1
httpd   22721 apache  mem    REG        3,2    5504   916556 /usr/lib/httpd/modules/mod_authn_default.so
httpd   22721 apache  mem    REG        3,2    5500   916564 /usr/lib/httpd/modules/mod_authz_user.so
httpd   22721 apache  mem    REG        3,2    9600   916563 /usr/lib/httpd/modules/mod_authz_owner.so
httpd   22721 apache  mem    REG        3,2    9668   916561 /usr/lib/httpd/modules/mod_authz_groupfile.so
httpd   22721 apache  mem    REG        3,2    9628   916559 /usr/lib/httpd/modules/mod_authz_dbm.so
httpd   22721 apache  mem    REG        3,2    5472   916560 /usr/lib/httpd/modules/mod_authz_default.so
httpd   22721 apache  mem    REG        3,2   26112   916558 /usr/lib/httpd/modules/mod_authnz_ldap.so
httpd   22721 apache  mem    REG        3,2   42588   916585 /usr/lib/httpd/modules/mod_include.so
httpd   22721 apache  mem    REG        3,2   22084   916588 /usr/lib/httpd/modules/mod_log_config.so
httpd   22721 apache  mem    REG        3,2    5496   916577 /usr/lib/httpd/modules/mod_env.so
httpd   22721 apache  mem    REG        3,2   17980   916579 /usr/lib/httpd/modules/mod_ext_filter.so
httpd   22721 apache  mem    REG        3,2   17916   916573 /usr/lib/httpd/modules/mod_deflate.so
httpd   22721 apache  mem    REG        3,2    9660   916608 /usr/lib/httpd/modules/mod_usertrack.so
httpd   22721 apache  mem    REG        3,2    9660   916602 /usr/lib/httpd/modules/mod_setenvif.so
httpd   22721 apache  mem    REG        3,2   17912   916592 /usr/lib/httpd/modules/mod_mime.so
httpd   22721 apache  mem    REG        3,2   87928   916570 /usr/lib/httpd/modules/mod_dav.so
httpd   22721 apache  mem    REG        3,2   17880   916604 /usr/lib/httpd/modules/mod_status.so
httpd   22721 apache  mem    REG        3,2   17992   916586 /usr/lib/httpd/modules/mod_info.so
httpd   22721 apache  mem    REG        3,2    9632   916610 /usr/lib/httpd/modules/mod_vhost_alias.so
httpd   22721 apache  mem    REG        3,2   30336   916594 /usr/lib/httpd/modules/mod_negotiation.so
httpd   22721 apache  mem    REG        3,2    9592   916574 /usr/lib/httpd/modules/mod_dir.so
httpd   22721 apache  mem    REG        3,2    9628   918159 /usr/lib/httpd/modules/mod_actions.so
httpd   22721 apache  mem    REG        3,2    9660   916603 /usr/lib/httpd/modules/mod_speling.so
httpd   22721 apache  mem    REG        3,2    9628   916607 /usr/lib/httpd/modules/mod_userdir.so
httpd   22721 apache  mem    REG        3,2   13752   916548 /usr/lib/httpd/modules/mod_alias.so
httpd   22721 apache  mem    REG        3,2   67480   916595 /usr/lib/httpd/modules/mod_proxy.so
httpd   22721 apache  mem    REG        3,2   30364   916599 /usr/lib/httpd/modules/mod_proxy_ftp.so
httpd   22721 apache  mem    REG        3,2    9632   916598 /usr/lib/httpd/modules/mod_proxy_connect.so
httpd   22721 apache  mem    REG        3,2   30328   916566 /usr/lib/httpd/modules/mod_cache.so
httpd   22721 apache  mem    REG        3,2    5496   916605 /usr/lib/httpd/modules/mod_suexec.so
httpd   22721 apache  mem    REG        3,2   17916   916575 /usr/lib/httpd/modules/mod_disk_cache.so
httpd   22721 apache  mem    REG        3,2    9772   916580 /usr/lib/httpd/modules/mod_file_cache.so
httpd   22721 apache  mem    REG        3,2   22076   916591 /usr/lib/httpd/modules/mod_mem_cache.so
httpd   22721 apache  mem    REG        3,2   22136   916568 /usr/lib/httpd/modules/mod_cgi.so
httpd   22721 apache  mem    REG        3,2 1009712  2944126 /lib/libdb-4.3.so
httpd   22721 apache  mem    REG        3,2    4324   209569 /usr/lib/libpspell.so.15.1.3
httpd   22721 apache  mem    REG        3,2   15716   199123 /usr/lib/libdistcache.so.1.0.1
httpd   22721 apache  mem    REG        3,2   34428   916565 /usr/lib/httpd/modules/mod_autoindex.so
httpd   22721 apache  mem    REG        3,2  213032   918023 /usr/lib/httpd/modules/mod_perl.so
httpd   22721 apache  mem    REG        3,2   16428  2940504 /lib/libdl-2.5.so
httpd   22721 apache  mem    REG        3,2  881927   216979 /usr/lib/sse2/libgmp.so.3.3.3
httpd   22721 apache  mem    REG        3,2   71852   212563 /usr/lib/libbz2.so.1.0.3
httpd   22721 apache  mem    REG        3,2   46548  2940528 /lib/libgcc_s-4.1.2-20080102.so.1
httpd   22721 apache  mem    REG        3,2   22016   916597 /usr/lib/httpd/modules/mod_proxy_balancer.so
httpd   22721 apache  mem    REG        3,2  248028   199960 /usr/lib/libcurl.so.3.0.0
httpd   22721 apache  mem    REG        3,2    5500   916609 /usr/lib/httpd/modules/mod_version.so
httpd   22721 apache  mem    REG        3,2  198584   199134 /usr/lib/libidn.so.11.5.19
httpd   22721 apache  mem    REG        3,2   30300   916596 /usr/lib/httpd/modules/mod_proxy_ajp.so
httpd   22721 apache  mem    REG        3,2   19948   224661 /usr/lib/php/modules/pdo_sqlite.so
httpd   22721 apache  mem    REG        3,2   45288  2940689 /lib/libcrypt-2.5.so
httpd   22721 apache  mem    REG        3,2   26236   916600 /usr/lib/httpd/modules/mod_proxy_http.so
httpd   22721 apache  mem    REG        3,2  167024   917750 /usr/lib/httpd/modules/mod_ssl.so
httpd   22721 apache  mem    REG        3,2  153384   201709 /usr/lib/libpng12.so.0.10.0
httpd   22721 apache  mem    REG        3,2   44204   216597 /usr/lib/php/modules/ldap.so
httpd   22721 apache  mem    REG        3,2   34148   222763 /usr/lib/libnal.so.1.0.1
httpd   22721 apache  mem    REG        3,2   82452   224631 /usr/lib/php/modules/pdo.so
httpd   22721 apache  mem    REG        3,2   15164  2944115 /lib/libutil-2.5.so
httpd   22721 apache  mem    REG        3,2  135716   219519 /usr/lib/libjpeg.so.62.0.0
httpd   22721 apache  mem    REG        3,2  385180   222627 /usr/lib/libsqlite3.so.0.8.6
httpd   22721 apache  mem    REG        3,2   46776   916571 /usr/lib/httpd/modules/mod_dav_fs.so
httpd   22721 apache  mem    REG        3,2   24360  1540119 /usr/lib/php/modules/snmp.so
httpd   22721 apache  mem    REG        3,2   32824   216984 /usr/lib/libwrap.so.0.7.6
httpd   22721 apache  mem    REG        3,2  208352  2944123 /lib/libm-2.5.so
httpd   22721 apache  mem    REG        3,2  770056   216978 /usr/lib/libaspell.so.15.1.3
httpd   22721 apache  mem    REG        3,2  106188   224821 /usr/lib/php/modules/mysqli.so
httpd   22721 apache  mem    REG        3,2   53776   221980 /usr/lib/liblber-2.3.so.0.2.15
httpd   22721 apache  mem    REG        3,2    5536   916590 /usr/lib/httpd/modules/mod_logio.so
httpd   22721 apache  mem    REG        3,2  240552   210592 /usr/lib/libldap-2.3.so.0.2.15
httpd   22721 apache  mem    REG        3,2 1597968  2942192 /lib/libc-2.5.so
httpd   22721 apache  mem    REG        3,2   46776   916587 /usr/lib/httpd/modules/mod_ldap.so
httpd   22721 apache  mem    REG        3,2   59196   916601 /usr/lib/httpd/modules/mod_rewrite.so
httpd   22721 apache  mem    REG        3,2    9660   916578 /usr/lib/httpd/modules/mod_expires.so
httpd   22721 apache  mem    REG        3,2   33648   221596 /usr/lib/libkrb5support.so.0.1
httpd   22721 apache  mem    REG        3,2  125736  2940519 /lib/ld-2.5.so
httpd   22721 apache  mem    REG        3,2   30272   916551 /usr/lib/httpd/modules/mod_auth_digest.so
httpd   22721 apache  mem    REG        3,2  125744  2944117 /lib/libpthread-2.5.so
httpd   22721 apache  mem    REG        3,2   13820   916582 /usr/lib/httpd/modules/mod_headers.so
httpd   22721 apache  mem    REG        3,2   93508  2943774 /lib/libselinux.so.1
httpd   22721 apache  mem    REG        3,2   46680  2940520 /lib/libnss_files-2.5.so
httpd   22721 apache  mem    REG        3,2   99028   222528 /usr/lib/libsasl2.so.2.0.22
httpd   22721 apache  mem    REG        3,2  281116  2943777 /lib/libssl.so.0.9.8b
httpd   22721 apache  mem    REG        3,2   23532   224867 /usr/lib/php/modules/pdo_mysql.so
httpd   22721 apache  mem    REG        3,2  242880  2943757 /lib/libsepol.so.1
httpd   22721 apache  mem    REG        3,2   93080   918157 /usr/lib/httpd/modules/mod_python.so
httpd   22721 apache  mem    REG        3,2   22348   916593 /usr/lib/httpd/modules/mod_mime_magic.so
httpd   22721 apache  mem    REG        3,2  118896  2943753 /lib/libpcre.so.0.0.1
httpd   22721 apache  mem    REG        3,2    5500   916557 /usr/lib/httpd/modules/mod_authn_file.so
httpd   22721 apache  mem    REG        3,2   28232   199964 /usr/lib/php/modules/dbase.so
httpd   22721 apache  mem    REG        3,2    9628   916562 /usr/lib/httpd/modules/mod_authz_host.so
httpd   22721 apache  mem    REG        3,2  331596   224666 /usr/lib/php/modules/gd.so
httpd   22721 apache  mem    REG        3,2   48996   224708 /usr/lib/php/modules/mysql.so
httpd   22721 apache  mem    REG        3,2  133868   199242 /usr/lib/libpq.so.4.1
httpd   22721 apache  mem    REG        3,2 1242192  2943776 /lib/libcrypto.so.0.9.8b
httpd   22721 apache  mem    REG        3,2 1241496   327625 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so
httpd   22721 apache  mem    REG        3,2 3006748   917704 /usr/lib/httpd/modules/libphp5.so
httpd   22721 apache  mem    REG        3,2 1453308   751470 /usr/lib/mysql/libmysqlclient.so.15.0.0
httpd   22721 apache  mem    REG        3,2 1136208   218564 /usr/lib/libpython2.4.so.1.0
httpd   22721 apache  mem    REG        3,2  936908   222168 /usr/lib/libstdc++.so.6.0.8
httpd   22721 apache  mem    REG        3,2  526896   219501 /usr/lib/libfreetype.so.6.3.10
httpd   22721 apache  mem    REG        3,2 1250176   222369 /usr/lib/libxml2.so.2.6.26
httpd   22721 apache  mem    REG        3,2  629464   217010 /usr/lib/libnetsnmp.so.10.0.1
httpd   22721 apache  DEL    REG        0,8         26037404 /dev/zero
httpd   22721 apache  DEL    REG        0,8         26037402 /dev/zero
httpd   22721 apache  DEL    REG        0,8         26037397 /dev/zero
httpd   22721 apache    0r   CHR        1,3             1258 /dev/null
httpd   22721 apache    1w   CHR        1,3             1258 /dev/null
httpd   22721 apache    2w   REG        3,3    5042   736130 /var/log/httpd/error_log
httpd   22721 apache    3r   CHR        1,9             1676 /dev/urandom
httpd   22721 apache    4u  IPv6   26037375              TCP *:http (LISTEN)
httpd   22721 apache    5u  sock        0,5         26037376 can't identify protocol
httpd   22721 apache    6u  IPv6   26037380              TCP *:https (LISTEN)
httpd   22721 apache    7u  sock        0,5         26037381 can't identify protocol
httpd   22721 apache    8r  FIFO        0,6         26037390 pipe
httpd   22721 apache    9w  FIFO        0,6         26037390 pipe
httpd   22721 apache   10w   REG        3,3    5042   736130 /var/log/httpd/error_log
httpd   22721 apache   11w   REG        3,3    1185   736131 /var/log/httpd/ssl_error_log
httpd   22721 apache   12w   REG        3,3   11498   736082 /var/log/httpd/access_log
httpd   22721 apache   13w   REG        3,3       0   736041 /var/log/httpd/ssl_access_log
httpd   22721 apache   14w   REG        3,3       0   736050 /var/log/httpd/ssl_request_log
httpd   22721 apache   15r  0000       0,10       0 26037413 eventpoll
httpd   22721 apache   17u  unix 0xcd730280         26038282 socket


Often within the results, you will be able to determine where the process is running from; in other words, if the apache process is doing something malicious, you should be able to determine within these results which user account is causing the issue (this is only if you are looking at the correct PID).


###################################

IRC botnets can be quite a hassle to overcome, and do not often gain root privileges.

Issuing the command:
netstat -nap | grep 666

can easily help you determine which process is running the botnet, and from those results, lsof -p the related process to see where the process is being executed from, and from there you may own it, and strip the permissions:
Owning:
chown -R root:root /path/to/file-or-directory-to/own

Stripping the permissions:
chmod -R 0000 /path/to/file-or-directory-to/own



After you have taken ownership of the file(s)/director{y,ies}, you will need to now kill the process.

This can be tricky as often you will have a main process, and forked processes, and you must kill these like a tree.
-- If you kill the root, the tree will die.
kill 22721

--- Often there will be several processes to kill, not just 1.


If the process is a perl application, you may enter the command:
killall -9 perl

-- Please note this will terminate all perl related processes.


There will be times when you attempt to kill the process, but the process does not die. These are the situations where the script is forked off, and there is still another application that must be terminated before you can stop the process.
Posted on: 2009/1/23 20:16
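The post's `lsof | grep cwd` check is done by eye. The script below is an added example (not from the original post or the forum) that automates the same check: it reads `lsof` cwd lines on stdin and flags any process whose working directory sits under a world-writable scratch location such as `/tmp`. The sample lines are constructed for offline testing (the `perl` and `sh` entries in `/tmp` and `/dev/shm` are invented); on a live box pipe real output in with `lsof 2>/dev/null | grep cwd | flag_scratch_cwd`.

```shell
#!/bin/sh
# Added example, not the original poster's code: flag processes whose
# current working directory is inside a scratch directory.
#
# Live usage:  lsof 2>/dev/null | grep cwd | flag_scratch_cwd

# Directories a legitimate daemon should not normally be running from.
# (/tmp is the one the post calls out; the other two are the usual extras.)
SCRATCH_DIRS='/tmp /var/tmp /dev/shm'

# Reads lsof "cwd" lines on stdin and prints "PID USER COMMAND CWD" for each
# process whose cwd equals one of SCRATCH_DIRS or lies beneath it.
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME, so FD is $4
# and NAME starts at $9 (joined back together in case the path has spaces).
flag_scratch_cwd() {
    awk -v dirs="$SCRATCH_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        $4 == "cwd" {
            cwd = $9
            for (j = 10; j <= NF; j++) cwd = cwd " " $j
            for (i = 1; i <= n; i++) {
                # exact match, or a prefix match that stops at a "/" so
                # that /tmpfoo is not mistaken for /tmp
                if (cwd == d[i] || index(cwd, d[i] "/") == 1) {
                    print $2, $3, $1, cwd
                    break
                }
            }
        }'
}

# Constructed sample: two benign lines in the shape of the post's listing,
# plus two invented processes running from /tmp and /dev/shm.
SAMPLE='httpd     22721    apache  cwd       DIR        3,2      4096          2 /
saslauthd  3149      root  cwd       DIR        3,3      4096     160011 /var/run/saslauthd
perl      31001    apache  cwd       DIR        3,7      4096     983042 /tmp/.x
sh        31340    nobody  cwd       DIR        0,16     4096        120 /dev/shm/.cache'

# Runs the filter over the constructed sample (used by the self-check).
flag_sample() {
    printf '%s\n' "$SAMPLE" | flag_scratch_cwd
}

flag_sample
```

Each flagged line gives the PID to feed into `lsof -p` and the user account to investigate, which is exactly the follow-up the post describes. The prefix test deliberately requires a trailing slash so that a directory merely named like `/tmpfoo` is not reported.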
Re: Finding the culprit(s)
#2
Webmaster
Joined: 2007/6/10
From Dallas, TX
Posts: 79
Here's another example:

Use "top" to see all of the processes - let's say we want to find out more about the process using the most CPU:
user@user-testbox ~ $ top
top - 23:39:07 up  1:18,  3 users,  load average: 3.07, 1.80, 1.19
Tasks:  85 total,   1 running,  81 sleeping,   0 stopped,   3 zombie
Cpu(s):  1.5%us,  3.0%sy,  0.0%ni, 41.2%id, 54.0%wa,  0.2%hi,  0.2%si,  0.0%st
Mem:    497392k total,   491708k used,     5684k free,   147104k buffers
Swap:  2096472k total,      136k used,  2096336k free,   174108k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
14754 user  20   0  4144 1256  936 S    4  0.3   7:04.86 scp
14922 user  20   0  7832 5468 1616 S    3  1.1   4:25.72 ssh
15054 user  20   0  1744  604  380 D    1  0.1   0:03.33 du
  196 root      20   0     0    0    0 D    1  0.0   0:03.45 pdflush
  197 root      15  -5     0    0    0 S    1  0.0   0:07.60 kswapd0
   78 root      15  -5     0    0    0 S    0  0.0   0:02.63 kblockd/0
    1 root      20   0  1652  560  492 S    0  0.1   0:04.59 init
    2 root      15  -5     0    0    0 S    0  0.0   0:00.01 kthreadd
    3 root      RT  -5     0    0    0 S    0  0.0   0:00.02 migration/0
    4 root      15  -5     0    0    0 S    0  0.0   0:01.01 ksoftirqd/0
    5 root      RT  -5     0    0    0 S    0  0.0   0:00.00 watchdog/0
    6 root      RT  -5     0    0    0 S    0  0.0   0:00.02 migration/1
    7 root      15  -5     0    0    0 S    0  0.0   0:00.86 ksoftirqd/1
    8 root      RT  -5     0    0    0 S    0  0.0   0:00.00 watchdog/1
    9 root      15  -5     0    0    0 S    0  0.0   0:00.31 events/0
   10 root      15  -5     0    0    0 S    0  0.0   0:00.31 events/1
   11 root      15  -5     0    0    0 S    0  0.0   0:00.01 khelper
   79 root      15  -5     0    0    0 S    0  0.0   0:00.46 kblockd/1
   82 root      15  -5     0    0    0 S    0  0.0   0:00.00 kacpid
   83 root      15  -5     0    0    0 S    0  0.0   0:00.00 kacpi_notify
  154 root      15  -5     0    0    0 S    0  0.0   0:00.00 ata/0
  155 root      15  -5     0    0    0 S    0  0.0   0:00.00 ata/1
  156 root      15  -5     0    0    0 S    0  0.0   0:00.00 ata_aux
  160 root      15  -5     0    0    0 S    0  0.0   0:00.00 kseriod
  198 root      15  -5     0    0    0 S    0  0.0   0:00.00 aio/0
  199 root      15  -5     0    0    0 S    0  0.0   0:00.00 aio/1
  407 root      15  -5     0    0    0 S    0  0.0   0:00.00 iscsi_eh
  463 root      15  -5     0    0    0 S    0  0.0   0:00.00 kpsmoused
  468 root      15  -5     0    0    0 S    0  0.0   0:00.01 kirqd
 2160 root      15  -5     0    0    0 S    0  0.0   0:00.01 scsi_eh_0
 2162 root      15  -5     0    0    0 S    0  0.0   0:00.01 scsi_eh_1
 4891 root      15  -5     0    0    0 S    0  0.0   0:00.00 scsi_tgtd/0
 4892 root      15  -5     0    0    0 S    0  0.0   0:00.00 scsi_tgtd/1
 6651 root      15  -5     0    0    0 S    0  0.0   0:00.00 ksuspend_usbd
 6657 root      15  -5     0    0    0 S    0  0.0   0:00.03 khubd
 7505 root      15  -5     0    0    0 S    0  0.0   0:00.00 khpsbpkt
 7877 root      15  -5     0    0    0 S    0  0.0   0:00.00 kstriped
 8269 root      15  -5     0    0    0 S    0  0.0   0:00.00 ksnapd
 8526 root      15  -5     0    0    0 S    0  0.0   0:00.00 dm-bbr/0
 8527 root      15  -5     0    0    0 S    0  0.0   0:00.00 dm-bbr/1
 8821 root      15  -5     0    0    0 S    0  0.0   0:00.00 jfsIO
 8822 root      15  -5     0    0    0 S    0  0.0   0:00.00 jfsCommit
 8823 root      15  -5     0    0    0 S    0  0.0   0:00.00 jfsCommit
 8824 root      15  -5     0    0    0 S    0  0.0   0:00.00 jfsSync
 8982 root      15  -5     0    0    0 S    0  0.0   0:00.00 rpciod/0
 8983 root      15  -5     0    0    0 S    0  0.0   0:00.00 rpciod/1
 9011 root      15  -5     0    0    0 S    0  0.0   0:00.00 nfsiod
 9143 root      15  -5     0    0    0 S    0  0.0   0:00.00 xfs_mru_cache
 9144 root      15  -5     0    0    0 S    0  0.0   0:00.00 xfslogd/0


Use "lsof" to see where the process is being run from (it would matter if it were relevant [such as an unwanted user logging in]):
user@user-testbox ~ $ lsof -p 14754
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
scp     14754 user  cwd    DIR    3,3     4096 1155081 /home/user/backdoor
scp     14754 user  rtd    DIR    3,3     4096       2 /
scp     14754 user  txt    REG    3,3    50820 2476179 /usr/bin/scp
scp     14754 user  mem    REG    3,3    38336 2433993 /lib/libnss_files-2.9.so
scp     14754 user  mem    REG    3,3    38376 2433311 /lib/libnss_nis-2.9.so
scp     14754 user  mem    REG    3,3    26260 2434128 /lib/libnss_compat-2.9.so
scp     14754 user  mem    REG    3,3    71328 2434000 /lib/libresolv-2.9.so
scp     14754 user  mem    REG    3,3    50776 2507237 /usr/lib/liblber-2.3.so.0.2.31
scp     14754 user  mem    REG    3,3  1290524 2434152 /lib/libc-2.9.so
scp     14754 user  mem    REG    3,3    38232 2434150 /lib/libcrypt-2.9.so
scp     14754 user  mem    REG    3,3    79544 2433999 /lib/libnsl-2.9.so
scp     14754 user  mem    REG    3,3    75160 2394301 /lib/libz.so.1.2.3
scp     14754 user  mem    REG    3,3     9624 2434149 /lib/libutil-2.9.so
scp     14754 user  mem    REG    3,3   212396 2507248 /usr/lib/libldap-2.3.so.0.2.31
scp     14754 user  mem    REG    3,3     9608 2434130 /lib/libdl-2.9.so
scp     14754 user  mem    REG    3,3  1343932 2492707 /usr/lib/libcrypto.so.0.9.8
scp     14754 user  mem    REG    3,3   278460 2492710 /usr/lib/libssl.so.0.9.8
scp     14754 user  mem    REG    3,3   117196 2434146 /lib/ld-2.9.so
scp     14754 user    0u   CHR    4,1      0t0    3081 /dev/tty1
scp     14754 user    1u   CHR    4,1      0t0    3081 /dev/tty1
scp     14754 user    2u   CHR    4,1      0t0    3081 /dev/tty1
scp     14754 user    3w   REG    3,3        0 2426847 /home/user/backdoor/usr/share/locale/th/LC_MESSAGES/gnome-media-2.0.mo
scp     14754 user    6w  FIFO    0,6      0t0   13596 pipe
scp     14754 user    7w  FIFO    0,6      0t0   13715 pipe
scp     14754 user    8w  FIFO    0,6      0t0   16788 pipe
scp     14754 user    9w  FIFO    0,6      0t0   17513 pipe
scp     14754 user   10r  FIFO    0,6      0t0   17514 pipe


Use "ps" to view what command was used to run the process:
user@user-testbox ~ $ ps axlf | grep 14754
0  1000 14754 14440  20   0   4144  1256 sync_b D+   tty1       7:05      \_ scp -r -P33988 root@192.168.14.5:/bin root@192.168.14.5:/home root@192.168.14.5:/sbin root@192.168.14.5:/usr root@192.168.14.5:/etc root@192.168.14.5:/lib root@192.168.14.5:/opt root@192.168.14.5:/root root@192.168.14.5:/var .
0  1000 14755 14754  20   0      0     0 exit   Z+   tty1       0:00          \_ [ssh] <defunct>
0  1000 14756 14754  20   0      0     0 exit   Z+   tty1       0:04          \_ [ssh] <defunct>
0  1000 14788 14754  20   0      0     0 exit   Z+   tty1       0:00          \_ [ssh] <defunct>
0  1000 14922 14754  20   0   7832  5468 select S+   tty1       4:26          \_ /usr/bin/ssh -x -oForwardAgent no -oPermitLocalCommand no -oClearAllForwardings yes -p33988 -lroot 192.168.14.5 scp -r -d -f /usr
user@user-testbox ~ $
Posted on: 2009/8/28 22:26
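The first post says forked processes "must be killed like a tree", and the `ps axlf` output above shows such a tree: `scp` (14754) with several `ssh` children. The script below is an added example (not from the original posts) that builds that tree from plain `PID PPID COMMAND` lines and prints the kill commands parents-first, so the whole set can be reviewed before anything is signalled. The process table is constructed from the PIDs in the post; on a live system feed it real data with `ps -eo pid,ppid,comm | tree_of 14754`.

```shell
#!/bin/sh
# Added example, not the original poster's code: list a process and all of
# its descendants (breadth-first, parents before children) from ps output.
#
# Live usage:  ps -eo pid,ppid,comm | tree_of <root-pid>

# Reads "PID PPID COMMAND" lines on stdin (a header line is skipped because
# its first field is not numeric) and prints "PID COMMAND" for the root PID
# and every descendant. Exits 1 if the root PID is not in the input.
tree_of() {
    awk -v root="$1" '
        $1 ~ /^[0-9]+$/ { ppid[$1] = $2; comm[$1] = $3; order[++n] = $1 }
        END {
            if (!(root in comm)) exit 1
            # simple queue for a breadth-first walk down the tree
            q[1] = root; head = 1; tail = 1
            while (head <= tail) {
                cur = q[head++]
                print cur, comm[cur]
                for (i = 1; i <= n; i++)
                    if (ppid[order[i]] == cur) q[++tail] = order[i]
            }
        }'
}

# Constructed sample modelled on the post: a shell (14440) started scp
# (14754), which forked ssh helpers; 15054 (du) is a sibling, not a child.
SAMPLE='  PID  PPID COMMAND
    1     0 init
14440     1 bash
14754 14440 scp
14755 14754 ssh
14756 14754 ssh
14922 14754 ssh
15054 14440 du'

# Prints the kill commands for the tree under a root PID without running
# them, so the list can be checked before any signal is sent.
plan_kill() {
    printf '%s\n' "$SAMPLE" | tree_of "$1" | awk '{ print "kill " $1 "  # " $2 }'
}

plan_kill 14754
```

Killing the root first is what the post recommends; the child list is still useful because a child that has already been reparented to `init` (its PPID becomes 1) will not die with the root, and zombies such as the `<defunct>` ssh entries disappear only when their parent is gone.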