[1892] in linux-security and linux-alert archive


[linux-security] Re: Help with : telnetd[...]: ttloop: peer

daemon@ATHENA.MIT.EDU (Brandon S. Allbery KF8NH)
Wed Jun 17 03:21:43 1998

To: linux-security@redhat.com
In-reply-to: Your message of "Mon, 15 Jun 1998 08:55:48 PDT."
             <Pine.LNX.3.96.980615084829.18085C-100000@darkstar.localdomain> 
Date: Tue, 16 Jun 1998 06:49:05 -0300
From: "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

In message <Pine.LNX.3.96.980615084829.18085C-100000@darkstar.localdomain>,
Kevin Vajk writes:
+-----
| Also, do "ps aux" and look for any weird processes.
+--->8

If he's got nocturnal visitors, they may have replaced ps.  Try this instead:

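#! /usr/bin/perl
# List every process by reading /proc directly, without relying on ps.
opendir(D, '/proc') || die "cannot open /proc: $!";
while (defined ($_ = readdir(D))) {
    next unless /^\d+$/;                  # numeric entries are PIDs
    open(F, "/proc/$_/cmdline") || next;  # process may have exited already
    local($/) = "\0";                     # argv entries are NUL-terminated
    $did = 0;
    while (defined ($l = <F>)) {
        chomp($l);                        # strip the trailing NUL from this argument
        print "$_: " unless $did++;
        print "$l ";                      # separate arguments with a space
    }
    close(F);
    print "$_: (none)" unless $did;       # empty cmdline, e.g. kernel threads
    print "\n";
}
closedir(D);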

It's not perfect, but it's small and easy to use --- and easy to see if they 
changed it :-)
-- 
brandon s. allbery	   [team os/2][linux][japh]	 allbery@kf8nh.apk.net
system administrator, ece facilities			   allbery@ece.cmu.edu
carnegie mellon university			   (bsa@kf8nh is still valid.)
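
An added example, not part of the original message: the same /proc walk extended into a cross-check that reports PIDs present in /proc but absent from the output of ps, which is the discrepancy a replaced ps would produce. The function names and the use of `ps -e -o pid=` are choices made for this example.

```python
"""Cross-check a ps listing against /proc to flag processes ps omits."""
import os
import subprocess


def proc_cmdlines(proc_root="/proc"):
    """Map pid -> command line, read straight from <proc_root>/<pid>/cmdline."""
    found = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():          # only numeric entries are processes
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:                 # process exited, or access denied
            continue
        args = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        found[int(name)] = " ".join(args) or "(none)"
    return found


def pids_from_ps(ps_output):
    """Extract PIDs from `ps -e -o pid=` output (one PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_from_ps(proc_map, ps_pids):
    """Processes visible in /proc that the ps listing did not report."""
    return {pid: cmd for pid, cmd in proc_map.items() if pid not in ps_pids}


def main():
    before = proc_cmdlines()
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                            text=True, check=True).stdout
    after = proc_cmdlines()
    # Compare only PIDs alive both before and after the ps run, so processes
    # that merely started or exited in between are not flagged.
    stable = {pid: cmd for pid, cmd in after.items() if pid in before}
    hidden = hidden_from_ps(stable, pids_from_ps(ps_out))
    for pid, cmd in sorted(hidden.items()):
        print(f"{pid}: {cmd}  <- in /proc but not reported by ps")


if __name__ == "__main__":
    main()
```

Agreement between the two listings only shows that ps and /proc tell the same story; it says nothing about a kernel that hides entries from /proc itself.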
