[1892] in linux-security and linux-alert archive
[linux-security] Re: Help with : telnetd[...]: ttloop: peer
daemon@ATHENA.MIT.EDU (Brandon S. Allbery KF8NH)
Wed Jun 17 03:21:43 1998
To: linux-security@redhat.com
In-reply-to: Your message of "Mon, 15 Jun 1998 08:55:48 PDT."
<Pine.LNX.3.96.980615084829.18085C-100000@darkstar.localdomain>
Date: Tue, 16 Jun 1998 06:49:05 -0300
From: "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
In message <Pine.LNX.3.96.980615084829.18085C-100000@darkstar.localdomain>,
Kevin Vajk writes:
+-----
| Also, do "ps aux" and look for any weird processes.
+--->8
If he's got nocturnal visitors, they may have replaced ps. Try this instead:
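#! /usr/bin/perl
# List every PID under /proc with its command line, without using ps.
opendir(D, '/proc') || die "cannot open /proc: $!\n";
while (defined ($_ = readdir(D))) {
    next unless /^\d+$/;                  # numeric entries are PIDs
    open(F, "/proc/$_/cmdline") || next;  # process may have exited
    local($/) = "\0";                     # arguments are NUL-separated
    $did = 0;
    while (defined ($l = <F>)) {
        chomp($l);                        # strip the trailing NUL from the argument
        print "$_: " unless $did++;
        print "$l ";
    }
    close(F);
    print "$_: (none)" unless $did;       # empty cmdline
    print "\n";
}
closedir(D);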
It's not perfect, but it's small and easy to use --- and easy to see if they
changed it :-)
--
brandon s. allbery [team os/2][linux][japh] allbery@kf8nh.apk.net
system administrator, ece facilities allbery@ece.cmu.edu
carnegie mellon university (bsa@kf8nh is still valid.)
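
An added example, not part of the original message: a shell sketch that goes one step beyond the script above by comparing the PIDs that ps reports with the numeric entries in /proc, so a process ps leaves out stands out. The function names and the --live switch are hypothetical, and it assumes mktemp, sort, comm and a POSIX ps are present and themselves trustworthy.

```shell
#!/bin/sh
# Added example: report PIDs that exist in /proc but that ps does not list.

# List PIDs by globbing /proc in the shell itself (no ls, no ps).
proc_pids() {
    for d in /proc/[0-9]*; do
        if [ -d "$d" ]; then echo "${d#/proc/}"; fi
    done
}

# Print PIDs found in file $2 (taken from /proc) but absent from file $1
# (taken from ps). Both files hold one PID per line, in any order.
missing_from_ps() {
    ps_sorted=$(mktemp); proc_sorted=$(mktemp)
    sort -u "$1" > "$ps_sorted"
    sort -u "$2" > "$proc_sorted"
    comm -13 "$ps_sorted" "$proc_sorted"
    rm -f "$ps_sorted" "$proc_sorted"
}

# Snapshot both views of the running system and print the discrepancies.
live_check() {
    ps_list=$(mktemp); proc_list=$(mktemp)
    ps -e -o pid= | tr -d ' ' > "$ps_list"
    proc_pids > "$proc_list"
    for pid in $(missing_from_ps "$ps_list" "$proc_list"); do
        # A process that started or exited between the two snapshots is
        # not a finding: skip it if it is gone, or if ps now reports it.
        [ -d "/proc/$pid" ] || continue
        if ps -p "$pid" > /dev/null 2>&1; then continue; fi
        echo "$pid in /proc but not in ps: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    done
    rm -f "$ps_list" "$proc_list"
}

# Run against the live system only when asked to (hypothetical switch).
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

An empty result only means the two views agree; it says nothing if /proc itself is being filtered.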