Re: finding hidden processes

To: debian-security@lists.debian.org
Cc: debian-security@lists.debian.org
Subject: Re: finding hidden processes
From: Tarjei Huse <tarjei@nu.no>
Date: Mon, 03 Dec 2001 19:29:44 +0100
Message-id: <[🔎] 3C0BC498.8D3E6906@nu.no>
References: <20011129042445.A28137@fishbowl.madduck.net> <Pine.LNX.4.32.0111291627270.19291-100000@server.murcott.net> <20011129044013.H26177@fishbowl.madduck.net> <[🔎] 20011202125938.M7108@wiggy.net> <[🔎] 20011202193348.E4667@fishbowl.madduck.net> <[🔎] 20011202223001.C32253@wiggy.net> <[🔎] 20011202230504.A27778@fishbowl.madduck.net> <[🔎] 3C0BB30F.905E2927@nu.no> <[🔎] 20011203131545.A930@rivet>

Thanks to all who answered. I'm trying toanswer the question "is this
suspicious?" and if yes "what could "normal" explenations be?

All help is highly appreciated :)

PS: I'm running CyrusImapd, I seem to remember that cyrus does not use pid,
could this be true? And would that be the answer to the question of what these 3
pids are? (nmap on my host returns notthing). 

Tarjei

Here's the output I got:
pid: 1 init [3]
pid: 1001 lsarpcd-D
pid: 1003 srvsvcd-D
pid: 1005 winregd-D
pid: 1007 wkssvcd-D
pid: 1010 spoolssd-D
pid: 1027 svcctld-D
pid: 1050
/bin/sh/usr/local/mysql/bin/safe_mysqld--basedir=/usr/local/mysql--log=/usr/local/mysql/var/mail.log
pid: 1072
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 1074 smbd-D
pid: 10748 CROND
pid: 10752
/usr/bin/perl-w/usr/local/apache/cgi-bin/mailgraph.pl-l/var/log/maillog
pid: 1076 nmbd-D
pid: 1079
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 1080
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 10873 /usr/sbin/slapd-uldap-hldap:/// ldaps:///
pid: 10912 CROND
pid: 10916
/usr/bin/perl-w/usr/local/apache/cgi-bin/mailgraph.pl-l/var/log/maillog
pid: 111 
pid: 11162 /usr/cyrus/bin/master
pid: 1117 /sbin/mingettytty2
pid: 1118 /sbin/mingettytty3
pid: 1119 /sbin/mingettytty4
pid: 1120 /sbin/mingettytty5
pid: 1121 /sbin/mingettytty6
pid: 11490 /usr/sbin/sendmail-FCronDaemon-i-odi-oemadmin@mail.nu.no
pid: 11623 /usr/sbin/sendmail-FCronDaemon-i-odi-oemadmin@mail.nu.no
pid: 1755 smbd-D
pid: 2 
pid: 2020 CROND
pid: 2024
/usr/bin/perl-w/usr/local/apache/cgi-bin/mailgraph.pl-l/var/log/maillog
pid: 22970 CROND
pid: 22974
/usr/bin/perl-w/usr/local/apache/cgi-bin/mailgraph.pl-l/var/log/maillog
pid: 23690 /usr/sbin/sendmail-FCronDaemon-i-odi-oemadmin@mail.nu.no
pid: 2445 /usr/local/apache/bin/httpd-DSSL
pid: 2448
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 2488 smbd-D
pid: 2491 CROND
pid: 2495
/usr/bin/perl-w/usr/local/apache/cgi-bin/mailgraph.pl-l/var/log/maillog
pid: 25175 /usr/local/apache/bin/httpd-DSSL
pid: 25176 /usr/local/apache/bin/httpd-DSSL
pid: 25177 /usr/local/apache/bin/httpd-DSSL
pid: 25178 /usr/local/apache/bin/httpd-DSSL
pid: 25179 /usr/local/apache/bin/httpd-DSSL
pid: 25180 /usr/local/apache/bin/httpd-DSSL
pid: 25236 named-unamed
pid: 25239 named-unamed
pid: 25240 named-unamed
pid: 25241 named-unamed
pid: 25242 named-unamed
pid: 2525 /usr/sbin/sendmail-FCronDaemon-i-odi-oemadmin@mail.nu.no
pid: 25279 /usr/local/apache/bin/httpd-DSSL
pid: 2546 /usr/sbin/sendmail-FCronDaemon-i-odi-oemadmin@mail.nu.no
pid: 26085 /usr/local/apache/bin/httpd-DSSL
pid: 27478 CROND
pid: 27482
/usr/bin/perl-w/usr/local/apache/cgi-bin/mailgraph.pl-l/var/log/maillog
pid: 28045 ./kavdaemon-dl-MP-Y-V-*-f=/ctl/tst
pid: 28131 /usr/sbin/sendmail-FCronDaemon-i-odi-oemadmin@mail.nu.no
pid: 2937 /usr/cyrus/bin/imapd
pid: 3 
pid: 30278 smbd-D
pid: 30442
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 30443
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 30444
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 30445
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 30446
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 30449
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 30451
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 30452 /usr/local/apache/bin/httpd-DSSL
pid: 30466
/usr/local/mysql/libexec/mysqld--basedir=/usr/local/mysql--datadir=/usr/local/mysql/var--user=mysql--pid-file=/usr/local/mysql/var/mail.pid--skip-locking--log=/usr/local/mysql/var/mail.log
pid: 30651 CROND
pid: 30655
/usr/bin/perl-w/usr/local/apache/cgi-bin/mailgraph.pl-l/var/log/maillog
pid: 31632 smbd-D
pid: 31665 /usr/cyrus/bin/imapd-s
pid: 31742 /usr/sbin/sendmail-FCronDaemon-i-odi-oemadmin@mail.nu.no
pid: 31825 smbd-D
pid: 31864 /usr/cyrus/bin/imapd-s
pid: 4 
pid: 4065 qmgr-l-tfifo-u
pid: 4159 smbd-D
pid: 4188 /usr/cyrus/bin/imapd-s
pid: 429 
pid: 4358 /usr/sbin/sshd
pid: 4359 pickup-l-tfifo
pid: 4378 -bash
pid: 4407 su
pid: 4408 bash
pid: 4824 CROND
pid: 4826 /bin/bash/usr/bin/run-parts/etc/cron.hourly
pid: 4829 awk-vprogname=/etc/cron.hourly/sysstatprogname {
                                   print progname ":\n"
                                   progname="";
                               }
                               { print; }
pid: 4830 /bin/sh/usr/lib/sa/sa16006
pid: 4832 /usr/lib/sa/sadc6006/var/log/sa/sa03
pid: 494 syslogd-m0
pid: 4974 smbd-D
pid: 4979 smbd-D
pid: 4985 trivial-rewrite-nrewrite-tunix-u
pid: 499 klogd-2
pid: 5 
pid: 5008 /usr/cyrus/bin/imapd-s
pid: 5028 /usr/cyrus/bin/lmtpd
pid: 5032 smbd-D
pid: 5038 smtpd-nsmtp-tinet-u
pid: 5039 cleanup-tunix-u
pid: 5045 smtpd-nlocalhost:1025-tinet-u-ocontent_filter
pid: 5046 local-tunix
pid: 5047 local-tunix
pid: 5048 lmtp-tunix-u
pid: 5049 lmtp-tunix-u
pid: 5050 /usr/cyrus/bin/lmtpd
pid: 5184 /usr/cyrus/bin/imapd-s
pid: 6 
pid: 6934 /usr/bin/perl-w./mailgraph.pl-l/var/log/maillog
pid: 7857 /sbin/mingettytty1
pid: 7982 /usr/sbin/sshd
pid: 862 xinetd-stayalive-reuse-pidfile/var/run/xinetd.pid
pid: 9 
pid: 969 /usr/libexec/postfix/master
pid: 983 crond
pid: 990 smbd-D
pid: 992 nmbd-D
pid: 994 nmbd-D
pid: 995 netlogond-D
pid: 997 samrd-D
pid: 999 browserd-D

Robert Mognet wrote:
> 
> Hello,
> 
> On Mon, Dec 03, 2001 at 06:14:33PM +0100, Tarjei Huse wrote:
> >
> > How can I find these processes?
> 
> cd /proc
> for n in [0-9]* ; do echo -n "pid: "$n" "; cat $n/cmdline; echo; done
> 
> Hth
> Robert
> 
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: finding hidden processes
  - From: Robert Mognet <rmgnt@surfree.com>

References:
- Re: iptables with a linux bridge
  - From: Wichert Akkerman <wichert@wiggy.net>
- Re: iptables with a linux bridge
  - From: martin f krafft <madduck@madduck.net>
- Re: iptables with a linux bridge
  - From: Wichert Akkerman <wichert@wiggy.net>
- Re: iptables with a linux bridge
  - From: martin f krafft <madduck@madduck.net>
- finding hidden processes
  - From: Tarjei Huse <tarjei@nu.no>
- Re: finding hidden processes
  - From: Robert Mognet <rmgnt@surfree.com>

Prev by Date: Re: finding hidden processes
Next by Date: Rãspuns: finding hidden processes
Previous by thread: Re: finding hidden processes
Next by thread: Re: finding hidden processes
Index(es):
- Date
- Thread