

Show hidden processes




Posted by eduardosilvestre, 11-17-2008, 10:03 AM
Show hidden processes

Hello guys, how can I discover hidden processes that are running? I am already running rkhunter and chkrootkit.

[root@kenny ~]# ps auxfww
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
Segmentation fault
[root@kenny ~]#

This just happens when I use flag "f = --full". Some running process is causing this.

Regards,

Posted by david510, 11-17-2008, 10:34 AM
Try below:

ps auxfn

__________________
David
http://cliffsupport.com "Where support matters"

Posted by vburke, 11-17-2008, 10:36 AM
I seriously doubt any running process that you're asking ps to display is causing this. This is a bug in the ps command itself.

Vern

__________________
Swiftwater Telecom: Experience, Support, and Value Makes the Difference! Data Center, Server Hosting, Colocation Services
http://www.swiftwatertel.com/dedicat...olocation.html
Now offering Virtual Private Servers!
http://www.swiftwatertel.com/dedicat...te-server.html

Posted by eduardosilvestre, 11-17-2008, 11:37 AM
No luck:

[root@kenny ~]# ps auxfn
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
Segmentation fault
[root@kenny ~]#

Posted by david510, 11-17-2008, 11:43 AM
What does this return?

tail -500 /var/log/messages | grep error

__________________
David
http://cliffsupport.com "Where support matters"

Posted by eduardosilvestre, 11-17-2008, 11:48 AM
Show this:

Nov 16 17:47:19 kenny kernel: 211.131.73.116 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:21 kenny kernel: 211.13.136.13 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:21 kenny kernel: 211.127.122.235 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:21 kenny kernel: 211.127.123.38 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:28 kenny kernel: 221.184.7.80 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:29 kenny kernel: 211.120.83.133 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:31 kenny kernel: 211.120.88.3 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:35 kenny kernel: 222.146.44.72 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:35 kenny kernel: 211.127.122.133 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:36 kenny kernel: 122.1.213.75 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:38 kenny kernel: 211.120.82.3 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:39 kenny kernel: 211.120.69.8 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:43 kenny kernel: 210.143.240.38 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:46 kenny kernel: 211.131.73.85 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:46 kenny kernel: 60.37.36.100 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:50 kenny kernel: 211.126.69.228 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
Nov 16 17:47:54 kenny kernel: 218.43.243.74 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0

Regards

Posted by david510, 11-17-2008, 01:01 PM
You can try rebooting the server during off-peak time and see if that solves the segmentation fault issue.

__________________
David
http://cliffsupport.com "Where support matters"

Posted by eduardosilvestre, 11-17-2008, 01:04 PM
I already did that, no success.

Posted by jphilipson, 11-17-2008, 01:18 PM
Here's what I do to find hidden processes...

# print every PID number that has a /proc entry, probing each number directly
cd /proc
for i in `seq 1 33000`; do test -d $i && echo $i; done

If your server is hacked and your processes are hidden, they won't show up with the top or ps command etc... The command above will still show everything running. I'd run a memtest and a drivetest as well if you are getting that segfault error...

__________________
I perform System Administration

Posted by eduardosilvestre, 11-17-2008, 01:26 PM
Seems to be hacked. Output:

lrwxrwxrwx 1 root root 0 Nov 17 15:49 1/exe -> /sbin/init
ls: cannot read symbolic link 2/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 2/exe
ls: cannot read symbolic link 3/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 3/exe
ls: cannot read symbolic link 4/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 4/exe
ls: cannot read symbolic link 5/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 5/exe
ls: cannot read symbolic link 18/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 18/exe
ls: cannot read symbolic link 19/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 19/exe
ls: cannot read symbolic link 36/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 36/exe
ls: cannot read symbolic link 37/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 37/exe
ls: cannot read symbolic link 38/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 38/exe
ls: cannot read symbolic link 39/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 39/exe
ls: cannot read symbolic link 185/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 185/exe
ls: cannot read symbolic link 422/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 422/exe
ls: cannot read symbolic link 1092/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 1092/exe
lrwxrwxrwx 1 root root 0 Nov 17 15:49 1621/exe -> /sbin/udevd
ls: cannot read symbolic link 1852/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Nov 17 15:49 1852/exe
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2287/exe -> /sbin/syslogd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2291/exe -> /sbin/klogd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2318/exe -> /sbin/portmap
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2354/exe -> /usr/sbin/rpc.idmapd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2420/exe -> /usr/sbin/smartd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2429/exe -> /usr/sbin/acpid
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2468/exe -> /usr/sbin/sshd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2481/exe -> /usr/sbin/xinetd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2503/exe -> /usr/lib/courier-imap/couriertcpd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2505/exe -> /usr/sbin/courierlogger
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2515/exe -> /usr/lib/courier-imap/couriertcpd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2517/exe -> /usr/sbin/courierlogger
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2525/exe -> /usr/lib/courier-imap/couriertcpd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2527/exe -> /usr/sbin/courierlogger
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2536/exe -> /usr/lib/courier-imap/couriertcpd
lrwxrwxrwx 1 root root 0 Nov 17 15:50 2538/exe -> /usr/sbin/courierlogger
lrwxrwxrwx 1 qmails qmail 0 Nov 17 15:50 2550/exe -> /var/qmail/bin/qmail-send
lrwxrwxrwx 1 qmaill nofiles 0 Nov 17 15:50 2552/exe -> /var/qmail/bin/splogger
lrwxrwxrwx 1 root qmail 0 Nov 17 15:50 2553/exe -> /var/qmail/bin/qmail-lspawn
lrwxrwxrwx 1 qmailr qmail 0 Nov 17 15:50 2554/exe -> /var/qmail/bin/qmail-rspawn
lrwxrwxrwx 1 qmailq qmail 0 Nov 17 15:50 2555/exe -> /var/qmail/bin/qmail-clean
lrwxrwxrwx 1 root root 0 Nov 17 15:51 2577/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 15:51 2585/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 named named 0 Nov 17 15:51 2607/exe -> /usr/sbin/named
lrwxrwxrwx 1 named named 0 Nov 17 16:32 2608/exe -> /usr/sbin/named
lrwxrwxrwx 1 named named 0 Nov 17 16:32 2609/exe -> /usr/sbin/named
lrwxrwxrwx 1 named named 0 Nov 17 16:32 2610/exe -> /usr/sbin/named
lrwxrwxrwx 1 root root 0 Nov 17 15:51 2672/exe -> /bin/bash
lrwxrwxrwx 1 root root 0 Nov 17 15:51 2705/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 root root 0 Nov 17 16:32 2719/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 root root 0 Nov 17 16:32 2720/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 root root 0 Nov 17 16:32 2721/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 root root 0 Nov 17 16:32 2722/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 root root 0 Nov 17 16:32 2725/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 root root 0 Nov 17 16:32 2726/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 root root 0 Nov 17 16:32 2727/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 root root 0 Nov 17 16:32 2728/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 root root 0 Nov 17 16:32 2729/exe -> /usr/libexec/mysqld
lrwxrwxrwx 1 postgres postgres 0 Nov 17 15:51 2787/exe -> /usr/bin/postgres
lrwxrwxrwx 1 postgres postgres 0 Nov 17 15:51 2836/exe -> /usr/bin/postgres
lrwxrwxrwx 1 postgres postgres 0 Nov 17 15:51 2837/exe -> /usr/bin/postgres
lrwxrwxrwx 1 root root 0 Nov 17 15:51 2884/exe -> /usr/bin/perl
lrwxrwxrwx 1 root root 0 Nov 17 15:51 2909/exe -> /usr/bin/perl
lrwxrwxrwx 1 root root 0 Nov 17 15:51 2910/exe -> /usr/bin/perl
lrwxrwxrwx 1 root root 0 Nov 17 15:51 2970/exe -> /usr/local/psa/admin/bin/httpsd
lrwxrwxrwx 1 root root 0 Nov 17 15:51 2974/exe -> /usr/local/psa/admin/bin/httpsd
lrwxrwxrwx 1 root root 0 Nov 17 15:51 3003/exe -> /usr/sbin/sshd
lrwxrwxrwx 1 root root 0 Nov 17 15:51 3005/exe -> /bin/bash
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3300/exe -> /usr/local/psa/admin/bin/httpsd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3311/exe -> /opt/drweb/drwebd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3312/exe -> /opt/drweb/drwebd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3313/exe -> /opt/drweb/drwebd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3315/exe -> /opt/drweb/drwebd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3318/exe -> /opt/drweb/drwebd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3332/exe -> /usr/sbin/atd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3341/exe -> /usr/bin/dbus-daemon-1
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3350/exe -> /usr/sbin/hald
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3458/exe -> /usr/bin/python
lrwxrwxrwx 1 mailman mailman 0 Nov 17 16:23 3467/exe -> /usr/bin/python
lrwxrwxrwx 1 mailman mailman 0 Nov 17 16:23 3468/exe -> /usr/bin/python
lrwxrwxrwx 1 mailman mailman 0 Nov 17 16:23 3469/exe -> /usr/bin/python
lrwxrwxrwx 1 mailman mailman 0 Nov 17 16:23 3470/exe -> /usr/bin/python
lrwxrwxrwx 1 mailman mailman 0 Nov 17 16:23 3471/exe -> /usr/bin/python
lrwxrwxrwx 1 mailman mailman 0 Nov 17 16:23 3472/exe -> /usr/bin/python
lrwxrwxrwx 1 mailman mailman 0 Nov 17 16:23 3473/exe -> /usr/bin/python
lrwxrwxrwx 1 mailman mailman 0 Nov 17 16:23 3474/exe -> /usr/bin/python
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3496/exe -> /usr/bin/buagent
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3512/exe -> /sbin/mingetty
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3513/exe -> /sbin/mingetty
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3514/exe -> /sbin/mingetty
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3515/exe -> /sbin/mingetty
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3516/exe -> /sbin/mingetty
lrwxrwxrwx 1 root root 0 Nov 17 16:23 3517/exe -> /sbin/mingetty
lrwxrwxrwx 1 root root 0 Nov 17 16:23 4400/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 5453/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 5454/exe -> /usr/sbin/sshd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 5510/exe -> /bin/bash
lrwxrwxrwx 1 root root 0 Nov 17 16:23 6903/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 6904/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 6905/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:23 9051/exe -> /bin/bash
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12763/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12766/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12774/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12789/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12795/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12796/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12797/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12811/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12822/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12825/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12827/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12829/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12832/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12833/exe -> /usr/sbin/httpd
lrwxrwxrwx 1 root root 0 Nov 17 16:32 12834/exe -> /usr/sbin/httpd

Regards,
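
The /proc probe from the thread, worked through as an added example (editor's code, not posted by anyone in the thread): it tests PID numbers one by one, as the loop above does, so it does not rely on the /proc directory listing, then reports every PID that ps -e does not list. An unreadable /proc/<pid>/exe link is not by itself evidence of hiding: kernel threads (PID 2 and its children) have no executable, and a process that exits between the two snapshots looks the same. Function names, the tmp-directory test inputs and the --run flag are my own.

```shell
#!/bin/sh
# Added example (not from the thread): probe /proc/<pid> by number and report
# PIDs that a normal process listing (ps -e) does not show.

# probe_proc_pids ROOT MAX: print every N in 1..MAX for which ROOT/N is a
# directory. Probing by number sidesteps anything that filters the readdir
# listing of ROOT; ROOT is a parameter so the function can be tested on a
# constructed directory instead of the live /proc.
probe_proc_pids() {
    root=$1
    max=$2
    i=1
    while [ "$i" -le "$max" ]; do
        if [ -d "$root/$i" ]; then echo "$i"; fi
        i=$((i + 1))
    done
}

# hidden_pids PROC_LIST PS_LIST: PIDs in the first newline-separated list that
# are missing from the second (exact, whole-line match on the PID).
hidden_pids() {
    printf '%s\n' "$1" | while read -r pid; do
        [ -n "$pid" ] || continue
        if ! printf '%s\n' "$2" | grep -qx "$pid"; then echo "$pid"; fi
    done
}

# describe_pid PID: command name and executable path from /proc. Kernel
# threads have no exe link, so a missing link is labelled, not treated as
# proof of tampering.
describe_pid() {
    comm=$(cat "/proc/$1/comm" 2>/dev/null || echo '?')
    exe=$(readlink "/proc/$1/exe" 2>/dev/null || echo '(no exe link: kernel thread or exited)')
    echo "$1 $comm $exe"
}

# main: compare a live probe of /proc against ps -e. A process that starts or
# exits between the two snapshots is a false positive; re-run to confirm a hit.
main() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    proc_pids=$(probe_proc_pids /proc "$max")
    ps_pids=$(ps -e -o pid= | tr -d ' ')
    for pid in $(hidden_pids "$proc_pids" "$ps_pids"); do
        describe_pid "$pid"
    done
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `sh hidden_check.sh --run` as root; an empty result means every PID reachable in /proc is also in the ps output, which is what a clean box should show.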


