SUMMARY: ps does not show root processes

From: Serkan Cil (cil@bilkent.edu.tr)
Date: Wed Jan 18 1995 - 21:06:08 CST


The question was:

> everything was fine but one day the "ps" command began not to show
> only the processes owned by root. I can see all other processes owned
> by eg. bin but root. Unfortunately I don't know what has changed.
> Anyone encountered the same problem before? I will appreciate your
> help on the matter,

Solutions offered are:

>From jonh@hitl.washington.edu Mon Jan 9 17:14:43 1995

Just a guess, but are there multiple versions of ps on your system? (Like
a /usr/bin/ps, and a /usr/ucb/ps, or something) I just ask, because maybe
just your path changed, and the different version you're now using is
only reporting processes owned by the calling user. (guessing. :v)

---

>From elfchief@lupine.org Sat Jan 7 18:17:30 1995

Assuming you're using the proper flags (ps -aux), if 'ps' still isn't showing all processes, you have a problem. My #1 guess would be that you somehow got a hacker into your system who modified the 'ps' binary to not show certain processes.

Make a backup copy of /usr/kvm/ps (so you can have a record of it), and reinstall your 'ps' command from old backups (you do have backups, right?) or from CD-ROM (even better) (or tape if that's where your original distribution came from). Give it a try then, and see what results you get. If you get full listings again, then someone has indeed been mucking around on your system. If THAT is the situation, I'd suggest hiring a security consultant to figure out what's going on.

If you can restore your copy of /usr/kvm/ps and still have the problem, then I'm not sure WHAT to tell you. Since 'ps' gets its information by going directly to the kernel itself, I can think of very little that would keep it from working properly.

---

>From kevin@uniq.com.au Sat Jan 7 14:29:45 1995

Why are you still running 4.1?? I'd say an upgrade was in order to start with...

---

>From raoul@MIT.EDU Sat Jan 7 12:12:58 1995

Check if someone has corrupted your ps binaries: some crackers alter such basic programs to hide themselves from detection. Restore it from the distribution if necessary, or better yet install sps, available at various ftp sites, that gives ps information in much more usable format.

---

I solved the problem: the ps binary had been changed by a hacker. I used the original ps binary, and it did well.

Thanks to all who responded.

Serkan.
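
Added example, not part of the original thread: one way to run the check the replies suggest, comparing installed binaries byte for byte against reference copies from the distribution media or a restored backup, and recording checksums of a modified copy before it is replaced. The function names, the TRUSTED_CMP variable and the mirrored reference-tree layout are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: compare installed binaries against reference copies taken
# from trusted media (read-only distribution CD-ROM or a restored backup).
# Assumption: the reference tree mirrors the installed layout, so the
# reference for /usr/kvm/ps is "$ref_root/usr/kvm/ps".
# TRUSTED_CMP is a hypothetical variable: point it at a cmp binary on the
# trusted media, because other tools on an altered host may be altered too.
TRUSTED_CMP=${TRUSTED_CMP:-cmp}

# check_binary SYS_ROOT REF_ROOT PATH
# Prints one status line; returns 0 only when both files are identical.
check_binary() {
    sys_root=$1 ref_root=$2 path=$3
    installed=$sys_root$path
    reference=$ref_root$path

    if [ ! -f "$reference" ]; then
        echo "NOREF    $path"; return 2
    fi
    if [ ! -f "$installed" ]; then
        echo "MISSING  $path"; return 1
    fi
    if "$TRUSTED_CMP" -s "$installed" "$reference"; then
        echo "OK       $path"; return 0
    fi
    # Record checksum and size of both copies before anything is replaced.
    echo "MODIFIED $path installed=[$(cksum < "$installed")] reference=[$(cksum < "$reference")]"
    return 1
}

# audit_binaries SYS_ROOT REF_ROOT PATH...
# Checks every path; the return value is the number of paths that are not OK.
audit_binaries() {
    sys_root=$1 ref_root=$2; shift 2
    bad=0
    for p in "$@"; do
        check_binary "$sys_root" "$ref_root" "$p" || bad=$((bad + 1))
    done
    return "$bad"
}

# Usage on the live system (empty SYS_ROOT; /cdrom is an assumed mount point):
#   audit_binaries "" /cdrom /usr/kvm/ps /usr/bin/ps /usr/ucb/ps
```

A NOREF line means the reference tree has no copy of that path, so the file was not verified; it is counted as not OK rather than silently skipped.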


