(a)
wsbs03# ps axu
USER       PID %CPU %MEM  VSZ  RSS TT STAT STARTED  TIME COMMAND
...other processes...
root     12823  0.0  0.0   48    0 ?  IW     23:02  0:00 <defunct>
(b)
COMMAND     PID USER FD  TYPE DEVICE     SIZE/OFF INODE NAME
<defunct> 12823 root cwd VDIR 130,0           512 90633 /
<defunct> 12823 root T00 VREG 130,0         32768 93828 /
<defunct> 12823 root T01 VREG 130,2         24576 86893 /usr
<defunct> 12823 root T02 VREG 130,2        516096 86862 /usr
<defunct> 12823 root T03 VREG 130,0          4096 95539 /
<defunct> 12823 root T04 VREG 130,2         40960 86955 /usr
<defunct> 12823 root 3u  inet 0xff64e08c      0x0   TCP *:5120
<defunct> 12823 root 4r  VREG 130,4           623 64258 /usr/share
Figure 2: (a) An intruder process that was running with super-user privileges; (b) the same process's open files, listed using the lsof command.