LinuxQuestions.org


JerryMcFarts 04-14-2005 06:54 PM

TOP, showing a program i don't believe i started
 
Hi, I was currently on my server and it was running slow, so I ssh'ed into it and ran top. This is what looks like is slowing it down.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7996 root 25 0 6996 4636 1404 R 98.9 3.7 12407:50 john


I haven't been watching my server lately because I have been involved in a computer project, and so I don't know if someone else started this program or if I did before I started on this other project.

I am a newb and so I thought starting a server so that I could learn as much as I could. Well, along with learning, I wanted to learn more on security, and I'm learning slowly, just figuring out about logs and such, but still don't really know what to make from them. But I had, before I moved onto this other project, installed John The Ripper password cracker and I was cracking my own passwords to see how good they were. Well, it looks like that program has been running for a while. 12407, but that is clock cycles of use so I don't really know how much time that is. I have been on this other project for about 7 days now.

What I would like to know is this:

How do I figure out when this program was started, what time and what day?
How do I figure out what this program is, if it is John the Ripper or not?
How do I figure out what the program is doing, and where its output is?

I personally don't want to stop the process if my system got cracked because I would alert the cracker by stopping his program. But I do believe that it's just myself lol :-P I would like to figure out what it's doing and make sure that I'm safe before I just go along my business thinking my server is still secure.

JerryMcFarts 04-14-2005 07:08 PM

sweet
 
So I found out that the TIME+ is actually real time. I thought it was just computation time. OK, so I found out that it happened 8 days ago, which is good because that is about the time I was messing around with John the Ripper.

I started up another John the Ripper, and in top it was also named john.

So I found out what program it is. Now I started this program through ssh, and I believed that when I log out of the ssh session all the programs that I started sign off with my account. Is this wrong? Because I didn't have an ssh session open and John the Ripper was still running without a user. Is this normal?

thanks so much for reading this,
Bryon

Capt_Caveman 04-14-2005 09:58 PM

It depends on how you ran john. If you simply run it in ssh as john <passwd_file>, then the john process will die when you exit the shell. If you background the process (by running john with the '&' option or otherwise sending the process to the background), then the john process will stay alive and run under init.

There is a really good way to look at this: just establish 2 ssh sessions. In one run john and in the other use the pstree command to visualize the context in which each process is running. Then try running john (just as john <password_file> and then as john <password_file> &). Then log out of the ssh session that you've executed john in and watch what happens to the process in the pstree output.
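The question two posts up (do programs sign off with the account at logout?) and the answer just above can be checked without pstree. The script below is an added example, not code from the thread or from any poster; it assumes Linux with /proc and stands in for the login shell with a throwaway sh -c that exits as soon as it has backgrounded the job. Two facts it relies on: when a child's parent exits, the kernel reparents the child to init (PID 1) or to the nearest process that has declared itself a "child subreaper", such as systemd or a container init; and what ends the foreground john at logout is the SIGHUP the kernel delivers to the terminal's foreground process group when sshd closes the pty, which a process that has already been reparented away from the session's shell never receives.

```sh
#!/bin/sh
# Added example: show that a job started with '&' outlives the shell that started
# it, and who its parent becomes. Reads /proc directly, so no ps/pstree is needed.

# Parent PID of a process. Everything up to the ')' that closes the comm field is
# stripped first, because comm may contain spaces; ppid is then field 2.
proc_ppid() { sed 's/^.*) //' "/proc/$1/stat" | awk '{print $2}'; }

# True if the PID still exists.
proc_alive() { [ -d "/proc/$1" ]; }

# Run "$@" backgrounded from a throwaway shell that exits immediately, like a
# login shell ending right after 'john <passwd_file> &'.
# Prints "<shell pid> <job pid>".
spawn_backgrounded() {
    sh -c '"$@" >/dev/null 2>&1 & echo "$$ $!"' sh "$@"
}

demo() {
    set -- $(spawn_backgrounded sleep 60)
    shell_pid=$1
    job_pid=$2
    echo "shell $shell_pid started the job and has exited: $(proc_alive "$shell_pid" && echo no || echo yes)"
    echo "job $job_pid still running: $(proc_alive "$job_pid" && echo yes || echo no)"
    echo "job's parent is now PID $(proc_ppid "$job_pid") (init, or a subreaper such as systemd)"
    kill "$job_pid"
}

# Usage: sh orphan.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Whether an interactive shell's own background jobs get a SIGHUP at logout depends on the shell (bash, for example, forwards it to its jobs only when huponexit is set, which is the default for login shells), which is why the same experiment can give different results on different boxes; nohup or disown make the outcome explicit either way.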

JerryMcFarts 04-19-2005 10:09 PM

Hey, I tried what you were telling me about with pstree, but my pstree is corrupt or not working right; it shows really weird stuff. I used top to show that the & put it in a background process, which is cool. I am reading the manual :-) but how do I bring the program back to the foreground?

I remember back in class I was messing around with the ps command and somehow putting things back and forth with it, but I haven't used that in a while, so I'm reading to bring my memory back.

But top showed everything that you were showing me :-P

Capt_Caveman 04-20-2005 01:37 AM

Play around with the 'fg' and 'jobs' commands. The jobs command shows the various processes and their status, while fg will bring a suspended or backgrounded job to the foreground. For multiple backgrounded jobs, use 'fg N', where N is the id reported by the output of 'jobs'.


All times are GMT -5.