LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-14-2005, 07:54 PM   #1
JerryMcFarts
Member
 
Registered: Mar 2004
Location: Ohio, USA
Distribution: Ubuntu 6.04
Posts: 117

Rep: Reputation: 15
TOP, showing a program I don't believe I started


Hi, I was currently on my server and it was running slow, so I ssh'ed into it and ran top. This is what looks like it is slowing it down.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7996 root 25 0 6996 4636 1404 R 98.9 3.7 12407:50 john


I haven't been watching my server lately because I have been involved in a computer project, and so I don't know if someone else started this program or if I did before I started on this other project.

I am a newb, so I thought of starting a server so that I could learn as much as I could. Well, along with learning, I wanted to learn more about security, and I'm learning slowly, just figuring out about logs and such, but I still don't really know what to make of them. But before I moved on to this other project I had installed the John the Ripper password cracker, and I was cracking my own passwords to see how good they were. Well, it looks like that program has been running for a while: 12407, but that is clock cycles of use, so I don't really know how much time that is. I have been on this other project for about 7 days now.

What I would like to know is this:

How do I figure out when this program was started? What time and what day?
How do I figure out what this program is, if it is John the Ripper or not?
How do I figure out what the program is doing, and where its output is?

I personally don't want to stop the process if my system got cracked, because I would alert the cracker by stopping his program. But I do believe that it's just myself lol :-P I would like to figure out what it's doing and make sure that I'm safe before I just go along my business thinking my server is still secure.
 
Old 04-14-2005, 08:08 PM   #2
JerryMcFarts
Member
 
Registered: Mar 2004
Location: Ohio, USA
Distribution: Ubuntu 6.04
Posts: 117

Original Poster
Rep: Reputation: 15
sweet

So I found out that the TIME+ is actually real time. I thought it was just computation time. OK, so I found out that it happened 8 days ago, which is good because that is about the time I was messing around with John the Ripper.

I started up another John the Ripper, and in top it was also named john.

So I found out what program it is. Now, I started this program through ssh, and I believed that when I log out of the ssh session all the programs that I started sign off with my account. Is this wrong? Because I didn't have an ssh session open and John the Ripper was still running without a user. Is this normal?

thanks so much for reading this,
Bryon
 
Old 04-14-2005, 10:58 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
It depends on how you ran john. If you simply run it in ssh as john <passwd_file>, then the john process will die when you exit the shell. If you background the process (by running john with the '&' option or otherwise send the process to the background), then the john process will stay alive and run under init.

There is a really good way to look at this: just establish 2 ssh sessions. In one run john and in the other use the pstree command to visualize the context in which each process is running. Then try running john (just as john <password_file> and then as john <password_file> &). Then log out of the ssh session that you've executed john in and watch what happens to the process in the pstree output.
 
Old 04-19-2005, 11:09 PM   #4
JerryMcFarts
Member
 
Registered: Mar 2004
Location: Ohio, USA
Distribution: Ubuntu 6.04
Posts: 117

Original Poster
Rep: Reputation: 15
Hey, I tried what you were telling me about with pstree, but my pstree is corrupt or not working right; it shows really weird stuff. I used top to show that the & put it in a background process, which is cool. I am reading the manual :-) but how do I bring the program back to the foreground?

I remember back in class I was messing around with the ps command and somehow putting things back and forth with it, but I haven't used that in a while, so I'm reading to bring my memory back.

But top showed everything that you were showing me :-P
 
Old 04-20-2005, 02:37 AM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Play around with the 'fg' and 'jobs' commands. The jobs command shows the various processes and their status, while fg will bring a suspended or backgrounded job to the foreground. For multiple backgrounded jobs, use 'fg N', where N is the id reported by the output of 'jobs'.
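
Added example, not part of the original thread or written by any poster: a read-only way to answer the three questions in the first post (when the process started, which binary it is, where its output goes) and to see the parent process discussed in reply #3, without stopping or signalling anything. It assumes a Linux /proc filesystem and the getconf utility; the function names are made up for this example.

```shell
# Added example: read-only triage of one running process through /proc.
# Run as root or as the owning user so exe, cwd and fd links are readable.

# /proc/PID/stat fields after "(comm)"; comm may contain spaces or ')',
# so strip through the last ") ". In what remains: 2=ppid, 12=utime,
# 13=stime, 20=starttime (the last three are counted in clock ticks).
stat_field() {
    sed 's/^.*) //' "/proc/$1/stat" | awk -v n="$2" '{ print $n }'
}

proc_ppid() { stat_field "$1" 2; }

# Start time as a Unix epoch: boot time + starttime / ticks-per-second.
proc_start_epoch() {
    btime=$(awk '$1 == "btime" { print $2 }' /proc/stat)
    echo $(( btime + $(stat_field "$1" 20) / $(getconf CLK_TCK) ))
}

# CPU seconds consumed (user + system); elapsed time is now minus start.
proc_cpu_seconds() {
    hz=$(getconf CLK_TCK)
    echo $(( ($(stat_field "$1" 12) + $(stat_field "$1" 13)) / hz ))
}

# The file actually being executed. The COMMAND column in top is only the
# process name, which a program can set itself. A " (deleted)" suffix here
# means the binary was removed from disk after it was launched.
proc_exe() { readlink "/proc/$1/exe"; }

proc_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline"; }

# Open descriptors: 0/1/2 show the terminal, file or pipe receiving output;
# higher numbers are the files and sockets the program has opened.
proc_fds() {
    for fd in "/proc/$1/fd"/*; do
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

triage() {
    pid=$1
    echo "pid      $pid (parent $(proc_ppid "$pid"))"
    echo "exe      $(proc_exe "$pid")"
    echo "cmdline  $(proc_cmdline "$pid")"
    echo "cwd      $(readlink "/proc/$pid/cwd")"
    echo "started  $(date -d "@$(proc_start_epoch "$pid")")"
    echo "cpu      $(proc_cpu_seconds "$pid") s"
    proc_fds "$pid"
}
```

With the PID from the top output in the first post this would be run as `triage 7996`; a parent of 1 is the "run under init" case from reply #3.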
 