Intruders and worms sometimes leave behind running programs. Finding unusual processes can give you an idea of what the intruder or worm did to your system. Having a good idea of what normally runs on your system helps you decide whether a given process is supposed to be there. We suggest keeping a hard or soft copy of a list of your normal running processes, captured while the system was in a known-good state, someplace safe yet accessible, in case it's needed.
The command to use under Unix and Linux to pull up a running process list is the ubiquitous ps command. While ps itself comes standard with every version of Unix and Linux, its syntax can vary from system to system (even from one Linux system to another) depending on whether the installed ps follows BSD-style syntax or Unix SysV-style syntax. Some modern versions of ps, including the procps ps shipped with most Linux distributions, accept both.
The following ps commands show you a complete process list, along with the user the process is running as and the time the process started. If you're not sure which syntax your ps supports, it doesn't hurt to try both and see which one produces the output you need.
When using a ps that supports the BSD-style syntax, type the following at the command prompt:
When using a ps that supports the SysV-style syntax, type the following at the command prompt:
Look for any processes that seem out of the ordinary and write down or otherwise capture the information you find, along with the date and time you obtained it. Be sure to note the time that any suspicious process started and see whether it matches the time that you believe your system was attacked. Also note which user the process is running as. Bear in mind that ps reads the process table through the kernel and the ps binary itself; a rootkit that has replaced ps or hooked the kernel can hide processes from it, so when an intrusion is suspected, run ps from known-good media if you can and cross-check its output against another source such as the per-process directories under /proc.
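The procedure above, as an added example that is not part of the original article: a small POSIX shell script that saves a timestamped process listing, reduces two listings to "user command" pairs so that a later snapshot can be compared against the known-good baseline, and pulls out the user, PID and start time of any process whose command matches a pattern. It assumes `ps aux` as the BSD-style command and `ps -ef` as the SysV-style command; the file names and the two sample listings it writes are constructed for the demonstration, not captures from a real system.

```shell
#!/bin/sh
# Added example: snapshot the process table with a timestamp, compare a later
# snapshot against a known-good baseline, and report start times of suspects.
# Uses `ps aux` (BSD syntax) when the local ps accepts it, else `ps -ef` (SysV).

# snapshot_processes OUTFILE: save the full process list together with the
# capture time, the host name and which ps syntax produced it (the comparison
# functions below need to know the style to find the right columns).
snapshot_processes() {
    {
        echo "# captured: $(date -u '+%Y-%m-%dT%H:%M:%SZ') host: $(uname -n)"
        if ps aux >/dev/null 2>&1; then
            echo "# style: bsd"; ps aux
        else
            echo "# style: sysv"; ps -ef
        fi
    } > "$1"
}

# normalize_ps FILE STYLE: reduce a saved listing to sorted unique "user command"
# pairs so that PID churn and CPU counters do not show up as differences.
#   bsd : USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND  (command = field 11)
#   sysv: UID  PID PPID C STIME TTY TIME CMD                      (command = field 8)
normalize_ps() {
    case "$2" in
        bsd)  col=11 ;;
        sysv) col=8 ;;
        *)    echo "normalize_ps: unknown style '$2'" >&2; return 2 ;;
    esac
    # skip our own "# ..." comment lines and the ps header (second column "PID")
    awk -v c="$col" '/^#/ || $2 == "PID" { next } { print $1, $c }' "$1" | LC_ALL=C sort -u
}

# new_processes BASELINE CURRENT STYLE: print "user command" pairs running now
# that were absent from the baseline. These are the first candidates to examine.
new_processes() {
    b=$(mktemp) || return 1
    c=$(mktemp) || { rm -f "$b"; return 1; }
    normalize_ps "$1" "$3" > "$b"
    normalize_ps "$2" "$3" > "$c"
    LC_ALL=C comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# report_process FILE STYLE REGEX: user, PID, start time and command of every
# process whose command matches REGEX, to line up against the attack window.
report_process() {
    case "$2" in
        bsd)  start=9; col=11 ;;
        sysv) start=5; col=8 ;;
        *)    echo "report_process: unknown style '$2'" >&2; return 2 ;;
    esac
    awk -v s="$start" -v c="$col" -v re="$3" \
        '/^#/ || $2 == "PID" { next } $c ~ re { print $1, $2, $s, $c }' "$1"
}

# make_sample_files DIR: write two CONSTRUCTED BSD-style listings (not real
# captures): a clean baseline and a later snapshot containing one extra process.
make_sample_files() {
    cat > "$1/baseline.txt" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 167000 11000 ?        Ss   Mar03   0:04 /sbin/init
root       812  0.0  0.2  15500  7200 ?        Ss   Mar03   0:00 /usr/sbin/sshd -D
www-data  1034  0.0  0.3  22000 12000 ?        S    Mar03   0:01 /usr/sbin/apache2 -k start
EOF
    cat > "$1/current.txt" <<'EOF'
# captured: 2024-03-05T14:02:11Z host: web01
# style: bsd
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 167000 11000 ?        Ss   Mar03   0:04 /sbin/init
root       812  0.0  0.2  15500  7200 ?        Ss   Mar03   0:00 /usr/sbin/sshd -D
www-data  1034  0.0  0.3  22000 12000 ?        S    Mar03   0:01 /usr/sbin/apache2 -k start
www-data  4471  0.0  0.1   6000  2100 ?        S    13:58   0:00 /tmp/.x/httpd
EOF
}

# Demo on the constructed listings: run as `sh procs.sh --demo`.
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_files "$d"
    echo "== new since baseline =="; new_processes "$d/baseline.txt" "$d/current.txt" bsd
    echo "== start times of matches =="; report_process "$d/current.txt" bsd '^/tmp/'
    rm -rf "$d"
fi
```

In practice you would run `snapshot_processes baseline.txt` once on a clean system and store the file off-box, then run it again during an investigation and feed both files to `new_processes` with the style recorded in the snapshot header. Comparing only the user and executable keeps the diff readable, at the cost of missing a known program started with unusual arguments, so still read the full listing for anything the diff flags.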