pstree: Viewing the Process Tree

Every Unix process has an associated parent process. Normally, this information is visible only as the PPID field in the output of the ps command, one line per process. The pstree command uses the same parent/child information to draw a graph of all of the processes currently running.

During a break-in, the process tree can be very useful for understanding which processes were launched by the attacker and which are innocent processes that happen to be running on the same system.

With the -u option, the pstree command will show UID transitions—that is, when one process has a child that is executing under a separate UID. Another useful option is -a, which shows the entire command line that was executed. For a list of all the options, see the documentation.

Here is an example of the output of the pstree program:

% pstree -u
init-+-arpwatch
     |-cron
     |-dhcpd
     |-gdomap(nobody)
     |-8*[getty]
     |-httpd---11*[httpd(http)]
     |-inetd-+-imapd(simsong)
     |       `-sslwrap
     |-lpd
     |-master-+-2*[bounce(postfix)]
     |        |-cleanup(postfix)
     |        |-flush(postfix)
     |        |-local(postfix)
     |        |-pickup(postfix)
     |        |-qmgr(postfix)
     |        |-2*[smtp(postfix)]
     |        |-smtpd(postfix)
     |        |-tlsmgr(postfix)
     |        `-trivial-rewrite(postfix)
     |-mountd
     |-moused
     |-named
     |-nfsd---4*[nfsd]
     |-4*[nfsiod]
     |-nmbd---nmbd
     |-ntpd
     |-portmap(daemon)
     |-pwcheck
     |-rpc.statd
     |-rwhod(daemon)
     |-setiathome(nobody)
     |-slapd
     |-smbd---smbd(beth)
     |-snmpd
     |-sshd-+-sshd---tcsh(simsong)---pstree
     |      |-sshd---tcsh(simsong)---tcsh(root)
     |      `-sshd---tcsh(simsong)
     |-syslogd
     `-usbd

The line near the end of this output that reads sshd---tcsh(simsong)---tcsh(root) shows that init (executing as root) spawned an sshd process (executing as root). This process forks a child (still root-owned in this case) for each incoming connection. When simsong logged into this sshd connection, it started up a shell (tcsh) owned by simsong, and simsong has apparently managed to start a root-privileged tcsh shell (perhaps with /bin/su, but if you don't expect simsong to have the root password, this is cause for concern)!
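The following script is an added example, not code from the book or from the pstree project. It shows what pstree does with the PPID field: it rebuilds the tree from ps-style records (PID, PPID, USER, COMM), prints the tree with UID changes marked in parentheses the way pstree -u does, and then does the check the paragraph above performs by eye, listing every parent-to-child UID transition and singling out the ones where an unprivileged parent has a root-owned child. The sample ps output is constructed and mirrors the sshd/tcsh chain shown above; the record layout and all function names are assumptions of this example.

```python
"""Rebuild a process tree from ps-style records and flag UID transitions.

Added example. Input is the kind of table you would get from
`ps -eo pid,ppid,user,comm`; the rows below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in "PID PPID USER COMM" form (header line first).
SAMPLE_PS = """\
PID PPID USER COMM
1 0 root init
200 1 root sshd
201 200 root sshd
202 201 simsong tcsh
203 202 simsong pstree
210 200 root sshd
211 210 simsong tcsh
212 211 root tcsh
300 1 root master
301 300 postfix qmgr
400 1 root httpd
401 400 http httpd
"""


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    user: str
    cmd: str


def parse_ps(text):
    """Parse the header-plus-rows table into a dict keyed by PID."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, cmd = line.split(None, 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), user, cmd)
    return procs


def children_map(procs):
    """Invert the PPID field: parent PID -> list of child Proc objects."""
    kids = defaultdict(list)
    for p in procs.values():
        kids[p.ppid].append(p)
    for lst in kids.values():
        lst.sort(key=lambda p: p.pid)
    return kids


def label(procs, p):
    """Command name, with the user appended only when it differs from the parent's
    user (this is what pstree -u shows)."""
    parent = procs.get(p.ppid)
    if parent is not None and parent.user != p.user:
        return f"{p.cmd}({p.user})"
    return p.cmd


def render(procs, root_pid=1):
    """Return the tree as indented lines, one per process, children under parents."""
    kids = children_map(procs)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + label(procs, p))
        for child in kids.get(p.pid, []):
            walk(child, depth + 1)

    walk(procs[root_pid], 0)
    return lines


def lineage(procs, pid):
    """Ancestry chain from init down to pid, joined pstree-style with '---'."""
    chain = []
    p = procs[pid]
    while True:
        chain.append(label(procs, p))
        parent = procs.get(p.ppid)
        if parent is None:
            break
        p = parent
    return "---".join(reversed(chain))


def uid_transitions(procs):
    """Every parent->child edge on which the UID changes."""
    edges = []
    for p in sorted(procs.values(), key=lambda p: p.pid):
        parent = procs.get(p.ppid)
        if parent is not None and parent.user != p.user:
            edges.append((parent, p))
    return edges


def escalations(procs, privileged="root"):
    """Transitions where an unprivileged parent owns a privileged child.
    Daemons dropping from root to a service account are normal; the reverse
    direction is the pattern worth a closer look."""
    return [(a, b) for a, b in uid_transitions(procs)
            if a.user != privileged and b.user == privileged]


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print("\n".join(render(procs)))
    for parent, child in escalations(procs):
        print(f"\nunprivileged->root: {lineage(procs, child.pid)}")
```

Run on the sample, the tree prints with postfix, http and simsong marked at the points where the UID changes, and the only escalation reported is the chain init---sshd---sshd---tcsh(simsong)---tcsh(root). The direction check in escalations() is the useful part: a root daemon handing work to a less privileged child is routine, while a user-owned shell with a root-owned child is exactly the case the text tells you to question.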