I saw a command called 'sshd' that is using the BASH command (according to ps aux) to write to a file. But how to locate the code of this application that is using the bash command?
- Possible duplicate of Is there an easy way to check which program wrote to /var/log/messages? – phemmer Feb 19 '14 at 05:22
- Is this machine in a cluster? Standalone or in an office? Are you the only user? – Anthon Feb 19 '14 at 05:34
1 Answer
1
The sshd is the daemon for ssh. It is the receptive end of an (often) remote session. So the user or application communicating with the sshd will be driving the bash command.
E.g. when I ssh into my server with ssh root@server, I get a bash prompt and when I then type pstree -pa I will get (excerpt):
├─sshd,789 -D
│   ├─sshd,9306
│   │   └─bash,9488
│   │       └─pstree,9547 -pa
So there might not be code that is using the bash command in a file on your system. I can however look in /var/log/auth.log (as @slm indicates, on CentOS this info is normally in /var/log/secure) and see:
Feb 19 05:37:38 owl sshd[9558]: Accepted publickey for root from 192.168.0.101 port 52628 ssh2
Feb 19 05:37:38 owl sshd[9558]: pam_unix(sshd:session): session opened for user root by (uid=0)
Which tells me the IP address of the machine where the ssh connection originated.

Anthon
- There is no /var/log/auth.log on RH distros, they use /var/log/secure and it typically contains slightly different things, but otherwise this A is correct. – slm Feb 19 '14 at 04:44
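
The correlation the answer does by hand (process tree on one side, sshd log lines on the other) can be scripted. The following is an added example, not part of the original post: it walks up the parent chain from any process to the sshd that logged the login and returns the source address. The function names and the process table are hypothetical; the two log lines are the ones quoted in the answer, which on a real system come from /var/log/auth.log or /var/log/secure.

```python
import re

# Matches OpenSSH's "Accepted <method> for <user> from <ip> port <port>" line.
ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_accepts(lines):
    """Map sshd PID -> login details. Later lines win, since PIDs get reused."""
    accepts = {}
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            details = m.groupdict()
            accepts[int(details.pop("pid"))] = details
    return accepts

def origin_of(pid, procs, accepts):
    """Walk up the parent chain from pid to the sshd that logged the login.

    procs maps pid -> (ppid, command name), e.g. built from `ps -eo pid,ppid,comm`.
    Returns the login details, or None when no ancestor is a logged sshd
    session (for example a console login or a cron job).
    """
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, comm = procs[pid]
        if comm == "sshd" and pid in accepts:
            return accepts[pid]
        pid = ppid
    return None

# Constructed sample data: the log lines quoted in the answer, plus a made-up
# process table hanging off sshd 9558 (assumption, not taken from the page).
SAMPLE_LOG = [
    "Feb 19 05:37:38 owl sshd[9558]: Accepted publickey for root from 192.168.0.101 port 52628 ssh2",
    "Feb 19 05:37:38 owl sshd[9558]: pam_unix(sshd:session): session opened for user root by (uid=0)",
]
SAMPLE_PROCS = {
    1: (0, "init"),
    789: (1, "sshd"),      # listening daemon (sshd -D)
    9558: (789, "sshd"),   # per-connection sshd that logged "Accepted"
    9600: (9558, "bash"),  # login shell
    9612: (9600, "tee"),   # the process seen writing to a file
    4321: (1, "cron"),     # unrelated process, not under sshd
}

if __name__ == "__main__":
    print(origin_of(9612, SAMPLE_PROCS, parse_accepts(SAMPLE_LOG)))
```

Because PIDs are recycled, a match is only trustworthy when the log entry's timestamp is consistent with the start time of the sshd process found in the tree.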