I saw a command called 'sshd' that is using the BASH command (according to ps aux) to write to a file. But how do I locate the code of this application that is using the bash command?
- possible duplicate of Is there an easy way to check which program wrote to /var/log/messages? – phemmer Feb 19 '14 at 05:22
- Is this machine in a cluster? Standalone or in an office? Are you the only user? – Anthon Feb 19 '14 at 05:34
1 Answer
1
The sshd is the daemon for ssh. It is the receptive end of an (often) remote session. So the user or application communicating with the sshd will be driving the bash command.
E.g. when I ssh into my server with ssh root@server, I get a bash prompt and when I then type pstree -pa I will get (excerpt):
  ├─sshd,789 -D
  │   ├─sshd,9306
  │   │   └─bash,9488
  │   │       └─pstree,9547 -pa
So there might not be code that is using the bash command in a file on your system. I can however look in /var/log/auth.log (as @slm indicates, on CentOS this info is normally in /var/log/secure) and see:
Feb 19 05:37:38 owl sshd[9558]: Accepted publickey for root from 192.168.0.101 port 52628 ssh2
Feb 19 05:37:38 owl sshd[9558]: pam_unix(sshd:session): session opened for user root by (uid=0)
Which tells me the IP address of the machine where the ssh connection originated.
Anthon
- There is no /var/log/auth.log on RH distros, they use /var/log/secure and it typically contains slightly different things, but otherwise this A is correct. – slm Feb 19 '14 at 04:44
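The correlation the answer describes, as an added example that is not part of the original answer: walk from a suspicious process up to its sshd ancestors, then look up the "Accepted ..." entry logged under one of those sshd PIDs to get the user and source IP. The process table, the log lines and the function names are constructed for illustration; it assumes the log uses the format shown in the answer.

```python
import re

# Constructed process table (pid -> (ppid, command)), shaped like the pstree
# excerpt in the answer, plus a non-root login with a privilege-separated child.
SAMPLE_PROCS = {
    1: (0, "systemd"),
    789: (1, "sshd"),       # listening daemon
    9306: (789, "sshd"),    # per-connection sshd for the root login
    9488: (9306, "bash"),
    9547: (9488, "pstree"),
    9700: (789, "sshd"),    # privileged per-connection sshd (non-root login)
    9702: (9700, "sshd"),   # unprivileged per-session child
    9703: (9702, "bash"),
}

# Constructed log lines in the auth.log / secure format shown in the answer.
SAMPLE_AUTH_LOG = """\
Feb 19 05:30:02 owl sshd[9306]: Accepted publickey for root from 192.168.0.101 port 52611 ssh2
Feb 19 05:30:02 owl sshd[9306]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 19 05:41:10 owl sshd[9700]: Accepted password for alice from 192.168.0.57 port 40122 ssh2
"""

ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def sshd_ancestors(pid, procs):
    """Return the PIDs of every sshd process above `pid`, nearest first."""
    found, seen = [], set()
    while pid in procs and pid not in seen:   # `seen` guards against loops
        seen.add(pid)
        ppid = procs[pid][0]
        if ppid in procs and procs[ppid][1] == "sshd":
            found.append(ppid)
        pid = ppid
    return found

def login_for_process(pid, procs, auth_log):
    """Return the 'Accepted ...' fields for the SSH session owning `pid`, or None."""
    accepted = {int(m["pid"]): m.groupdict() for m in ACCEPTED.finditer(auth_log)}
    for sshd_pid in sshd_ancestors(pid, procs):
        if sshd_pid in accepted:              # the listener (789) never matches
            return accepted[sshd_pid]
    return None

if __name__ == "__main__":
    print(login_for_process(9547, SAMPLE_PROCS, SAMPLE_AUTH_LOG))
    print(login_for_process(9703, SAMPLE_PROCS, SAMPLE_AUTH_LOG))
```

On a live host the process table can be built from `ps -eo pid,ppid,comm`. PIDs are reused, so confirm that the log entry's timestamp fits the process start time before trusting the match.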