0

I saw a command called 'sshd' that is using the BASH command (according to ps aux) to write to a file. But how can I locate the code of the application that is using the bash command?

Anthon
  • 79,293
Jidrick
  • 189

1 Answer

1

The sshd is the daemon for ssh. It is the receptive end of an (often) remote session. So the user or application communicating with the sshd will be driving the bash command.

E.g. when I ssh into my server with ssh root@server, I get a bash prompt and when I then type pstree -pa I will get (excerpt):

  ├─sshd,789 -D
  │   ├─sshd,9306    
  │   │   └─bash,9488
  │   │       └─pstree,9547 -pa

So there might not be code that is using the bash command in a file on your system. I can however look in /var/log/auth.log (as @slm indicates, on CentOS this info is normally in /var/log/secure) and see:

Feb 19 05:37:38 owl sshd[9558]: Accepted publickey for root from 192.168.0.101 port 52628 ssh2
Feb 19 05:37:38 owl sshd[9558]: pam_unix(sshd:session): session opened for user root by (uid=0)

Which tells me the IP address of the machine where the ssh connection originated.

Anthon
  • 79,293
  • There is no /var/log/auth.log on RH distros, they use /var/log/secure and it typically contains slightly different things, but otherwise this A is correct. – slm Feb 19 '14 at 04:44
  • @slm had not noticed the CentOS until I read the other posts by OP – Anthon Feb 19 '14 at 04:46
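
Added example, not part of the original answer or comments: a small shell script that ties the two excerpts above together by walking from a suspicious process up to its sshd ancestors and looking up the matching "Accepted" line in the auth log. The function names, the temporary files and the sample rows are constructed for illustration; the log layout is assumed to match the lines quoted in the answer, and the logged PID is assumed to be one of the shell's sshd ancestors (not necessarily the direct parent).

```shell
#!/bin/sh
# Added example: trace a process back to the SSH login that started it.

# Print every sshd ancestor of PID $1, nearest first.
# stdin: "PID PPID COMMAND" rows, e.g. from: ps -e -o pid=,ppid=,comm=
sshd_ancestors() {
  awk -v start="$1" '
    { ppid[$1] = $2; comm[$1] = $3 }
    END {
      # hop limit guards against a malformed table that loops
      for (p = start; (p in ppid) && hops++ < 64; p = ppid[p])
        if (comm[p] == "sshd") print p
    }'
}

# Print "user ip port" for each login accepted by sshd PID $1 in log file $2.
ssh_login_source() {
  awk -v tag="sshd[$1]:" '
    # month day time host sshd[pid]: Accepted <method> for <user> from <ip> port <port>
    $5 == tag && $6 == "Accepted" { print $9, $11, $13 }' "$2"
}

# Combine both: starting PID $1, process table file $2, auth log $3.
trace_login() {
  for pid in $(sshd_ancestors "$1" < "$2"); do
    ssh_login_source "$pid" "$3"
  done
}

# Constructed sample data: PIDs follow the pstree excerpt, log lines are made up.
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/ps.txt" <<'EOF'
  789     1 sshd
 9306   789 sshd
 9488  9306 bash
 9547  9488 pstree
EOF
  cat > "$dir/auth.log" <<'EOF'
Feb 19 05:30:01 owl sshd[9306]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2
Feb 19 05:30:01 owl sshd[9306]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 19 05:37:38 owl sshd[9558]: Accepted publickey for root from 192.0.2.77 port 52628 ssh2
EOF
  trace_login 9547 "$dir/ps.txt" "$dir/auth.log"
  rm -rf "$dir"
}
demo   # prints: root 192.0.2.10 40022
```

On a live system, save the output of `ps -e -o pid=,ppid=,comm=` to a file and pass it with /var/log/auth.log (or /var/log/secure on CentOS) to `trace_login`; the listener process (`sshd -D`) is also reported as an ancestor but has no "Accepted" line of its own.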