Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: finding how a process got started

From: stephen O'D <stephen.odonnell_at_gmail.com>
Date: Tue, 14 Aug 2007 07:53:58 -0700
Message-ID: <1187103238.884815.11800@k79g2000hse.googlegroups.com>


On Aug 14, 2:36 pm, EdStevens <quetico_..._at_yahoo.com> wrote:
> Platform: Oracle 10.2.0.2.0 on HP-UX B.11.11
>
> Posting to comp.unix.admin, comp.databases.oracle.server
>
> A few weeks ago we began noticing that the .sh_history file for
> 'oracle' was being flooded with entries like this:
>
> echo Start Command; LC_ALL=C;export LC_ALL;netstat -i; echo Finish
> Command
>
> It was very annoying to be working and suddenly have your last command
> pushed way back up the line by this, but no one could account for it.
>
> Then, yesterday while running down some active procedures (unrelated
> issue) I noticed this:
>
> oracle> ps -ef |grep exp|grep -v grep
> oracle 2803 2792 0 07:38:45 ? 0:00 sh -c LC_ALL=C;export
> LC_ALL;vmstat 15
>
> Hmm, looks very much like what we are seeing in the history file.
> Chasing the lineage of the pids, I was able to construct this chain:
>
> root 985 1 0 Jun 21 ? 40:08 /opt/ssh/sbin/sshd
> root 2789 985 0 07:38:44 ? 0:00 sshd: oracle_at_notty
> <snip several children of 985>
> root 2792 985 0 07:38:44 ? 0:00 sshd: oracle_at_notty
> oracle 2803 2792 0 07:38:45 ? 0:00 sh -c LC_ALL=C;export
> LC_ALL;vmstat 15
> oracle 2808 2803 0 07:38:45 ? 0:00 vmstat 15
>
> Of interest are the first entry and the last three ... pids 1, 985,
> 2792, 2803, and 2808.
>
> I took this to our SA, hoping he could tell me where 985 came from and
> how it came to spawn 2792, but he hadn't a clue.
>
> Any ideas on how we can chase this down?

Surely this is just another user that has logged in as Oracle and issued some commands. The ssh logs may tell you the source IP of the person who logged in.

If you use bash as your shell I don't think the two histories mix up like that.

Received on Tue Aug 14 2007 - 09:53:58 CDT
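Added example, not part of the original thread or written by either poster: a Python sketch that automates the pid-lineage chase from the question and then applies the reply's suggestion of checking the ssh logs for the source address. The `ps` rows and log lines are constructed samples, and it assumes the pid in the sshd `Accepted` syslog line belongs to an sshd ancestor of the process being traced.

```python
import re

# Constructed sample modelled on the `ps -ef` listing quoted in the thread
# (columns: UID PID PPID C STIME TTY TIME CMD); the init row is invented.
PS_OUTPUT = """\
root 1 0 0 Jun 21 ? 12:01 init
root 985 1 0 Jun 21 ? 40:08 /opt/ssh/sbin/sshd
root 2789 985 0 07:38:44 ? 0:00 sshd: oracle@notty
root 2792 985 0 07:38:44 ? 0:00 sshd: oracle@notty
oracle 2803 2792 0 07:38:45 ? 0:00 sh -c LC_ALL=C;export LC_ALL;vmstat 15
oracle 2808 2803 0 07:38:45 ? 0:00 vmstat 15
"""

# Constructed syslog lines in OpenSSH's "Accepted ..." format (placeholder host and IPs).
AUTH_LOG = """\
Aug 14 07:38:44 dbhost sshd[2789]: Accepted publickey for oracle from 192.0.2.77 port 40110 ssh2
Aug 14 07:38:44 dbhost sshd[2792]: Accepted publickey for oracle from 192.0.2.10 port 40112 ssh2
"""

ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")

def parse_ps(text):
    procs = {}  # pid -> {uid, ppid, cmd}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[1].isdigit():
            continue  # header or short line
        # STIME is one token for today's processes ("07:38:45") but two for
        # older ones ("Jun 21"), which shifts where CMD starts.
        cmd_at = 7 if ":" in f[4] else 8
        procs[int(f[1])] = {"uid": f[0], "ppid": int(f[2]), "cmd": " ".join(f[cmd_at:])}
    return procs

def lineage(procs, pid):
    chain = []  # [pid, parent, grandparent, ...]
    while pid in procs and pid not in chain:  # second test guards against loops
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain

def login_source(procs, pid, log_text):
    """Find the nearest ancestor whose pid appears in an sshd 'Accepted' line."""
    logins = {int(m.group(1)): m.groups()[1:] for m in ACCEPT.finditer(log_text)}
    for p in lineage(procs, pid):
        if p in logins:
            method, user, ip, port = logins[p]
            return {"sshd_pid": p, "user": user, "ip": ip, "port": int(port), "method": method}
    return None
```

Calling `login_source(parse_ps(PS_OUTPUT), 2808, AUTH_LOG)` walks up from the `vmstat 15` process and reports the login recorded for sshd pid 2792 rather than the sibling session 2789.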
