Jump into vmcore analysis – Step 7

If the vmcore was triggered by a person rather than by a kernel bug, and you want to find out who that was, you need to look at the process that was running at the time and at its ancestors.

The crash 'ps' command has several options for this. The steps below use 'ps -a' (which prints the process's arguments and environment) and 'ps -p' (which prints its parent chain up to init).

crash> ps -a 6326
PID: 6326   TASK: ffff810402165820  CPU: 1   COMMAND: "fuser"
ARG: fuser /var/mcm/ 
ENV: HOSTNAME=myhost
     SHELL=/bin/bash
     TERM=xterm
     HISTSIZE=5000
     HISTFILESIZE=5000
     USER=root
     LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
     MAIL=/var/spool/mail/root
     PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/usr/lpp/mmfs/bin
     INPUTRC=/etc/inputrc
     PWD=/root
     LANG=en_US.UTF-8
     SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
     SHLVL=1
     HOME=/root
     LOGNAME=root
     LESSOPEN=|/usr/bin/lesspipe.sh %s
     G_BROKEN_FILENAMES=1

 
crash> ps -p 6326
PID: 0      TASK: ffffffff80319b60  CPU: 0   COMMAND: "swapper"
 PID: 1      TASK: ffff8104c007b040  CPU: 10  COMMAND: "init"
  PID: 8002   TASK: ffff8108fffca0c0  CPU: 11  COMMAND: "sshd"
   PID: 21526  TASK: ffff81042ee027e0  CPU: 1   COMMAND: "sshd"
    PID: 21528  TASK: ffff8104342f1080  CPU: 3   COMMAND: "sshd"
     PID: 21529  TASK: ffff81041c276040  CPU: 1   COMMAND: "ksh"
      PID: 21609  TASK: ffff8104432b9820  CPU: 1   COMMAND: "bash"
       PID: 21631  TASK: ffff8104342db7e0  CPU: 13  COMMAND: "sudo"
        PID: 21632  TASK: ffff8108d5300820  CPU: 9   COMMAND: "su"
         PID: 21633  TASK: ffff810440c22820  CPU: 2   COMMAND: "bash"
          PID: 6326   TASK: ffff810402165820  CPU: 1   COMMAND: "fuser"
 
crash> ps -a 21609
PID: 21609  TASK: ffff8104432b9820  CPU: 1   COMMAND: "bash"
ARG: bash 
ENV: _=*21529*/bin/bash
     G_BROKEN_FILENAMES=1
     HISTSIZE=1000
     HOME=/home/sungju
     HOSTNAME=myhost
     INPUTRC=/etc/inputrc
     LANG=en_US.UTF-8
     LESSOPEN=|/usr/bin/lesspipe.sh %s
     LOGNAME=sungju
     LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
     MAIL=/var/spool/mail/sungju
     PATH=/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin
     PWD=/home/sungju
     SHELL=/usr/bin/ksh
     SHLVL=1
     SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
     SSH_CLIENT=10.XXX.XXX.XX 58194 22
     SSH_CONNECTION=10.XXX.XXX.XX 58194 XX.XX.XXX.XX 22
     SSH_TTY=/dev/pts/2
     TERM=xterm
     USER=sungju
     A__z="*SHLVL

From the output above you can see that the session came in over ssh from the address in 'SSH_CLIENT', and 'USER' tells you who logged in. In this case the user 'sungju', connected from '10.XXX.XXX.XX', became root via 'sudo' and 'su' (both visible in the 'ps -p' chain) and then ran 'fuser /var/mcm/'. Note that the environment of the 'fuser' process itself (and of the root 'bash' that started it) carries neither SSH_* variables nor the original user's name, because the switch to root reset the environment; that is why you have to walk up the parent chain until you reach the shell that still holds the login environment. Also keep in mind that the environment is read from the process's own memory and a user can set it to anything, so treat it as a lead and corroborate it with the sshd ancestry shown by 'ps -p' and with the authentication logs on the host.

As an added example that is not part of the original post, here is a small Python script that automates the walk described above: it parses the text printed by crash's 'ps -p' and 'ps -a', climbs from the target process toward init until it reaches a process whose environment still contains SSH_CLIENT, and records which credential-changing commands ('sudo', 'su') were crossed on the way. The sample output embedded in it is constructed from the listings above (with the masked addresses kept as they appear here, and the long LS_COLORS values dropped); the function names and the rule that SSH_CLIENT marks the login shell are assumptions of this example, not crash features.

```python
"""Attribute a process found in a vmcore to the human who started it.

Added example (not from the original post). It parses the output of crash's
'ps -p <pid>' (ancestor chain) and 'ps -a <pid>' (args + environment) and
walks up the chain until it finds a process whose environment still carries
the SSH_CLIENT / USER variables that a login shell inherits.

The sample output below is constructed from the page's listings; the IP
addresses are masked exactly as on the page.
"""
import re
from typing import Dict, List, Optional, Tuple

# One 'PID: ... TASK: ... CPU: ... COMMAND: "..."' line as crash prints it.
PS_LINE = re.compile(
    r'PID:\s*(?P<pid>\d+)\s+TASK:\s*(?P<task>[0-9a-f]+)\s+'
    r'CPU:\s*(?P<cpu>\d+)\s+COMMAND:\s*"(?P<cmd>[^"]*)"')

# Commands that change credentials. Crossing one of them on the way up is
# why the target's own environment no longer names the original user.
ESCALATORS = {"sudo", "su"}


def parse_ps_p(text: str) -> List[Tuple[int, str]]:
    """Parse 'ps -p' output into [(pid, command), ...], init first, target last."""
    chain = []
    for line in text.splitlines():
        m = PS_LINE.search(line)
        if m:
            chain.append((int(m.group("pid")), m.group("cmd")))
    return chain


def parse_ps_a(text: str) -> Tuple[int, str, str, Dict[str, str]]:
    """Parse 'ps -a' output into (pid, command, argv string, environment)."""
    pid, cmd, args, env = -1, "", "", {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = PS_LINE.search(line)
        if m:
            pid, cmd = int(m.group("pid")), m.group("cmd")
        elif stripped.startswith("ARG:"):
            args = stripped[4:].strip()
        else:
            if stripped.startswith("ENV:"):  # first env line carries the label
                stripped = stripped[4:].strip()
            key, sep, value = stripped.partition("=")  # split on the FIRST '='
            if sep:
                env[key] = value
    return pid, cmd, args, env


def attribute(chain: List[Tuple[int, str]],
              envs: Dict[int, Dict[str, str]]) -> Optional[dict]:
    """Walk from the target up toward init and report who started it.

    envs maps pid -> environment (from 'ps -a' on each ancestor of interest).
    Returns None when no ancestor in envs still carries SSH_CLIENT.
    """
    crossed = []
    for pid, cmd in reversed(chain):
        env = envs.get(pid, {})
        if "SSH_CLIENT" in env:
            return {
                "origin_pid": pid,
                "user": env.get("USER") or env.get("LOGNAME"),
                "ssh_client": env["SSH_CLIENT"].split()[0],
                "tty": env.get("SSH_TTY"),
                "escalated_via": list(reversed(crossed)),  # login-shell order
            }
        if cmd in ESCALATORS:
            crossed.append(cmd)
    return None


def investigate(ps_p_text: str, ps_a_texts: List[str]) -> Optional[dict]:
    """Glue: one 'ps -p' listing plus any number of 'ps -a' listings."""
    envs = {}
    for text in ps_a_texts:
        pid, _cmd, _args, env = parse_ps_a(text)
        envs[pid] = env
    return attribute(parse_ps_p(ps_p_text), envs)


# Constructed sample input, taken from the listings on this page.
PS_P_OUTPUT = """\
PID: 0      TASK: ffffffff80319b60  CPU: 0   COMMAND: "swapper"
 PID: 1      TASK: ffff8104c007b040  CPU: 10  COMMAND: "init"
  PID: 8002   TASK: ffff8108fffca0c0  CPU: 11  COMMAND: "sshd"
   PID: 21526  TASK: ffff81042ee027e0  CPU: 1   COMMAND: "sshd"
    PID: 21528  TASK: ffff8104342f1080  CPU: 3   COMMAND: "sshd"
     PID: 21529  TASK: ffff81041c276040  CPU: 1   COMMAND: "ksh"
      PID: 21609  TASK: ffff8104432b9820  CPU: 1   COMMAND: "bash"
       PID: 21631  TASK: ffff8104342db7e0  CPU: 13  COMMAND: "sudo"
        PID: 21632  TASK: ffff8108d5300820  CPU: 9   COMMAND: "su"
         PID: 21633  TASK: ffff810440c22820  CPU: 2   COMMAND: "bash"
          PID: 6326   TASK: ffff810402165820  CPU: 1   COMMAND: "fuser"
"""

PS_A_FUSER = """\
PID: 6326   TASK: ffff810402165820  CPU: 1   COMMAND: "fuser"
ARG: fuser /var/mcm/ 
ENV: HOSTNAME=myhost
     SHELL=/bin/bash
     USER=root
     HOME=/root
     LOGNAME=root
"""

PS_A_BASH = """\
PID: 21609  TASK: ffff8104432b9820  CPU: 1   COMMAND: "bash"
ARG: bash 
ENV: _=*21529*/bin/bash
     HOME=/home/sungju
     LOGNAME=sungju
     SHELL=/usr/bin/ksh
     SSH_CLIENT=10.XXX.XXX.XX 58194 22
     SSH_CONNECTION=10.XXX.XXX.XX 58194 XX.XX.XXX.XX 22
     SSH_TTY=/dev/pts/2
     USER=sungju
"""

if __name__ == "__main__":
    print(investigate(PS_P_OUTPUT, [PS_A_FUSER, PS_A_BASH]))
```

In practice you would paste the real 'ps -p' listing and then run 'ps -a' on each ancestor between the target and the sshd children, feeding those listings to investigate(); if it returns None, no ancestor you examined still had the login environment, so either go further up the chain or fall back to the host's authentication logs.
<test>
r = investigate(PS_P_OUTPUT, [PS_A_FUSER, PS_A_BASH])
assert r is not None
assert r["user"] == "sungju"
assert r["origin_pid"] == 21609
assert r["ssh_client"] == "10.XXX.XXX.XX"
assert r["tty"] == "/dev/pts/2"
assert r["escalated_via"] == ["sudo", "su"]
assert parse_ps_p(PS_P_OUTPUT)[-1] == (6326, "fuser")
assert parse_ps_p(PS_P_OUTPUT)[0] == (0, "swapper")
assert len(parse_ps_p(PS_P_OUTPUT)) == 11
pid, cmd, args, env = parse_ps_a(PS_A_FUSER)
assert (pid, cmd, args) == (6326, "fuser", "fuser /var/mcm/")
assert env["USER"] == "root"
assert "SSH_CLIENT" not in env
assert parse_ps_a(PS_A_BASH)[3]["_"] == "*21529*/bin/bash"
assert investigate(PS_P_OUTPUT, [PS_A_FUSER]) is None
</test>
