Processes in the last 24 hrs...

Status
Not open for further replies.

BIS

Technical User
Jun 1, 2001
1,894
NL
Hello,

I have a small question.

I have a box from which I am pretty certain a process is running once a day that ftp's a file to another server. This is done via some sort of script as I can see nothing in the cron-tab (I have root access).

Is there a command that will show me what processes have run in the last 24 hours so I can nail down the script?

Many thanks in advance.
 
do you know which user it is run as?
do you think it is directly run from cron?

i haven't yet found any process watching commands that will show previous processes ...
the who command only tells you who and where and at what time a connection was made ... but i believe that works off logins not cron/at/script commands.

you could get hold of a processor watcher and run it, but if the process doesn't exist for long then you may not spot it.

if it is mailing a file you don't want sent, you could put a delay on the mail queue at night, and get it to flush later.

if it's a cron command and you know the time, you could look in /var/cron/log ... or look at /var/spool/cron/crontabs/* or /var/spool/cron/atjobs/*
 
It is not run as cron that's for sure. I am also sure it is sending a file via ftp (which is good - it is supposed to).
I didn't write the scripts, so I have no idea when and how the file gets from server a to server b - only that on server b I receive the file via ftp.

What I was hoping was to scroll through everything that happened in the last 24 hours so as to find the script that does the ftp transfer. Would there be a log of this somewhere perhaps?
 
Could it be that the script is actually on the other server and is run from that machine's crontab, pulling the file rather than pushing it?
 
you could set up the ftpd with the -l flag to log processes ...
 
unfortunately no....

:-(
 
no? do you not have sys privs? or is it due to lots of ftp traffic? ...
 
jad - could you tell me how to do that (sorry if I come across as a moron).
 
ahh, ok ...

in /etc/inetd.conf there is a line with in.ftpd

there should be a line that goes something like:
Code:
ftp     stream  tcp     nowait  root     /usr/sbin/in.ftpd    in.ftpd
change it to:
Code:
ftp     stream  tcp     nowait  root     /usr/sbin/in.ftpd    in.ftpd -l

then restart inetd ...
Code:
pkill -HUP inetd

then you will get messages in /var/log/syslog ...

there will be lots though.
 
jad - the no was to KenCunningham's question. I would like to set up the log file. just not sure how to ...
 
the ftp thing only logs incoming ftp sessions.

if you wanted to record the outgoing sessions you would have to change the ftp daemon on the other machine.
 
Man - we are all typing at the same time! What an amazing forum this is - and thank you, I am grateful for the help.

Hmm, as this is outgoing I am stuck again. I could do it on the other machine, but as the whole point is to try to find out what script is doing the ftp that wouldn't be much help...

If I get the time stamp from the other machine, and then set up cron to do something like ps -ef at the time, and pipe this to a file, would ps show the process running?
 
BIS, that seems to be one solution anyway - I'd set your cron for ps to run every minute for, say, 10 minutes before and after the timestamp of the file. HTH.
 
possibly ... but only possibly ... ps acts quickly ... but then again so might the ftp program ...

and as Ken said it might be fetching from the other machine, or even doing an rsh and piping the files across.
 
Incidentally, if you need smaller increments than cron can manage (i.e. 1 minute), write a little script as follows and execute this through cron every minute, replacing the 30 with whatever number of seconds you wish. That should give you more of a chance of 'catching' the process in question:

ps -ef >> pslist
sleep 30
ps -ef >> pslist

Cheers
 
Don't mean to state the obvious concerning my last post, but if you altered the interval, you would also need to add further sleep and ps commands appropriately. Then again, there's always loops!
 
if you were feeling sneaky, you could do a ps earlier than you wanted, then just do incremental diffs to a file ... :)
 
you would of course have to remove ps's and grep's from the process list before you diff'ed :)
 
Why not move your /usr/bin/ftp binary aside, and replace it with a script containing:

/usr/proc/bin/ptree $$ > /tmp/ptree.out

That would show you how it's being called in a jiffy.

Annihilannic.
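
The sampling, diffing and parent-lookup ideas from the posts above, combined into one script as an added example that is not any poster's code: it takes repeated ps snapshots, logs only processes that were absent from the previous snapshot, and records each one's parent chain so the calling script appears next to the ftp process. The file name procwatch.sh, the log path and the default interval are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Names, paths and defaults are assumptions.

# snapshot SELF: list "pid ppid user args" for every process, whitespace
# squeezed and sorted, omitting SELF and its children (the ps/awk/sort below).
snapshot() {
    ps -e -o pid= -o ppid= -o user= -o args= |
        awk -v self="$1" '$1 != self && $2 != self { $1 = $1; print }' |
        LC_ALL=C sort
}

# new_procs PREV CUR: lines that are in sorted snapshot CUR but not in PREV.
new_procs() {
    LC_ALL=C comm -13 "$1" "$2"
}

# ancestry SNAP PID: PID's line, then its parent's, and so on up to the root.
ancestry() {
    awk -v pid="$2" '
        { ppid[$1] = $2; line[$1] = $0 }
        END {
            while (pid in line) {
                print line[pid]
                if (ppid[pid] == pid) break
                pid = ppid[pid]
            }
        }' "$1"
}

# watch_procs INTERVAL COUNT LOG: log each new process and its parent chain.
watch_procs() {
    interval=$1 count=$2 log=$3
    prev=$(mktemp) cur=$(mktemp)
    snapshot $$ > "$prev"
    while [ "$count" -gt 0 ]; do
        sleep "$interval"
        snapshot $$ > "$cur"
        new_procs "$prev" "$cur" | while read -r pid rest; do
            echo "== $(date '+%Y-%m-%d %H:%M:%S') new pid $pid"
            ancestry "$cur" "$pid"
        done >> "$log"
        cp "$cur" "$prev"
        count=$((count - 1))
    done
    rm -f "$prev" "$cur"
}

# Runs only when asked: sh procwatch.sh run [interval] [count] [logfile]
if [ "${1:-}" = run ]; then watch_procs "${2:-5}" "${3:-12}" "${4:-/var/tmp/procwatch.log}"; fi
```

A transfer that starts and finishes between two samples is still missed, so keep the interval short around the timestamp of the file on the receiving server.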
 