Suspicious activities on SSH. How do we decrypt these characters?

Hi guys,


I just ran strace on one of the SSH processes on my server, and this is what I got. The strings in the read() and write() calls look like octal codes to me.
How do we decrypt them to get something more meaningful?

[email protected] [~]# strace -p 22696
Process 22696 attached - interrupt to quit
select(13, [3 7], [], NULL, NULL
) = 1 (in [3])
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
read(3, "\4\250\262\372\253\27*\222\323\307|\330[\227\0371i>}H\307\354\6\266\1779W\214\217\201\2748"..., 16384) = 68
write(3, "\346]\261\344\370\212\263\243\207\17\27\34\247\347t\221/Q\221\351\221VR\254P\364o\372\243\265P\245"..., 36) = 36
select(13, [3 7], [], NULL, NULL) = 1 (in [3])
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
read(3, "]!A\250\22q1\357\350\211\217J\246\224<\251)#4\314\203DZ\245\244\273\25\221\205\312R\6"..., 16384) = 68
write(3, "\0064#=#L\206\357\24K\'(\365\343k\233,#BB\251\303Md3\270\227\365QL\25s"..., 36) = 36
select(13, [3 7], [], NULL, NULL) = 1 (in [3])
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
read(3, "\'\350j\35\271\340W\216d\207\316\321<<\306\243\306B\35\[email protected](\302\212\227\203\266\2m"..., 16384) = 68
write(3, "\371\206\t.\r\330\312\300\1dW( 1\367\27\257\251\24\354\t\330\250\263}\275\214\177\215x\245$"..., 36) = 36
select(13, [3 7], [], NULL, NULL) = 1 (in [3])
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
read(3, "\337\2439\247,ZD\364X\261s[\376\241\214\273\350\207\314\24i\213^\207\275\2424\257.P\355\16"..., 16384) = 68
write(3, "\320\300\307P&UwS0\334e8u\227p\317\261\335n6\16\327\24\220\375\4\0249mS\331\23"..., 36) = 36
select(13, [3 7], [], NULL, NULL) = 1 (in [3])
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
read(3, "\371\260\225\225\364}\37\277D\24\320\207ZB\302\253a\253\246k\232\260\303\216\26[\240_\355L/\202"..., 16384) = 68
write(3, "i\346\177bN\372\233M\4\343\2512+\255\225\273\tW\275\241\3411\341h\21\202\225\361\230\252%\304"..., 36) = 36
select(13, [3 7], [], NULL, NULL) = 1 (in [3])
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
read(3, "\220\204C\234uD\332\260\35f\324\2712^\2337\253\252\34\323\vy\20\254\377\246\302\336\230\30\223\262"..., 16384) = 68
write(3, "\r\202\331\372Y\25p\33\357\347\367\251\307\305\312\21\275x\22\274c\314\333\354ak$\3668\320\267\372"..., 36) = 36
select(13, [3 7], [], NULL, NULL