strace is your friend. To see what a suspicious process is doing try this
strace -p <process id>To spy on a pseudoterminal, identify the process-id associated with it and
strace -e read,write -p <process id>A Perl wrapper called ttylog is available for the above which nicely formats the output.
...previous | up (conts) | next... |