Differences
This shows you the differences between two versions of the page.
| blog:rkhunter_debian [2011-11-10 08:09] – brb | blog:rkhunter_debian [2011-11-10 08:09] (current) – brb |
|---|---|
| If you do manage to cd into the /proc/<pid> directory, then it's likely you have a problem. Interesting things to do once you're in the /proc/<pid> directory include: | If you do manage to cd into the /proc/<pid> directory, then it's likely you have a problem. Interesting things to do once you're in the /proc/<pid> directory include: |
| 1) "cat cmdline" should give you the name the process is running under | - "cat cmdline" should give you the name the process is running under |
| 2) "sudo cat environ \| perl -pe 's/\000/\n/g'" gets you the environment variable settings for the process | - "sudo cat environ \| perl -pe 's/\000/\n/g'" gets you the environment variable settings for the process |
| 3) "sudo ls -l fd" shows you what files the process currently has open | - "sudo ls -l fd" shows you what files the process currently has open |
| 4) "sudo ls -l cwd" shows you the current working directory of the process (which could be interesting if the process was started by the attacker from their rootkit installation directory) | - "sudo ls -l cwd" shows you the current working directory of the process (which could be interesting if the process was started by the attacker from their rootkit installation directory) |
| There's plenty of other cool stuff you can do with the various bits of information under /proc, but the above should be enough to help you figure out what the process(es) are doing and how much trouble you're in. | There's plenty of other cool stuff you can do with the various bits of information under /proc, but the above should be enough to help you figure out what the process(es) are doing and how much trouble you're in. |
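As an added example (not part of the original post or either revision of it), a POSIX shell script that collects the four /proc facts listed above for one PID and flags PIDs that exist in /proc but are missing from ps output, the situation the post says means you have a problem. It assumes a Linux procfs and a procps-style ps, and converts NUL separators with tr instead of the post's perl one-liner.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes Linux /proc and a
# ps that supports "-p PID -o pid=" (procps). Run as root to read other users'
# environ and fd entries, as the post notes with its sudo prefixes.

# argv of a process, NULs turned into spaces (empty for kernel threads).
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null | sed 's/ $//'
}

# Environment of the process, one KEY=VALUE per line.
proc_environ() {
    tr '\0' '\n' < "/proc/$1/environ" 2>/dev/null
}

# Current working directory (where the process was started from).
proc_cwd() {
    readlink "/proc/$1/cwd" 2>/dev/null
}

# Open file descriptors as "fd -> target" (sockets show as socket:[inode]).
proc_fds() {
    for fd in "/proc/$1/fd"/*; do
        [ -L "$fd" ] || continue   # skip when the dir is unreadable or empty
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

# Exit 0 if $1 has a /proc entry but ps does not report it, else 1.
# A process that exits between the two checks gives a false positive; rerun.
proc_hidden() {
    [ -d "/proc/$1" ] || return 1
    ps -p "$1" -o pid= >/dev/null 2>&1 && return 1
    return 0
}

# Print every PID visible in /proc that ps does not list, with its details.
find_hidden_pids() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        proc_hidden "$pid" || continue
        printf 'hidden pid %s: cmdline=[%s] cwd=[%s]\n' \
            "$pid" "$(proc_cmdline "$pid")" "$(proc_cwd "$pid")"
        proc_fds "$pid"
    done
}
```

Run `find_hidden_pids` as root; an empty result means every /proc entry was also reported by ps.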