How can I find hidden processes on my server? (linux)
The following line can be used to list out all running processes, regardless of whether or not they show up in 'top'.
mypid=`sysctl kernel.pid_max | cut -d " " -f3`; for rkit in `seq 1 $mypid`; do \
test -f /proc/$rkit/cmdline && (echo -n "[$rkit] "; strings /proc/$rkit/cmdline; echo); done
Running this from a shell prints quite a bit of output, so it is suggested that you redirect it to a file. To do that, you only need to modify the command like so:
mypid=`sysctl kernel.pid_max | cut -d " " -f3`; for rkit in `seq 1 $mypid`; do \
test -f /proc/$rkit/cmdline && (echo -n "[$rkit] "; strings /proc/$rkit/cmdline; echo) >> /root/processes.txt; done
This should allow you to find anything hidden by a rootkit, or by other users for that matter. Note that each of the commands above goes on one line: the \ character is there only to split the line on your screen, and should be removed if you paste the command into an SSH session.