Hidden pid files in proc?
2005-06-28 - By Marcos A. Mondragon
We have some scripts that use a kill -0 $pid to determine whether or not a process needs to be started/stopped or killed for our daily operations. We noticed recently that sometimes the kill -0 returns as if the process was found to be running, but the process referenced by the pid is not seen via ps or lsof. Investigating further, we were able to find that the pids that are referencing these processes are in the /proc file system -- but they were hidden with a '.' in front of the pid (i.e. .14009).
We started looking at how these got named this way and we found some information regarding a possible breach or a rootkit installation, but by using chkrootkit and listps it seems that the .pids actually referenced a legitimate process at one time.
Does anyone have an idea of how these .pid files are created versus a regular pid and how we would determine whether or not the process referenced by the .pid is actually running?
Thanks,
Marc Mondragon
-- Marc Mondragon
Fox River Financial Resources/Ritchie Capital Investments, Ltd. 2100 Enterprise Avenue Geneva, IL 60134 marcmo@(protected)
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list
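An added example, not part of the original post or the list's replies: a shell check that separates "kill -0 succeeded" from "this number names a whole process that ps would list", by reading Tgid from /proc/<pid>/status and flagging dot-prefixed entries such as the .14009 mentioned above. The function names and the sample tree are constructed; reading a Tgid that differs from the PID as "this is a thread ID" holds on current Linux kernels and is an assumption for the kernel in the post.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed, not from the post.

# classify_pid PID [PROC_ROOT] prints one of:
#   process      status file exists and Tgid equals PID (thread-group leader)
#   thread:TGID  status file exists but PID is a thread of process TGID
#   dot-entry    only PROC_ROOT/.PID exists, as with the .14009 in the post
#   unknown      status file exists but has no Tgid line
#   absent       nothing under PROC_ROOT for this number
classify_pid() {
    _pid=$1
    _root=${2:-/proc}
    case $_pid in
        ''|*[!0-9]*) echo invalid; return 2 ;;
    esac
    if [ -r "$_root/$_pid/status" ]; then
        _tgid=$(awk '$1 == "Tgid:" { print $2; exit }' "$_root/$_pid/status")
        if [ -z "$_tgid" ]; then echo unknown
        elif [ "$_tgid" = "$_pid" ]; then echo process
        else echo "thread:$_tgid"
        fi
    elif [ -d "$_root/.$_pid" ]; then
        echo dot-entry
    else
        echo absent
    fi
}

# pid_is_live_process PID [PROC_ROOT]: true only when kill -0 succeeds AND the
# number names a whole process. kill -0 also fails with EPERM for a process
# owned by another user, so run this as the owner or as root.
pid_is_live_process() {
    kill -0 "$1" 2>/dev/null || return 1
    [ "$(classify_pid "$1" "${2:-/proc}")" = process ]
}

# make_sample_proc builds a constructed /proc-like tree and prints its path.
make_sample_proc() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/14000" "$_d/14001" "$_d/.14009"
    printf 'Name:\tdaemon\nTgid:\t14000\nPid:\t14000\n' > "$_d/14000/status"
    printf 'Name:\tdaemon\nTgid:\t14000\nPid:\t14001\n' > "$_d/14001/status"
    echo "$_d"
}
```

A start/stop script would call pid_is_live_process on the PID from its pid file and treat a "thread:" or "dot-entry" result from classify_pid as a stale or reused number that needs a closer look.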