Hidden pid files in proc?
2005-06-28 - By Arjan van de Ven

On Tue, 2005-06-28 at 15:30 -0500, Marcos A. Mondragon wrote:
> All-
>
> We have some scripts that use a kill -0 $pid to determine whether or not
> a process needs to be started/stopped or killed for our daily
> operations. We noticed recently that sometimes the kill -0 returns as
> if process was found to be running but the process referenced by the pid
> is not seen via ps or lsof. Investigating further we were able to find
> that the pid's that are referencing these processes are in the /proc
> file system -- but they were hidden with a '.' in front of the pid
> (ie .14009).
>
> We started looking at how these got named this way and we found some
> information regarding a possible breach or a root kit installation but
> by using chkrootkit and listps it seems that the .pid's actually
> referenced a legitimate process at one time.
>
> Does anyone have an idea of how these .pid files are created versus a
> regular pid and how we would determine whether or not the process
> referenced by the .pid is actually running?

in rhel3, .pid ones are subthreads of other processes
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list
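
Following the reply above, an added example (not code from the thread or from Red Hat) of how a script could tell a thread ID apart from a missing process when `kill -0` succeeds but `ps` shows nothing. The function name `classify_pid` and the `PROC_ROOT` parameter are hypothetical, and it assumes the `status` file under the dot-prefixed entry carries the usual `Tgid:` field.

```shell
#!/bin/sh
# Added example: classify a PID that answers `kill -0` but is missing from ps.
# classify_pid PID [PROC_ROOT]
#   prints "leader", "thread-of <tgid>", "unknown" or "absent"
# PROC_ROOT defaults to /proc; it is a parameter only so the function can be
# run against a constructed directory tree.
classify_pid() {
    pid=$1
    root=${2:-/proc}
    status=
    # RHEL3 layout described in the reply: threads appear as /proc/.<tid>.
    # On later kernels /proc/<tid> opens by name even though a directory
    # listing of /proc omits it, so the plain path is tried first.
    for dir in "$root/$pid" "$root/.$pid"; do
        if [ -r "$dir/status" ]; then
            status=$dir/status
            break
        fi
    done
    if [ -z "$status" ]; then
        echo absent
        return 1
    fi
    # Tgid is the thread group leader, the PID that ps lists by default.
    # (Assumption: the status file has a "Tgid:" line.)
    tgid=$(awk '$1 == "Tgid:" { print $2; exit }' "$status")
    if [ -z "$tgid" ]; then
        echo unknown
        return 2
    fi
    if [ "$tgid" = "$pid" ]; then
        echo leader
    else
        echo "thread-of $tgid"
    fi
}

# Stand-alone use: ./classify_pid.sh 14009
if [ "$#" -gt 0 ]; then
    classify_pid "$@"
fi
```

A result of `thread-of <tgid>` means the ID belongs to a live thread of process `<tgid>`, so the owning process is what to look up with `ps` or `lsof`.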