Hidden pid files in proc? 2005-06-29 - By Marcos A. Mondragon
> On Tue, 2005-06-28 at 15:30 -0500, Marcos A. Mondragon wrote:
> > All-
> >
> > We have some scripts that use a kill -0 $pid to determine whether or not
> > a process needs to be started/stopped or killed for our daily
> > operations. We noticed recently that sometimes the kill -0 returns as
> > if process was found to be running but the process referenced by the pid
> > is not seen via ps or lsof. Investigating further we were able to find
> > that the pid's that are referencing these processes are in the /proc
> > file system -- but they were hidden with a '.' in front of the pid
> > (ie .14009).
> >
> > We started looking at how these got named this way and we found some
> > information regarding a possible breach or a root kit installation but
> > by using chkrootkit and listps it seems that the .pid's actually
> > referenced a legitimate process at one time.
> >
> > Does anyone have an idea of how these .pid files are created versus a
> > regular pid and how we would determine whether or not the process
> > referenced by the .pid is actually running?
>
> in rhel3, .pid ones are subthreads of other processes
>
Arjan,
Thanks, we suspected something like that but were unable to confirm or deny it. So, next question, probably obvious: how would one go about finding the "true" parent process?
Marc Mondragon
-- Marc Mondragon
Fox River Financial Resources/Ritchie Capital Investments, Ltd. 2100 Enterprise Avenue Geneva, IL 60134 marcmo@(protected)
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list
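One way to map a `.pid` thread entry back to the process that `ps` lists, as an added example that is not part of the original messages: read the `Tgid:` field of the entry's `status` file, which names the thread-group leader. It assumes the `.pid` entry exposes a `status` file with the standard Linux `Name:`, `Tgid:` and `PPid:` fields; `resolve_owner`, `build_sample_proc` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the /proc entry has a
# status file carrying the usual Name:, Tgid: and PPid: lines.

# resolve_owner ID [PROC_ROOT]
# Prints whether ID is a thread-group leader or a thread, and of which process.
resolve_owner() {
    id=$1
    root=${2:-/proc}
    status=
    # Plain entry first, then the dot-prefixed thread entry described above.
    for cand in "$root/$id/status" "$root/.$id/status"; do
        if [ -r "$cand" ]; then status=$cand; break; fi
    done
    if [ -z "$status" ]; then
        echo "gone $id"
        return 1
    fi
    name=$(awk '$1 == "Name:" {print $2}' "$status")
    tgid=$(awk '$1 == "Tgid:" {print $2}' "$status")
    ppid=$(awk '$1 == "PPid:" {print $2}' "$status")
    if [ "$tgid" = "$id" ]; then
        echo "process $id name=$name ppid=$ppid"
    else
        # Tgid differs from the ID: this is a thread of process $tgid.
        echo "thread $id of tgid=$tgid name=$name ppid=$ppid"
    fi
}

# Constructed sample tree: leader 14000 plus a hidden thread entry .14009.
build_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/14000" "$d/.14009"
    printf 'Name:\tdaemon\nState:\tS (sleeping)\nTgid:\t14000\nPid:\t14000\nPPid:\t1\n' \
        > "$d/14000/status"
    printf 'Name:\tdaemon\nState:\tS (sleeping)\nTgid:\t14000\nPid:\t14009\nPPid:\t1\n' \
        > "$d/.14009/status"
    echo "$d"
}

sample=$(build_sample_proc)
resolve_owner 14009 "$sample"
resolve_owner 14000 "$sample"
rm -rf "$sample"
```

A script that gates on `kill -0 $pid` can call `resolve_owner "$pid"` and treat a `thread` result as "the owning process is `tgid`", then check that process with `ps -p`.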