How to inspect a deleted process file

by Team Sansec

Published in Guides

eComscan will detect and report server processes whose original executable file is no longer present on disk. Malicious processes often delete their own executable to avoid detection, so a deleted process file is an indication that the process might be malicious.

Inspect the process

It is important to verify whether a process is indeed malicious. The following commands can be used to learn more about the process in question. Replace every <pid> with the reported process ID number.

# Start time of the process
ps -o pid,lstart,cmd -p <pid>

# All open files and sockets of the process
lsof -np <pid>

# Generic checks on the process (environ and cmdline are NUL-separated, so split them into lines)
tr '\0' '\n' < /proc/<pid>/environ
tr '\0' '\n' < /proc/<pid>/cmdline
strings /proc/<pid>/exe

Create backups

Before you kill the process, make a copy of the executable, environment variables and command line. This also works when the original executable was removed, because /proc/<pid>/exe still refers to the executable image the kernel has mapped for the running process.

cp /proc/<pid>/exe /tmp/rogue.executable
cp /proc/<pid>/environ /tmp/rogue.environ
cp /proc/<pid>/cmdline /tmp/rogue.cmdline
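The two steps above (find processes whose executable is gone, then preserve the evidence before killing them) can be scripted so the same checks run consistently on every host. The following POSIX shell script is an added example written for this guide; it is not part of eComscan or Sansec's tooling. It relies only on /proc, readlink, tr, cp, ps and (optionally) sha256sum, and the " (deleted)" suffix that the Linux kernel appends to the /proc/<pid>/exe link target once the file has been unlinked. The function names and the rogue.* output file names are this example's own choices.

```sh
#!/bin/sh
# Added example (not eComscan's code): locate processes whose executable
# was deleted from disk and collect artifacts for each of them.

# Return 0 when the executable of process $1 has been unlinked.
# The kernel reports this by appending " (deleted)" to the exe link target.
exe_is_deleted() {
    target=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    case "$target" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the PIDs of all visible processes with a deleted executable, one per line.
# Processes of other users may be unreadable; readlink failures are skipped silently.
find_deleted_exe_pids() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe_is_deleted "$pid" && echo "$pid"
    done
    return 0
}

# Print the command line of process $1 on one line.
# /proc/<pid>/cmdline is NUL-separated, which is why a plain cat looks glued together.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline"
    echo
}

# Copy executable, environment and command line of process $1 into directory $2,
# together with the ps start-time line and a hash of the recovered binary.
# Works for deleted executables because /proc/<pid>/exe still maps the running image.
collect_artifacts() {
    pid=$1
    dest=$2
    mkdir -p "$dest"
    cp "/proc/$pid/exe"     "$dest/rogue.executable"
    cp "/proc/$pid/environ" "$dest/rogue.environ"
    cp "/proc/$pid/cmdline" "$dest/rogue.cmdline"
    ps -o pid,lstart,cmd -p "$pid" > "$dest/rogue.ps" 2>/dev/null || true
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$dest/rogue.executable" > "$dest/rogue.sha256"
    fi
}

# Stand-alone use: report every deleted-executable process and preserve its artifacts
# under /tmp/rogue-<pid> so the evidence survives the subsequent kill.
if [ "${1:-}" = "--scan" ]; then
    for pid in $(find_deleted_exe_pids); do
        echo "PID $pid: $(proc_cmdline "$pid")"
        collect_artifacts "$pid" "/tmp/rogue-$pid"
    done
fi
```

Run it as `sh inspect-deleted.sh --scan` on the host in question; each hit is copied to /tmp/rogue-<pid> before you decide whether to kill the process. The hash in rogue.sha256 lets you compare the recovered binary against known-good package files or share it for analysis without shipping the executable itself.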