How to inspect a deleted process file
by Team Sansec
Published in Guides
eComscan will detect and report server processes that do not have their original executable file present. Malicious processes often delete the original executable to avoid detection. A deleted process file is therefore an indication that the process might be malicious.
Inspect the process
It is important to verify whether a process is indeed malicious. The following commands can be used to learn more about the process in question. Replace all <pid> with the reported process ID number.
# Start-time of process
ps -o pid,lstart,cmd <pid>
# All open files of the process, including sockets (-n skips host name lookups)
lsof -np <pid>
# Generic checks on process (environ and cmdline are NUL-separated, so split them into lines)
cat /proc/<pid>/environ | tr '\0' '\n'
cat /proc/<pid>/cmdline | tr '\0' '\n'
strings /proc/<pid>/exe
Create backups
Before you kill the process, make a copy of its executable, environment variables and command line. This also works when the original executable was removed: /proc/<pid>/exe still refers to the unlinked file for as long as the process is running!
cp /proc/<pid>/exe /tmp/rogue.executable
cp /proc/<pid>/environ /tmp/rogue.environ
cp /proc/<pid>/cmdline /tmp/rogue.cmdline