How to inspect a deleted process file
by Sansec Support
Published in Guides
eComscan detects and reports server processes whose original executable file is no longer present on disk. Malicious processes often delete their own executable to avoid detection, so a deleted process file is an indication that the process might be malicious.
Inspect the process
It is important to verify whether a process is indeed malicious. The following commands can be used to learn more about the process in question. Replace all <pid> with the reported process ID number.
# Start time of the process
ps -o pid,lstart,cmd <pid>
# All open files and sockets of the process
lsof -np <pid>
# Generic checks on the process (environ and cmdline are NUL-separated,
# so translate the separators to newlines for readable output)
tr '\0' '\n' < /proc/<pid>/environ
tr '\0' '\n' < /proc/<pid>/cmdline
strings /proc/<pid>/exe
Create backups
Before you kill the process, make a copy of the executable, environment variables and cmdline. This also works when the original executable has already been removed from disk, because the kernel keeps the running image reachable through /proc/<pid>/exe.
cp /proc/<pid>/exe /tmp/rogue.executable
cp /proc/<pid>/environ /tmp/rogue.environ
cp /proc/<pid>/cmdline /tmp/rogue.cmdline
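The inspection and backup steps above combined into one triage script, as an added example that is not part of the Sansec guide. It assumes a Linux host with /proc, readlink and sha256sum available, and a PID passed on the command line; the output directory name and the "(deleted)" check on the /proc/<pid>/exe link target are the only additions beyond the commands listed above.

```shell
#!/bin/sh
# Added example (not from the original guide): triage a process whose
# executable is reported as deleted. Usage: sh triage.sh <pid> [outdir]

# Return 0 when a resolved /proc/<pid>/exe link target carries the
# " (deleted)" marker the kernel appends once the file is unlinked.
is_deleted_target() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the original on-disk path of the executable, without the marker.
original_path() {
    printf '%s\n' "${1% (deleted)}"
}

# Collect evidence for <pid> into <outdir> before the process is killed.
# The /proc entries stay readable while the process lives, even after
# the file on disk is gone.
collect_evidence() {
    pid=$1
    outdir=${2:-/tmp/rogue.$pid}   # constructed default location
    target=$(readlink "/proc/$pid/exe") || {
        echo "cannot resolve /proc/$pid/exe (no such process?)" >&2
        return 1
    }
    mkdir -p "$outdir"
    if is_deleted_target "$target"; then
        echo "executable was deleted from disk: $(original_path "$target")"
    else
        echo "executable still present: $target"
    fi
    # Start time, command line and open files, as in the guide
    ps -o pid,lstart,cmd -p "$pid" > "$outdir/ps.txt"
    lsof -np "$pid" > "$outdir/lsof.txt" 2>/dev/null
    # Raw copies of the running image, environment and cmdline
    cp "/proc/$pid/exe" "$outdir/rogue.executable"
    cp "/proc/$pid/environ" "$outdir/rogue.environ"
    cp "/proc/$pid/cmdline" "$outdir/rogue.cmdline"
    # Readable (newline-separated) versions and a hash of the binary
    tr '\0' '\n' < "$outdir/rogue.environ" > "$outdir/rogue.environ.txt"
    tr '\0' '\n' < "$outdir/rogue.cmdline" > "$outdir/rogue.cmdline.txt"
    sha256sum "$outdir/rogue.executable" > "$outdir/rogue.executable.sha256"
    echo "evidence saved under $outdir"
}

if [ $# -gt 0 ]; then collect_evidence "$@"; fi
```

Run it as root so the /proc entries of other users' processes are readable; the hash file lets you compare the binary against threat-intelligence feeds after the process has been stopped.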