eComscan will detect and report server processes that do not have their original executable file present. Malicious processes often delete the original executable to avoid detection. A deleted process file is therefore an indication that the process might be malicious.
Inspect the process
It is important to verify whether a process is indeed malicious. The following commands can be used to learn more about the process in question. Replace every <pid> with the reported process ID number.
# Start-time of process
ps -o pid,lstart,cmd <pid>
# All open sockets of process
lsof -np <pid>
# Generic checks on process
cat /proc/<pid>/environ
cat /proc/<pid>/cmdline
strings /proc/<pid>/exe
Create backups
Before you kill the process, make a copy of the executable, environment variables and cmdline. This also works when the original executable was removed: as long as the process is running, /proc/<pid>/exe still opens the unlinked file's contents, even though the link target shows "(deleted)".
cp /proc/<pid>/exe /tmp/rogue.executable
cp /proc/<pid>/environ /tmp/rogue.environ
cp /proc/<pid>/cmdline /tmp/rogue.cmdline
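The two steps above can be scripted. The following is an added example, not eComscan's own code: `find_deleted_exe` lists every process whose /proc/<pid>/exe link carries the " (deleted)" suffix the kernel appends once the file is unlinked (the same signal the report is based on), and `preserve_process` copies the executable, environ and cmdline of one process into an evidence directory before it is killed. The function names, the optional proc-root parameter (which defaults to /proc and exists so the logic can be exercised against a constructed directory tree) and the output file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not eComscan's code): find processes whose executable was
# deleted, and preserve a process's exe/environ/cmdline for later analysis.

# Print "<pid> <exe link target> <cmdline>" for every process whose exe
# link target ends in " (deleted)". Argument 1 (optional): proc root,
# defaults to /proc; a constructed tree can be passed for testing.
find_deleted_exe() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # readlink fails for kernel threads and for processes we may not inspect
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                # cmdline is NUL-separated; render it on one line, drop trailing space
                cmd=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null | sed 's/ *$//') || cmd=""
                printf '%s %s %s\n' "$pid" "$target" "$cmd"
                ;;
        esac
    done
}

# Number of processes with a deleted executable (0 means nothing to report).
count_deleted_exe() {
    find_deleted_exe "$1" | wc -l | tr -d ' '
}

# Copy a process's executable, environment and cmdline into an evidence
# directory and record the original exe path and a SHA-256 of the binary.
# Arguments: <pid> <destination dir> [proc root]. Works for deleted
# executables because /proc/<pid>/exe still opens the unlinked inode.
preserve_process() {
    pid="$1"; dest="$2"; proc_root="${3:-/proc}"
    mkdir -p "$dest" || return 1
    cp "$proc_root/$pid/exe" "$dest/rogue.executable" || return 1
    cp "$proc_root/$pid/environ" "$dest/rogue.environ" || return 1
    cp "$proc_root/$pid/cmdline" "$dest/rogue.cmdline" || return 1
    readlink "$proc_root/$pid/exe" > "$dest/rogue.exe_path"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$dest/rogue.executable" > "$dest/rogue.sha256"
    fi
}

# Stand-alone usage: "sh thisscript.sh --scan" lists suspicious processes,
# "sh thisscript.sh --preserve <pid> <dir>" backs one of them up.
if [ "${1:-}" = "--scan" ]; then
    find_deleted_exe
elif [ "${1:-}" = "--preserve" ]; then
    preserve_process "$2" "$3"
fi
```

Run the scan as root so every process's exe link can be read; unreadable entries are skipped silently rather than reported, so a non-root scan can miss processes owned by other users. Compare the recorded exe path and SHA-256 against the package manager's files before deciding whether the process is rogue.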
This page was last updated on May 27th, 2022