eComscan will detect and report server processes that do not have their original executable file present. Malicious processes often delete the original executable to avoid detection: the code keeps running from memory while nothing is left on disk for a file scanner to find. A deleted process file is therefore an indication that the process might be malicious.
Inspect the process
It is important to verify whether a process is indeed malicious. A process whose executable has been deleted is not necessarily rogue: a legitimate daemon that was upgraded while running (for example after a package update) shows the same symptom until it is restarted. The following commands can be used to learn more about the process in question. Replace all <pid> with the reported process ID number.
```sh
# Confirm the executable is gone: the link target ends in "(deleted)"
ls -l /proc/<pid>/exe
# Start time of the process
ps -o pid,lstart,cmd -p <pid>
# All open files and sockets of the process
lsof -np <pid>
# Generic checks on the process (environ and cmdline are NUL-separated, hence the tr)
tr '\0' '\n' < /proc/<pid>/environ
tr '\0' '\n' < /proc/<pid>/cmdline
strings /proc/<pid>/exe
```
Before you kill the process, make a copy of the executable, environment variables and cmdline: /proc/<pid> disappears as soon as the process exits. This also works when the original executable was removed, because /proc/<pid>/exe still gives access to the in-memory image of the deleted file.
```sh
cp /proc/<pid>/exe /tmp/rogue.executable
cp /proc/<pid>/environ /tmp/rogue.environ
cp /proc/<pid>/cmdline /tmp/rogue.cmdline
# Record the hash so the sample can be matched later
sha256sum /tmp/rogue.executable
```
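The two steps above (check whether the executable is really gone, then preserve the evidence before killing) can be wrapped in a small script. The following is an added example, not code from the eComscan page or from Sansec; the function names `exe_deleted` and `preserve_process` and the output file names are this example's own choices, and it assumes a Linux `/proc` filesystem. Beyond the page's three `cp` commands it also stores readable (newline-separated) copies of `cmdline` and `environ`, the original link target of `exe`, and SHA-256 hashes of the collected files.

```shell
#!/bin/sh
# Added example (not part of the eComscan documentation): triage and preserve
# a process whose executable has been deleted. Assumes Linux /proc.

# exe_deleted <pid>: print 1 if the process's executable has been unlinked,
# 0 otherwise (the kernel appends " (deleted)" to the exe link target).
exe_deleted() {
    pid="$1"
    case "$(readlink "/proc/$pid/exe" 2>/dev/null)" in
        *" (deleted)") echo 1 ;;
        *) echo 0 ;;
    esac
}

# preserve_process <pid> <outdir>: copy exe, environ and cmdline into <outdir>
# (works even when the binary is gone from disk), keep readable copies of the
# NUL-separated files, and hash everything. Returns 1 if <pid> no longer exists.
preserve_process() {
    pid="$1"
    out="$2"
    [ -d "/proc/$pid" ] || return 1
    mkdir -p "$out"
    # Raw copies, exactly as the page recommends
    cp "/proc/$pid/exe" "$out/rogue.executable"
    cp "/proc/$pid/environ" "$out/rogue.environ"
    cp "/proc/$pid/cmdline" "$out/rogue.cmdline"
    # Human-readable versions (one argument / variable per line)
    tr '\0' '\n' < "/proc/$pid/cmdline" > "$out/rogue.cmdline.txt"
    tr '\0' '\n' < "/proc/$pid/environ" > "$out/rogue.environ.txt"
    # Where the binary lived before it was deleted
    readlink "/proc/$pid/exe" > "$out/exe.link"
    # Start time and command line, if ps is available on this host
    if command -v ps >/dev/null 2>&1; then
        ps -o pid,lstart,cmd -p "$pid" > "$out/ps.txt"
    fi
    # Hashes so the sample can be matched against threat intel later
    (cd "$out" && sha256sum rogue.executable rogue.environ rogue.cmdline > SHA256SUMS)
}

# Usage (after sourcing this file):
#   preserve_process <pid> /tmp/evidence-<pid> && kill <pid>
```

Run `preserve_process` before `kill`: once the process is gone, `/proc/<pid>` and with it the only remaining copy of the deleted binary are gone too.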
This page was last updated at Feb 4th, 2022