
How to inspect a deleted process file

eComscan will detect and report server processes that do not have their original executable file present. Malicious processes often delete their original executable to avoid detection. A deleted process file is therefore an indication that the process might be malicious.

Inspect the process

It is important to verify if a process is indeed malicious. The following commands can be used to learn more about the process in question. Replace all <pid> with the reported process ID number.

# Start time of process
ps -o pid,lstart,cmd <pid>

# All open files of process (sockets included); -n skips DNS lookups
lsof -np <pid>

# Generic checks on process (environ and cmdline are NUL-separated,
# so translate the NUL bytes to make them readable)
tr '\0' '\n' < /proc/<pid>/environ
tr '\0' ' ' < /proc/<pid>/cmdline; echo
strings /proc/<pid>/exe

Create backups

Before you kill the process, make a copy of the executable, environment variables and cmdline. This also works when the original executable was removed!

cp /proc/<pid>/exe /tmp/rogue.executable
cp /proc/<pid>/environ /tmp/rogue.environ
cp /proc/<pid>/cmdline /tmp/rogue.cmdline

This page was last updated on Feb 4th, 2022
