I think my server has been compromised and it has many perl processes running. However, I don't know what file they are being launched from so I can delete it. How can I find this information?

A: 

If you run the command "ps -ef" you should get a list of all processes running on your machine. Each process will have a process id number (PID), and also a parent PID. Find the offending process(es) and check their parent PIDs. Then find the process with a matching PID, and it should be your culprit.

Russell Newquist
A: 

You could check the symbolic link /proc/pid/cwd; also check the PPID from ps(1).

DigitalRoss
A: 

The first thing I would do is look at the parent process id (PPID). That said, if the PPID is 1, that doesn't tell you anything.

R Samuel Klatchko
A: 

Auditing the filesystem could help (see here).

pstree could also help

RC
A: 

If your system has been hacked, you cannot trust any of the software, not even the kernel. Format the disk and re-install everything. There is just no way to be sure you've cleaned out the infection, because you can't trust the very tools you would use to clean things. You can't copy new tools onto the box, because you can't trust the SSH daemon or the /bin/cp command. Anything -- ls, vi, ps, cat, dd, etc. -- could have been replaced with a trojan that works to hide the infected files.

Francis Litterio
You can copy your data files if you mount your old disks from a new install. Check any files you copy from it, and make sure never to run any program that you copied from the infected system.
Peter Cordes
A: 

Try ls -l /proc/pid/exe, or ls -l /proc/pid/fd. I don't remember if perl keeps the script file open after the program starts, but if it does, it will be one of the process's file descriptors.

But if your system is pwned, don't expect anything to make sense.

Peter Cordes
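The checks suggested across these answers (Russell Newquist's parent-PID walk, DigitalRoss's /proc/pid/cwd link, and Peter Cordes's /proc/pid/exe and /proc/pid/fd links) can be gathered in one place. The script below is an added example and is not code from any of the answers. It assumes a Linux host with procfs mounted at /proc and reads only kernel-provided /proc entries through readlink, tr, sed and awk; the function and variable names are the example's own. As Francis Litterio's answer points out, on a compromised box even those binaries and the kernel may lie, so treat the output as a lead, not as proof.

```shell
#!/bin/sh
# Added example (not from the original answers): collect launch clues for a
# suspicious PID straight from /proc. Assumes Linux with procfs at /proc.
# Caveat: readlink/sed/awk, and the kernel itself, may be trojaned on a
# compromised host, so this is a hint about where a process came from.

# Binary the process is executing. For a script this is the interpreter
# (e.g. /usr/bin/perl), not the script. Empty if the PID is gone/unreadable.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Current working directory. A relative script path in the command line
# (perl ./bot.pl) resolves against this, unless the process chdir'ed later.
proc_cwd() {
    readlink "/proc/$1/cwd" 2>/dev/null
}

# Argument vector; /proc stores it NUL-separated, print it space-separated.
# For "perl /tmp/.x/bot.pl" the script path shows up here.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# Parent PID from /proc/PID/stat. The comm field sits in parentheses and may
# contain spaces or ')' itself, so strip everything through the LAST ") ";
# what remains starts with the state letter, then the PPID.
proc_ppid() {
    sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | awk '{print $2}'
}

# Walk PID -> parent -> ... up to the root, one PID per line, self first.
# Stops at PPID 0 (init/pid 1) or when an entry cannot be read.
parent_chain() {
    _pc_pid=$1
    while [ -n "$_pc_pid" ] && [ "$_pc_pid" != "0" ]; do
        echo "$_pc_pid"
        _pc_pid=$(proc_ppid "$_pc_pid")
    done
}

# Filesystem paths the process still holds open ("fd -> target"). Sockets
# and pipes (socket:[..], pipe:[..]) and /dev nodes are skipped. A target
# ending in "(deleted)" means the file was removed after being opened,
# which is exactly the trick used to hide a dropped script.
proc_open_files() {
    for _fd in /proc/"$1"/fd/*; do
        [ -L "$_fd" ] || continue
        _target=$(readlink "$_fd" 2>/dev/null) || continue
        case $_target in
            /dev/*) ;;
            /*) echo "$(basename "$_fd") -> $_target" ;;
        esac
    done
}

# Human-readable summary for one PID, including its ancestry so a parent
# launched from cron, a web server or a forgotten shell stands out.
report() {
    echo "== PID $1 =="
    echo "exe:     $(proc_exe "$1")"
    echo "cwd:     $(proc_cwd "$1")"
    echo "cmdline: $(proc_cmdline "$1")"
    echo "ppid:    $(proc_ppid "$1")"
    echo "open files:"
    proc_open_files "$1" | sed 's/^/  /'
    echo "ancestry (self first):"
    for _p in $(parent_chain "$1"); do
        printf '  %s  %s\n' "$_p" "$(proc_cmdline "$_p")"
    done
}

# Usage: sh procinfo.sh PID [PID ...]; with no arguments it reports on the
# running shell itself, which doubles as a self-test of the /proc parsing.
# Typical use from the question: sh procinfo.sh $(pgrep -x perl)
if [ $# -eq 0 ]; then set -- "$$"; fi
for _pid in "$@"; do
    report "$_pid"
done
```

Run it once per perl PID (for example the output of pgrep -x perl). The exe link answers "which interpreter", the cmdline and cwd together answer "which script file", the fd list catches a script that was deleted from disk after launch, and the ancestry shows what started it, which is usually the more important question.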