On Thu, Oct 29, 2009 at 10:48 PM, Dan Nelson <dnel...@allantgroup.com> wrote:

> In the last episode (Oct 29), patrick said:
> > Is there any way to get the cwd of a process? We had the situation
> > recently where a perl script was called from an infiltrated Wordpress
> > installation, but we weren't able to determine which of the hundreds of
> > Wordpress blogs was the source. The ps listing showed:
> >
> > www 63968 2.4 0.2 26092 5008 ?? Rs 5:36PM 93:10.67 ./mrf.pl (perl5.8.8)
> >
> > The procfs entry was no help because it does not seem to provide a cwd.
> > The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
> >
> > We had to kill the process, and whoever was responsible did a good job of
> > hiding their tracks. But should this happen again (and we expect it
> > will), we'd like to be able to find the source.
>
> /usr/bin/fstat will tell you the inode of the cwd, and you can use "find
> -inum" to locate it. You can also install lsof from ports, which will dig
> into the kernel and try and fetch the name itself:
>
> (d...@dan.21) /home/dan> fstat -p $$ | grep wd
> dan zsh 77611 wd / 474264 drwxr-xr-x 533 r
> (d...@dan.21) /home/dan> lsof -p $$ -a -d cwd
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> zsh 77611 dan cwd VDIR 60,504234031 533 474264 /usr/home/dan
>
> --
> Dan Nelson
> dnel...@allantgroup.com
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

procstat -f <pid>

--
Adam Vande More
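
The fstat and "find -inum" steps from Dan Nelson's reply, sketched as an added example (not part of the original thread). It assumes the fstat column order seen in his output; the sample rows, the inode 918273 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve a process's working directory from fstat output.
# Assumed FreeBSD fstat column order (matches the row quoted in the thread):
#   USER CMD PID FD MOUNT INUM MODE SZ|DV R/W

# Constructed sample of `fstat -p 63968` output; the PID and user come from
# the ps line in the thread, the mount points and inode numbers are made up.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
www      perl       63968 root /             2 drwxr-xr-x    1024  r
www      perl       63968   wd /usr     918273 drwxr-xr-x     512  r
www      perl       63968 text /usr     412345 -rwxr-xr-x   12345  r'

# wd_from_fstat: read fstat output on stdin and print "MOUNT INUM" for the
# working-directory row (FD column equal to "wd").
wd_from_fstat() {
    awk '$4 == "wd" && $6 ~ /^[0-9]+$/ { print $5, $6; exit }'
}

# dir_by_inode MOUNT INUM: search a single filesystem for the directory with
# that inode number. Inode numbers are unique only within one filesystem, so
# the search starts at the mount point fstat reported and -xdev keeps find
# from crossing into other mounts where the same number may be reused.
dir_by_inode() {
    find "$1" -xdev -type d -inum "$2" -print 2>/dev/null
}

# cwd_of_pid PID: both steps together, for use on a live FreeBSD host while
# the suspicious process is still running (the cwd is lost once it is killed).
cwd_of_pid() {
    set -- $(fstat -p "$1" | wd_from_fstat)
    if [ $# -ne 2 ]; then
        echo "no wd entry found for that pid" >&2
        return 1
    fi
    dir_by_inode "$1" "$2"
}
```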