Small change for the detection of a deleted process:
```bash
for pn in "${proc_names[@]}"
do
    for exe_pid in $(pidof "$pn")
    do
        # readlink prints e.g. "/usr/bin/nginx (deleted)" once the mapped file is unlinked;
        # match the suffix only, so a path that merely contains "deleted" is not flagged
        exe_path=$(readlink "/proc/$exe_pid/exe" 2>/dev/null)
        if [[ $exe_path == *" (deleted)" ]]
        then
            malicious_proc=true
            echo "[*] Fileless process $pn is running on the server."
        fi
    done
done
```
The problem with this (and the original) code is that if a process is in a chroot jail or an alternate namespace (e.g. docker), then the executable may say '(deleted)' even if it's not. If the executable is shown as /proc/31337/exe -> /usr/bin/nginx (deleted), it might actually be found at /proc/31337/root/usr/bin/nginx. The kernel does a bad job of generating these symlinks, apparently!
For extra fun, try running a chroot-ed process inside a docker container. It's completely bonkers. Example: Start a docker image of haproxy, which needs root access and chroots itself. Then /proc/7777/root points to the chroot-ed directory inside the namespace, but you can do 'cd /proc/7777/root; cd ../../..' and get to the root directory of the namespace, which chroot shouldn't allow but does. The 'pwd' command is hopelessly confused by that point.
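The check the comment above describes, carried through as an added example (it is not code from the issue author or the commenter): when `/proc/PID/exe` carries the `(deleted)` marker, look the same path up under `/proc/PID/root`, which resolves it as the process itself sees it, and compare device:inode numbers so that a binary that was replaced on disk after exec is not mistaken for a namespace artefact either. Function names (`classify_exe`, `scan_procs`, `same_file`) and the verdict words are this example's own; it assumes Linux `/proc`, a `stat(1)` that accepts `-L -c '%d:%i'` (GNU coreutils or busybox), and enough privilege (root, or ptrace access) to read other processes' `exe` links.

```shell
#!/bin/sh
# Added example: distinguish a genuinely unlinked executable from the
# "(deleted)" marker that a chroot or a mount namespace makes the kernel emit.
# Assumptions: Linux /proc; stat(1) supporting -L -c '%d:%i'; privilege to
# read /proc/PID/exe for the processes being checked.

# The link target reads "/usr/bin/nginx (deleted)" when the file has no name
# in the reader's view of the filesystem. Return 0 when the marker is present.
exe_is_marked_deleted() {
  case $1 in
    *" (deleted)") return 0 ;;
    *) return 1 ;;
  esac
}

# "/usr/bin/nginx (deleted)" -> "/usr/bin/nginx"
strip_deleted_suffix() {
  printf '%s\n' "${1% (deleted)}"
}

# Compare device:inode of two paths, following symlinks. /proc/PID/exe is a
# "magic" link, so stat -L reaches the open file even if it was unlinked.
same_file() {
  a=$(stat -L -c '%d:%i' "$1" 2>/dev/null) || return 1
  b=$(stat -L -c '%d:%i' "$2" 2>/dev/null) || return 1
  [ "$a" = "$b" ]
}

# classify_exe PID prints exactly one verdict:
#   unreadable  link cannot be read (pid gone, or no permission)
#   running     no "(deleted)" marker
#   namespaced  marker present, but /proc/PID/root/<path> is the same inode:
#               the process simply lives under another root (chroot, container)
#   replaced    marker present and a different file now sits at that path:
#               the on-disk binary was upgraded or swapped after exec
#   fileless    marker present and nothing at that path in the process's root
classify_exe() {
  pid=$1
  target=$(readlink "/proc/$pid/exe" 2>/dev/null) || { echo unreadable; return 0; }
  if ! exe_is_marked_deleted "$target"; then
    echo running
    return 0
  fi
  path=$(strip_deleted_suffix "$target")
  # /proc/PID/root resolves the path as the process itself sees it
  in_root="/proc/$pid/root$path"
  if [ ! -e "$in_root" ]; then
    echo fileless
  elif same_file "/proc/$pid/exe" "$in_root"; then
    echo namespaced
  else
    echo replaced
  fi
  return 0
}

# scan_procs NAME... : the loop from the issue, with the verdict folded in.
# Returns 0 when at least one process was judged fileless or replaced.
scan_procs() {
  found=1
  for pn in "$@"; do
    for p in $(pidof "$pn" 2>/dev/null); do
      case $(classify_exe "$p") in
        fileless)   echo "[*] Fileless process $pn (pid $p) is running on the server."; found=0 ;;
        replaced)   echo "[!] $pn (pid $p): on-disk binary differs from the running image."; found=0 ;;
        namespaced) echo "[-] $pn (pid $p) shows (deleted) only because it runs under another root." ;;
      esac
    done
  done
  return $found
}

# Invoked with process names as arguments, scan them; with none, just define the functions.
[ "$#" -gt 0 ] && scan_procs "$@"
```

The `namespaced` verdict is the false positive the comment warns about (nginx or haproxy inside a container or chroot); `replaced` is the case an unlinked-binary check usually wants to keep flagging, since a process still executing an image that no longer matches the file at its path is either a pending restart after an upgrade or something worth a closer look.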