[SOLVED] Output of ps command - can't find file
 

Hi there,

Today I found interesting issue. The output of ps command show some user's process, executing some file, let's say x.pl.

taz 2795 10.0 5.5 30568 5600 ? R 08:59 0:00 ./x.pl

I looked into taz's home directory in search of x.pl, however, found nothing.

Using find / -name x.pl also gave no results.

Interesting thing is that there are couple of such processes and the filenames look like generated automatically, ex. hyujip.pl.

Any ideas how to track down those files and which process spawns them?

Thanks!

Perhaps looking at the process tree will help? From the ps manpage:
To print a process tree:
ps -ejH
ps axjf

The command line ./x.pl does not imply a program in taz home directory. For exampleThus, not knowing what the current working directory was when the command was issued, you need to search the whole file system hierarchy to try to find these programs. Even then you may not find them -- they could be on a networked file system that is no longer mounted. For more detail of trying to find a program, based on the command line used to start it (including why it cannot always be done) see Greg's WIKI.

Thank you. It turned out that the system has been compromised, these scripts were uploaded via FTP, ran and deleted.

I hope you realise your system should still be regarded as "compromised".

You have work to do.