From owner-freebsd-questions@FreeBSD.ORG Fri Oct 30 04:24:34 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: questions@freebsd.org
Date: Thu, 29 Oct 2009 22:48:13 -0500
From: Dan Nelson <dan@dan.emsphone.com>
To: patrick
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Get the cwd of a process?
Message-ID: <20091030034812.GU29215@dan.emsphone.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-OS: FreeBSD 7.2-STABLE
User-Agent: Mutt/1.5.20 (2009-06-14)
List-Id: User questions <freebsd-questions.freebsd.org>

In the last episode (Oct 29), patrick said:
> Is there any way to get the cwd of a process?  We had the situation
> recently where a perl script was called from an infiltrated Wordpress
> installation, but we weren't able to determine which of the hundreds of
> Wordpress blogs was the source.  The ps listing showed:
>
> www 63968  2.4  0.2 26092  5008  ??  Rs    5:36PM  93:10.67 ./mrf.pl (perl5.8.8)
>
> The procfs entry was no help because it does not seem to provide a cwd.
> The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
>
> We had to kill the process, and whoever was responsible did a good job of
> hiding their tracks.  But should this happen again (and we expect it
> will), we'd like to be able to find the source.

/usr/bin/fstat will tell you the inode of the cwd, and you can use "find
-inum" to locate it.  You can also install lsof from ports, which will dig
into the kernel and try to fetch the name itself:

(dan@dan.21) /home/dan> fstat -p $$ | grep wd
dan      zsh        77611   wd /        474264 drwxr-xr-x     533  r
(dan@dan.21) /home/dan> lsof -p $$ -a -d cwd
COMMAND   PID USER   FD   TYPE        DEVICE SIZE/OFF   NODE NAME
zsh     77611  dan  cwd   VDIR 60,504234031      533 474264 /usr/home/dan

-- 
	Dan Nelson
	dnelson@allantgroup.com
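The fstat-then-find procedure from Dan's reply, written out as a small shell script. This is an added example, not code from the original post or from FreeBSD; it parses the "wd" row of `fstat -p PID` output (the fstat sample below is constructed from the format of the output line Dan posted) and builds the `find -inum` search. The one detail worth adding to the recipe is `-xdev`: inode numbers are only unique within one filesystem, so the search must start at the mount point fstat reports and must not descend into other mounted filesystems, or it can return an unrelated directory with the same inode number. The `locate_cwd` function is the live version and only works on FreeBSD with enough privilege to fstat the target process; the parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): recover a process's cwd from
# the inode fstat reports, then locate it with find -inum.

# Constructed sample of `fstat -p PID` output, in the column layout of the
# line shown in the post (USER CMD PID FD MOUNT INUM MODE SZ|DV R/W).
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
dan      zsh        77611 root /             2 drwxr-xr-x     512  r
dan      zsh        77611   wd /        474264 drwxr-xr-x     533  r
dan      zsh        77611    0 /dev         14 crw--w----   ttyp0 rw'

# Mount point of the cwd: field 5 of the row whose FD column is "wd".
cwd_mount() {
    printf '%s\n' "$1" | awk '$4 == "wd" { print $5; exit }'
}

# Inode number of the cwd: field 6 of the same row.
cwd_inum() {
    printf '%s\n' "$1" | awk '$4 == "wd" { print $6; exit }'
}

# Build the find command.  -xdev keeps find on the filesystem the inode
# belongs to; without it a directory on another mount with the same inode
# number would match too.
find_cmd() {
    printf 'find %s -xdev -type d -inum %s' "$1" "$2"
}

# Live use on FreeBSD: locate_cwd PID.  Do this while the process is still
# running; once it is killed fstat has nothing to report.
locate_cwd() {
    pid=$1
    out=$(fstat -p "$pid") || return 1
    mnt=$(cwd_mount "$out")
    ino=$(cwd_inum "$out")
    if [ -z "$ino" ]; then
        echo "no wd entry for pid $pid (not enough privilege?)" >&2
        return 1
    fi
    # shellcheck disable=SC2046
    eval "$(find_cmd "$mnt" "$ino")" 2>/dev/null
}
```

Running `locate_cwd 63968` against the process in patrick's ps listing would print the directory the script was started from, which in the WordPress case points at the compromised blog. On FreeBSD 8 and later, `procstat -f PID` lists the cwd with its path directly, so the inode round trip is only needed on 7.x or where procstat is unavailable.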