From owner-freebsd-questions@FreeBSD.ORG Fri Oct 30 04:48:47 2009
From: Adam Vande More
To: Dan Nelson
Cc: patrick, FreeBSD Questions
Date: Thu, 29 Oct 2009 23:48:45 -0500
Subject: Re: Get the cwd of a process?
Message-ID: <6201873e0910292148i231766f6oc96e3c0b9b87cb0f@mail.gmail.com>
In-Reply-To: <20091030034812.GU29215@dan.emsphone.com>
On Thu, Oct 29, 2009 at 10:48 PM, Dan Nelson wrote:

> In the last episode (Oct 29), patrick said:
> > Is there any way to get the cwd of a process? We had the situation
> > recently where a perl script was called from an infiltrated Wordpress
> > installation, but we weren't able to determine which of the hundreds of
> > Wordpress blogs was the source. The ps listing showed:
> >
> > www 63968 2.4 0.2 26092 5008 ?? Rs 5:36PM 93:10.67 ./mrf.pl (perl5.8.8)
> >
> > The procfs entry was no help because it does not seem to provide a cwd.
> > The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
> >
> > We had to kill the process, and whoever was responsible did a good job of
> > hiding their tracks. But should this happen again (and we expect it
> > will), we'd like to be able to find the source.
>
> /usr/bin/fstat will tell you the inode of the cwd, and you can use "find
> -inum" to locate it. You can also install lsof from ports, which will dig
> into the kernel and try and fetch the name itself:
>
> (dan@dan.21) /home/dan> fstat -p $$ | grep wd
> dan      zsh        77611   wd /        474264 drwxr-xr-x     533  r
> (dan@dan.21) /home/dan> lsof -p $$ -a -d cwd
> COMMAND PID   USER FD  TYPE DEVICE        SIZE/OFF NODE   NAME
> zsh     77611 dan  cwd VDIR 60,504234031  533      474264 /usr/home/dan
>
> --
> Dan Nelson
> dnelson@allantgroup.com
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

procstat -f

--
Adam Vande More
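The thread names three ways to recover a process's working directory on FreeBSD (procstat -f, fstat plus find -inum, and lsof). The script below is an added example, not code from either poster, that wraps them in one function for the incident described: given the PID of the www-owned perl process, it prints the directory it was started from, which is the blog installation to investigate. The fstat column layout is taken from Dan's session above; the procstat -f layout (FD column "cwd", path in the last column) and the sample procstat output are assumptions, not captured on this page. The parsers read from stdin so they can be exercised offline against the constructed samples.

```shell
#!/bin/sh
# locate_cwd: find the working directory of a running process on FreeBSD.
# Added example for the thread above; assumptions are marked as such.

# Parse `fstat -p PID` output on stdin and print "MOUNT INUM" for the
# working-directory entry. Column layout (from the thread):
#   USER CMD PID FD MOUNT INUM MODE SZ|DV R/W   -> FD is $4, MOUNT $5, INUM $6
fstat_wd() {
    awk '$4 == "wd" { print $5, $6; found = 1 } END { exit found ? 0 : 1 }'
}

# Parse `procstat -f PID` output on stdin and print the cwd path.
# ASSUMED layout: PID COMM FD T V FLAGS REF OFFSET PRO NAME, so FD is $3
# and the path is the last field.
procstat_cwd() {
    awk '$3 == "cwd" { print $NF; found = 1 } END { exit found ? 0 : 1 }'
}

# Resolve the cwd of PID on a live system, trying the cheapest tool first.
# Exit status 1 if no tool is available or the PID has no cwd entry.
locate_cwd() {
    pid=$1
    if command -v procstat >/dev/null 2>&1; then
        procstat -f "$pid" | procstat_cwd && return 0
    fi
    if command -v fstat >/dev/null 2>&1; then
        wd=$(fstat -p "$pid" | fstat_wd) || return 1
        set -- $wd
        # -xdev keeps find on the filesystem the inode belongs to; an inode
        # number is only unique within one filesystem.
        find "$1" -xdev -type d -inum "$2" 2>/dev/null | head -n 1
        return 0
    fi
    if command -v lsof >/dev/null 2>&1; then
        # -F n prints field lines; the cwd path is the line prefixed with "n".
        lsof -p "$pid" -a -d cwd -F n | sed -n 's/^n//p'
        return 0
    fi
    echo "locate_cwd: none of procstat, fstat or lsof is available" >&2
    return 1
}

# Constructed sample output for offline use. The fstat lines reproduce the
# session in the thread; the procstat lines follow the ASSUMED layout above.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
dan      zsh        77611   wd /        474264 drwxr-xr-x     533  r
dan      zsh        77611 root /             2 drwxr-xr-x     512  r'

SAMPLE_PROCSTAT='  PID COMM               FD T V FLAGS    REF  OFFSET PRO NAME
77611 zsh              text v r r-------   -       - -   /usr/local/bin/zsh
77611 zsh               cwd v d r-------   -       - -   /usr/home/dan
77611 zsh              root v d r-------   -       - -   /'

# Usage on a live host: sh find_cwd.sh 63968
if [ $# -gt 0 ]; then
    locate_cwd "$1"
fi
```

On the system from the thread, `locate_cwd 77611` would print /usr/home/dan by whichever tool is installed; for the incident, running it against PID 63968 before killing the process would have named the Wordpress directory. Note that the fstat path only yields a mount point and inode, so the find step has to walk that filesystem, which on a host with hundreds of blogs can take a while; procstat or lsof return the name directly.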