Date: Thu, 29 Oct 2009 22:48:13 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: patrick <gibblertron@gmail.com>
Cc: FreeBSD Questions <questions@freebsd.org>
Subject: Re: Get the cwd of a process?
Message-ID: <20091030034812.GU29215@dan.emsphone.com>
In-Reply-To: <b043a4850910291422u2d37344tf46b5d46691bb48a@mail.gmail.com>
References: <b043a4850910291422u2d37344tf46b5d46691bb48a@mail.gmail.com>
In the last episode (Oct 29), patrick said:
> Is there any way to get the cwd of a process? We had the situation
> recently where a perl script was called from an infiltrated Wordpress
> installation, but we weren't able to determine which of the hundreds of
> Wordpress blogs was the source. The ps listing showed:
>
> www 63968  2.4  0.2 26092 5008  ??  Rs    5:36PM  93:10.67 ./mrf.pl (perl5.8.8)
>
> The procfs entry was no help because it does not seem to provide a cwd.
> The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
>
> We had to kill the process, and whoever was responsible did a good job of
> hiding their tracks. But should this happen again (and we expect it
> will), we'd like to be able to find the source.

/usr/bin/fstat will tell you the inode of the cwd, and you can use "find
-inum" to locate it. You can also install lsof from ports, which will dig
into the kernel and try and fetch the name itself:

(dan@dan.21) /home/dan> fstat -p $$ | grep wd
dan      zsh        77611   wd /        474264 drwxr-xr-x     533  r
(dan@dan.21) /home/dan> lsof -p $$ -a -d cwd
COMMAND   PID USER   FD   TYPE        DEVICE SIZE/OFF   NODE NAME
zsh     77611  dan  cwd   VDIR 60,504234031      533 474264 /usr/home/dan

-- 
	Dan Nelson
	dnelson@allantgroup.com
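Worked example (added to this archive page; it is not code from Dan's message or from FreeBSD): a POSIX sh script that applies the two lookups he describes, fstat followed by find -inum on the mount point fstat reports, and lsof -d cwd, and that also reads a /proc/PID/cwd symlink where a procfs exposes one (Linux or linprocfs; FreeBSD's own procfs does not, as patrick found). The names proc_cwd, cwd_report and proccwd.sh are assumed for the example. It expects to run as root, since fstat and lsof only show another user's processes (such as www) to a privileged caller.

```shell
#!/bin/sh
# Added example, not code from the original thread. proc_cwd PID prints the
# current working directory of a process: first with fstat + find -inum
# (FreeBSD base system), then with lsof (ports), then via a /proc/PID/cwd
# symlink where a procfs provides one. Run as root to see www's processes.

proc_cwd() {
    pid=$1

    # Method 1: fstat lists the cwd as descriptor "wd" with the mount point
    # (column 5) and inode (column 6); search that one filesystem (-xdev)
    # for a directory with that inode. An unlinked directory has no name
    # left to find, so this prints nothing once the attacker has removed it.
    if command -v fstat >/dev/null 2>&1; then
        mnt_ino=$(fstat -p "$pid" 2>/dev/null | awk '$4 == "wd" { print $5, $6; exit }')
        if [ -n "$mnt_ino" ]; then
            mnt=${mnt_ino% *}
            ino=${mnt_ino#* }
            dir=$(find "$mnt" -xdev -type d -inum "$ino" -print -quit 2>/dev/null || true)
            if [ -n "$dir" ]; then
                printf '%s\n' "$dir"
                return 0
            fi
        fi
    fi

    # Method 2: lsof resolves the name from kernel state; -Fn selects
    # machine-readable output in which the "n" field carries the path.
    if command -v lsof >/dev/null 2>&1; then
        dir=$(lsof -p "$pid" -a -d cwd -Fn 2>/dev/null | sed -n 's/^n//p' | head -n 1)
        if [ -n "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    fi

    # Method 3: a procfs that exposes cwd as a symlink (Linux, linprocfs).
    if [ -L "/proc/$pid/cwd" ]; then
        dir=$(readlink "/proc/$pid/cwd" 2>/dev/null || true)
        if [ -n "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    fi

    return 1
}

# cwd_report USER: pid, command name and cwd of every process owned by USER,
# tab separated; "?" where no method could resolve the directory. On the
# server from the thread, "cwd_report www" would have shown which blog
# directory ./mrf.pl was started in.
cwd_report() {
    ps -U "$1" -o pid= -o comm= | while read -r pid comm; do
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$(proc_cwd "$pid" || echo '?')"
    done
}

# Usage: ./proccwd.sh 63968    or    ./proccwd.sh -u www
case $1 in
    -u) cwd_report "$2" ;;
    '') ;;                 # no arguments: only define the functions
    *)  proc_cwd "$1" ;;
esac
```

Run it while the suspect process is still alive: the cwd reference disappears with the process, which is why killing ./mrf.pl first left nothing to look up. The inode search is only useful while the directory still exists on disk; if it has already been removed, lsof is the only one of the three that can still report anything, and the mount point taken from fstat keeps find from walking every filesystem on the box.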
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091030034812.GU29215>