Get the cwd of a process?

patrick gibblertron at
Thu Oct 29 21:22:57 UTC 2009

Is there any way to get the cwd of a process? We had the situation
recently where a perl script was called from an infiltrated Wordpress
installation, but we weren't able to determine which of the hundreds
of Wordpress blogs was the source. The ps listing showed:

www             63968  2.4  0.2 26092  5008  ??  Rs    5:36PM
93:10.67 ./ (perl5.8.8)

The procfs entry was no help because it does not seem to provide a
cwd. The cmdline entry just showed "/usr/local/bin/perl ./".

We had to kill the process, and who ever was responsible did a good
job of hiding their tracks. But should this happen again (and we
expect it will), we'd like to be able to find the source.


More information about the freebsd-questions mailing list