Get the cwd of a process?
gibblertron at gmail.com
Thu Oct 29 21:22:57 UTC 2009
Is there any way to get the cwd of a process? We had the situation
recently where a perl script was called from an infiltrated Wordpress
installation, but we weren't able to determine which of the hundreds
of Wordpress blogs was the source. The ps listing showed:
    www 63968 2.4 0.2 26092 5008 ?? Rs 5:36PM 93:10.67 ./mrf.pl (perl5.8.8)
The procfs entry was no help because it does not seem to provide a
cwd. The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
We had to kill the process, and whoever was responsible did a good
job of hiding their tracks. But should this happen again (and we
expect it will), we'd like to be able to find the source.