Get the cwd of a process?

Dan Nelson dnelson at allantgroup.com
Fri Oct 30 04:24:34 UTC 2009


In the last episode (Oct 29), patrick said:
> Is there any way to get the cwd of a process? We had the situation
> recently where a perl script was called from an infiltrated Wordpress
> installation, but we weren't able to determine which of the hundreds of
> Wordpress blogs was the source.  The ps listing showed:
> 
> www             63968  2.4  0.2 26092  5008  ??  Rs    5:36PM 93:10.67 ./mrf.pl (perl5.8.8)
> 
> The procfs entry was no help because it does not seem to provide a cwd. 
> The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
> 
> We had to kill the process, and whoever was responsible did a good job of
> hiding their tracks.  But should this happen again (and we expect it
> will), we'd like to be able to find the source.

/usr/bin/fstat will tell you the inode of the cwd, and you can use
"find -inum" to locate it.  You can also install lsof from ports, which will
dig into the kernel and try to fetch the name itself:

(dan at dan.21) /home/dan> fstat -p $$ | grep wd
dan      zsh        77611   wd /        474264 drwxr-xr-x     533  r
(dan at dan.21) /home/dan> lsof -p $$ -a -d cwd
COMMAND   PID USER   FD   TYPE       DEVICE SIZE/OFF   NODE NAME
zsh     77611  dan  cwd   VDIR 60,504234031      533 474264 /usr/home/dan


-- 
	Dan Nelson
	dnelson at allantgroup.com
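The fstat-then-find recipe above as a script (an added example, not Dan's own code): parse_fstat_wd pulls the mount point and inode out of the "wd" line of fstat output, and locate_by_inode searches only that filesystem for a directory with that inode. fstat is FreeBSD-only, so the two demo functions run offline against constructed fstat output (the fd layout follows Dan's listing; the perl CMD column and the blog42 path are made up) and a throwaway directory.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: turn the fstat/find recipe
# into reusable functions. fstat(1) is FreeBSD-specific; the parsing and the
# find-by-inode step are demonstrated offline with constructed data.

# Extract "MOUNT INUM" from the cwd ("wd") line of `fstat -p PID` output.
# fstat columns: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
parse_fstat_wd() {
    awk '$4 == "wd" { print $5, $6; exit }'
}

# Inode numbers are only unique within one filesystem, so search only the
# mount point fstat reported and stay on it with -xdev.
locate_by_inode() {
    find "$1" -xdev -type d -inum "$2" -print 2>/dev/null
}

# Full procedure for a live PID (needs FreeBSD fstat in PATH).
find_cwd() {
    set -- $(fstat -p "$1" | parse_fstat_wd)
    [ $# -eq 2 ] || return 1
    locate_by_inode "$1" "$2"
}

# Offline demonstration using constructed fstat output (not captured data).
demo_parse() {
    printf '%s\n' \
        'USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W' \
        'www      perl5.8.8  63968 root /             2 drwxr-xr-x     512  r' \
        'www      perl5.8.8  63968   wd /        474264 drwxr-xr-x     533  r' \
        | parse_fstat_wd
}

# Offline demonstration of the inode search: make a directory, read its inode
# with `ls -di` (portable across FreeBSD and Linux), then find it by number.
demo_locate() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/blog42/wp-content/uploads"
    inum=$(ls -di "$tmp/blog42/wp-content/uploads" | awk '{print $1}')
    locate_by_inode "$tmp" "$inum"
    rm -rf "$tmp"
}

demo_parse    # prints "/ 474264"
demo_locate   # prints the uploads directory found by inode
```

A cwd that was deleted after the process started has no name left on disk, so the find step prints nothing even though fstat still reports the inode.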
