Your Server Got Hacked? Get Linux Process Detail Information


Once your server is compromised, the attacker usually plants a backdoor on it, and finding that backdoor can be tricky. A standard “netstat -anlp” lets you see whether there is any unusual listening port on your server; it displays the port number, PID, and process name.

The thing is, they usually hide the process under another, regular-looking process name to make it harder to find. However, I’ve found a very simple script, written by Henri Benoit here, that shows detailed information about a suspicious process given its PID.
Just open your editor and paste the code below. Run it as “scriptname [PID]”.


#!/bin/sh

if [ $# -ne 1 ]; then
    echo "Usage: $0 PID"
    exit 1
fi

PID=$1

# kill -0 sends no signal; it only tests whether the PID exists and we may signal it
# (run as root so every process is visible).
if kill -0 "$PID" 2>/dev/null; then
    echo "Information about process $PID"
    echo
    echo "----- Working Directory -----"
    echo
    readlink /proc/$PID/cwd
    echo
    echo "----- Command line -----"
    echo
    ps eho command -p "$PID"
    echo
    echo "----- Environment -----"
    echo
    # /proc/PID/environ is NUL-separated; print one entry per line
    tr '\0' '\n' < /proc/$PID/environ
    echo
    echo "----- Resource usage -----"
    echo
    echo "CPU   : $(ps ho %cpu -p "$PID")%"
    echo "MEMORY: $(ps ho %mem -p "$PID")%"
    echo
    echo "----- TCP connections -----"
    echo
    netstat -pan | grep " $PID/" | grep tcp | awk '{ print "Status: "$6" local: "$4" remote: "$5 }'
    echo
    echo "----- UDP connections -----"
    echo
    netstat -pan | grep " $PID/" | grep udp | awk '{ print "Local: "$4" remote: "$5 }'
    echo
    echo "----- Open files -----"
    echo
    lsof -p "$PID"
else
    echo "Process $PID does not exist"
    exit 2
fi
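The script above prints everything about one PID and leaves the judgement to you. As an added companion (my own example, not part of the original post or Henri Benoit's script), the following reads the same /proc entries and flags the three signs of a process hiding under a regular-looking name: the executable was deleted from disk after it started, the name in /proc/PID/comm does not match the executable /proc/PID/exe points to, or it runs out of /tmp, /var/tmp or /dev/shm. The proc root is a parameter (an assumption of this example) so the check can also be run against a copied /proc tree.

```sh
#!/bin/sh
# Added companion check, not part of the original post: it reads the same /proc
# entries and flags signs of a process hiding under a regular-looking name.
# The proc root is a parameter (an assumption) so it can run on a copied tree.

# check_pid PID [PROC_ROOT]: print findings; return 0 if clean, 1 if suspicious.
check_pid() {
    pid=$1; root=${2:-/proc}; dir="$root/$pid"; rc=0
    [ -d "$dir" ] || { echo "pid $pid: no such process"; return 2; }
    exe=$(readlink "$dir/exe" 2>/dev/null)   # binary the kernel actually loaded
    comm=$(cat "$dir/comm" 2>/dev/null)      # name shown by ps/top (15 chars max)
    cwd=$(readlink "$dir/cwd" 2>/dev/null)

    # Binary unlinked after start: dropped, run, then deleted to leave no file.
    case "$exe" in
        *" (deleted)") echo "pid $pid: executable deleted from disk: $exe"; rc=1 ;;
    esac

    # Claimed name vs. real executable; comm is a truncated prefix of the program
    # name, so compare as prefix. A mismatch is a lead, not proof (some daemons rename).
    base=${exe##*/}; base=${base%" (deleted)"}
    if [ -n "$exe" ] && [ -n "$comm" ]; then
        case "$base" in
            "$comm"*) ;;
            *) echo "pid $pid: name '$comm' but executable is '$base'"; rc=1 ;;
        esac
    fi

    # Running from, or working in, world-writable scratch space.
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "pid $pid: executable in scratch dir: $exe"; rc=1 ;;
    esac
    case "$cwd" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) echo "pid $pid: cwd is $cwd"; rc=1 ;;
    esac
    return $rc
}

# scan_all [PROC_ROOT]: run check_pid over every numeric entry, keep going past findings.
scan_all() {
    for d in "${1:-/proc}"/[0-9]*; do
        [ -d "$d" ] || continue
        check_pid "${d##*/}" "${1:-/proc}" || :
    done
}

# Usage: sh check_proc.sh all   (live scan of this host)   or   sh check_proc.sh PID...
if [ "${1:-}" = all ]; then scan_all; else for p in "$@"; do check_pid "$p"; done; fi
```

Treat a hit as a starting point: verify the flagged binary against the package manager (rpm -V or dpkg --verify) before deciding it is a backdoor.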

This entry was posted in CPANEL, Linux.
