Linux contains a /proc filesystem with virtual files that maintain the current state of the system. You can actually access the proc system directly and view the command, command-line parameters, and other information.
In particular, if you have a suspicious process (detected using ps (Section 49.6)), you can investigate the process more thoroughly using the Linux proc filesystem. For instance, if ps -ux returns the following procecss:
Root 1684 0.0 0.7 7492 3888 ? S 13:44 0.00 rp3
you can change to the process directory by using the process number:
bash# cd /proc/1684
Once there, typing ls will show several entries, including ones titled cwd, exe, and cmdline. At that point you can use cat (Section 11.2) to print out the cmdline entry, which will show the command, including parameters that kicked off the process:
bash# cat cmdline rp3
Typing ls -l on cwd results in:
lrwxrwxrwx 1 root root 9 June 4 17:44 cwd-> /root
Typing ls-1 on exe results in:
lrwxrwxrwx 1 root root 9 June 4 17:44 cwd-> /usr/bin/rp3
The proc filesystem is extremely helpful, not only for security reasons, but also for general system usage.
-- SP
Copyright © 2003 O'Reilly & Associates. All rights reserved.