I have a process being started on my server that appears to modify what ps/top sees, so I don't know the filename or the path of it since it's hiding it (it's a perl script). How can I track down where the file is on disk?
Under /proc/<pid>/ there are various files which may help you find the culprit:

- cmdline is the command line used to start the process (including parameters). Unfortunately, this is apparently also changed if the process modifies its own command line.
- cwd is the working dir of the process; that might help as well.
- exe points to the running executable (however, for Perl scripts that will be the Perl interpreter, so might not be so helpful).
- status contains various information. In particular, the parent process (PPid) may be interesting; that will be the process that launched the script - might be helpful to find out who starts it.
- In fd, you'll find the list of files the process has currently opened (as symlinks); that should help figure out what it does.

On Linux you can check the /proc/[PID]/exe symlink, which points to the executable.
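
The /proc entries listed above can be collected in one pass. The following is an added example, not code from either answer; the function name proc_triage and its optional second argument (an alternate proc root, useful for pointing it at a copied directory tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise the /proc entries for one PID.
# Usage: proc_triage PID [PROC_ROOT]   (PROC_ROOT defaults to /proc)
proc_triage() {
    pid=$1
    root=${2:-/proc}
    dir="$root/$pid"
    [ -d "$dir" ] || { echo "no such process: $pid" >&2; return 1; }

    # exe and cwd are symlinks; readlink prints the target. On Linux the
    # target carries a " (deleted)" suffix if the file was unlinked.
    echo "exe:     $(readlink "$dir/exe" 2>/dev/null || echo '?')"
    echo "cwd:     $(readlink "$dir/cwd" 2>/dev/null || echo '?')"

    # cmdline is NUL-separated; the process can rewrite it, so treat it
    # as a hint only and compare it against exe, cwd and fd.
    echo "cmdline: $(tr '\0' ' ' 2>/dev/null < "$dir/cmdline")"

    # Parent PID from status, then the parent's executable for context.
    ppid=$(awk '/^PPid:/ {print $2}' "$dir/status" 2>/dev/null) || ppid=
    echo "ppid:    ${ppid:-?}"
    if [ -n "$ppid" ] && [ -L "$root/$ppid/exe" ]; then
        echo "parent:  $(readlink "$root/$ppid/exe" 2>/dev/null || echo '?')"
    fi

    # Each entry in fd/ is a symlink to an open file, socket or pipe.
    for fd in "$dir"/fd/*; do
        [ -L "$fd" ] || continue
        echo "fd ${fd##*/}: $(readlink "$fd" 2>/dev/null || echo '?')"
    done
}
```

Run it as root (for example `proc_triage 1234`), since the exe, cwd and fd links of another user's process are not readable otherwise.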