Get the cwd of a process?
patrick
gibblertron at gmail.com
Thu Oct 29 21:22:57 UTC 2009
Is there any way to get the cwd of a process? We had the situation
recently where a perl script was called from an infiltrated Wordpress
installation, but we weren't able to determine which of the hundreds
of Wordpress blogs was the source. The ps listing showed:
www 63968 2.4 0.2 26092 5008 ?? Rs 5:36PM 93:10.67 ./mrf.pl (perl5.8.8)
The procfs entry was no help because it does not seem to provide a
cwd. The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
We had to kill the process, and whoever was responsible did a good
job of hiding their tracks. But should this happen again (and we
expect it will), we'd like to be able to find the source.
Patrick
More information about the freebsd-questions mailing list