How can I find hidden processes on my server?

Post by admin » Mon Sep 29, 2008 11:23 am

The following line can be used to list out all running processes, regardless of whether or not they show up in 'top'.

mypid=`sysctl kernel.pid_max | cut -d " " -f3`; for rkit in `seq 1 $mypid`; do \
test -f /proc/$rkit/cmdline && (echo -n "[$rkit] "; strings /proc/$rkit/cmdline; echo); done


Using this from a shell will print out quite a bit of information, so it is suggested that you pipe it to a file. To do that, you only need to modify the command like so:

mypid=`sysctl kernel.pid_max | cut -d " " -f3`; for rkit in `seq 1 $mypid`; do \
test -f /proc/$rkit/cmdline && (echo -n "[$rkit] "; strings /proc/$rkit/cmdline; echo) >> /root/processes.txt; done


This should allow you to find anything hidden by a rootkit, or other users for that matter. Please note that all of the previous goes on one line. The \ character is there to split the line on your screen only, and should be removed if you paste this into an ssh session.
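An added example, not part of the original post: the one-liner above prints every process, so this sketch goes a step further and reports only the PIDs that answer under /proc but are missing from the ps listing. It assumes Linux /proc; the function names are hypothetical, and thread IDs (which also answer under /proc/N) are filtered out by comparing the Tgid field in /proc/N/status.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# probe_pids PROC_ROOT MAX_PID
# Print each PID in 1..MAX_PID whose PROC_ROOT/PID/cmdline exists. Paths are
# opened directly, so an entry missing from a directory listing is still found.
probe_pids() {
    proc_root=$1; max_pid=$2; pid=1
    while [ "$pid" -le "$max_pid" ]; do
        [ -f "$proc_root/$pid/cmdline" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

# is_thread PROC_ROOT ID
# True when ID is a thread of another process: Linux answers /proc/TID for
# thread IDs, and their Tgid field names the owning process instead of ID.
is_thread() {
    tgid=$(awk '/^Tgid:/ {print $2}' "$1/$2/status" 2>/dev/null)
    [ -n "$tgid" ] && [ "$tgid" != "$2" ]
}

# hidden_pids PROC_ROOT MAX_PID LISTED_FILE
# LISTED_FILE holds one PID per line, as reported by ps. Prints "PID cmdline"
# for every probed process that the listing does not contain.
hidden_pids() {
    probe_pids "$1" "$2" | while read -r pid; do
        grep -qx "$pid" "$3" && continue      # ps already shows it
        is_thread "$1" "$pid" && continue     # thread ID, not a process
        # cmdline is NUL-separated; show it with spaces instead
        args=$(tr '\000' ' ' 2>/dev/null < "$1/$pid/cmdline" | sed 's/ *$//')
        printf '%s %s\n' "$pid" "$args"
    done
}

# Live scan, run as root: sh find_hidden.sh --scan
if [ "${1:-}" = "--scan" ]; then
    listed=$(mktemp)
    ps -e -o pid= | tr -d ' ' > "$listed"
    hidden_pids /proc "$(cat /proc/sys/kernel/pid_max)" "$listed"
    rm -f "$listed"
fi
```

A PID reported on a single run may simply be a process that started after ps took its snapshot; one that is still reported on repeated runs is the one to investigate.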