guardicore / labs_campaigns


Get ALL PIDs for a process #4

Open B-LUC opened 4 years ago

B-LUC commented 4 years ago

Small change for the detection of a deleted process:

# For each watched process name, check whether the running executable has been
# unlinked from disk ("(deleted)" in the /proc/PID/exe link target).
for pn in "${proc_names[@]}"; do
    for exe_pid in $(pidof "$pn"); do
        exe_path=$(ls -l "/proc/$exe_pid/exe" 2>/dev/null | grep deleted)
        if [[ $exe_path ]]; then
            malicious_proc=true
            echo "[*] Fileless process $pn is running on the server."
        fi
    done
done

PenelopeFudd commented 4 years ago

Or even:

ls -l /proc/*/exe 2>&1 | grep '(deleted)'

The problem with this (and the original) code is that if a process is in a chroot jail or an alternate namespace (e.g. docker), then the executable may say '(deleted)' even if it's not. If the executable is shown as /proc/31337/exe -> /usr/bin/nginx (deleted), it might actually be found at /proc/31337/root/usr/bin/nginx. The kernel does a bad job of generating these symlinks, apparently!

For extra fun, try running a chroot-ed process inside a docker container. It's completely bonkers. Example: Start a docker image of haproxy, which needs root access and chroots itself. Then /proc/7777/root points to the chroot-ed directory inside the namespace, but you can do 'cd /proc/7777/root; cd ../../..' and get to the root directory of the namespace, which chroot shouldn't allow but does. The 'pwd' command is hopelessly confused by that point.
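The check described above (look for the recorded path under /proc/PID/root before trusting a "(deleted)" link), written out as an added example; this is not code from the labs_campaigns repository or from the commenters. It goes one step beyond the comment by also comparing inodes, so a path that still exists but is a different file (a binary replaced by a package upgrade) is reported separately from a true fileless process. The function names `inode_of`, `classify_exe` and `scan_fileless` are assumptions of this example.

```shell
# Added example, not from the guardicore project: classify a "(deleted)"
# /proc/PID/exe link by looking at the same path inside the process's own
# root (/proc/PID/root) instead of the scanner's root.

# inode_of FILE: print the inode of the file FILE ultimately points to
inode_of() {
    ls -Li "$1" 2>/dev/null | awk '{print $1}'
}

# classify_exe LINK_TARGET ROOT EXE_LINK
#   LINK_TARGET  what readlink printed for the exe link
#   ROOT         the process's root as visible from here (normally /proc/PID/root)
#   EXE_LINK     the exe link itself, used for the inode comparison
# Prints one of: present | namespace-artifact | replaced | fileless
classify_exe() {
    target=$1 root=$2 exe=$3
    case $target in
        *" (deleted)") ;;
        *) echo present; return ;;
    esac
    path=${target%" (deleted)"}          # path the kernel recorded for the binary
    if [ ! -e "$root$path" ]; then
        echo fileless                      # gone from the process's own view
    elif [ "$(inode_of "$exe")" = "$(inode_of "$root$path")" ]; then
        echo namespace-artifact            # same file; the link text is misleading
    else
        echo replaced                      # path exists but is a different file
    fi
}

# scan_fileless: walk /proc and report only processes classified as fileless
scan_fileless() {
    for exe in /proc/[0-9]*/exe; do
        pid=${exe#/proc/}; pid=${pid%/exe}
        target=$(readlink "$exe" 2>/dev/null) || continue   # kernel thread or no permission
        verdict=$(classify_exe "$target" "/proc/$pid/root" "$exe")
        [ "$verdict" = fileless ] && echo "[*] Fileless process pid=$pid exe=$target"
    done
    return 0
}
```

Run `scan_fileless` as root so that /proc/PID/root of other users' processes is readable; otherwise those processes are skipped rather than flagged.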