Let's take a quick look at the files available for our running mystery
process (which we've already determined is likely the John the Ripper
password cracker) to see what we can learn. The process id was 24061, so
let's look at the files therein:

$ cd /proc/24061
$ ls
-r--r--r-- 1 axe axe 0 May 13 13:42 cmdline
lrwx------ 1 axe axe 0 May 13 13:42 cwd ->
/tmp/r (deleted)
-r-------- 1 axe axe 0 May 13 13:42 environ
lrwx------ 1 axe axe 0 May 13 13:42 exe ->
/tmp/r/john (deleted)
dr-x------ 2 axe axe 0 May 13 13:42 fd
pr--r--r-- 1 axe axe 0 May 13 13:42 maps
-rw------- 1 axe axe 0 May 13 13:42 mem
lrwx------ 1 axe axe 0 May 13 13:42 root -> /
-r--r--r-- 1 axe axe 0 May 13 13:42 stat
-r--r--r-- 1 axe axe 0 May 13 13:42 statm
-r--r--r-- 1 axe axe 0 May 13 13:42 status

Some of these bits we've already seen interpreted by ps or lsof, such as
the cwd (current working directory) and the files inside fd (the open
file descriptors.) The cmdline file contains the command line that was
used to start the program -- or whatever the program altered it to.
These come straight out of the argv array, for you C programmers. Each
argument is separated by a null, which means that it looks all jumbled
together if you simply 'cat' it. Say I launch 'find / -name \*.mp3 -exec
chmod a+r {} \;' in a window

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine