Each process has a PID, and each PID has a corresponding directory under /proc; this is how the Linux kernel (2.6 at the time of writing) exposes process information. Backdoor programs usually cannot be found with ps and similar process-viewing tools, because once a system has been compromised these tools, and even the system libraries they rely on, have typically been replaced (a large number of such rootkits circulate on the Internet; if the Trojan is kernel-level, the method described here will not work). Since modifying the kernel is comparatively complex (and if the kernel has been modified or a kernel-level Trojan is present, detection is much harder), traces of a Trojan can usually still be found in /proc. The idea: look for process IDs that exist in /proc but cannot be seen (are hidden) in ps. Bash shell:
#!/bin/bash
# PIDs that ps reports (first column; the "PID" header line is harmless)
str_pids="$(ps -A | awk '{print $1}')"
# Every numeric entry under /proc is a process the kernel knows about
for i in /proc/[[:digit:]]*; do
    # -x matches the whole line, so PID 1 is not satisfied by a listed PID 10
    if echo "$str_pids" | grep -qsx "$(basename "$i")"; then
        :
    else
        echo "Rootkit's PID: $(basename "$i")"
    fi
done
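A more careful version of the same check, added here as an example and not part of the original post: the comparison is pulled into functions that take the proc root and the listing tool's PID list as arguments (an assumption made so the check can be exercised against a constructed directory tree), the PID list is normalised so the padding ps emits does not break matching, and whole-line matching ensures a hidden PID 2 is not masked by a listed PID 20.

```shell
#!/bin/sh
# Added example, not from the original post. Compares the numeric entries under a
# /proc-style tree with the PIDs a process-listing tool reports and prints those
# the tool omitted. Taking the proc root and the PID list as parameters is an
# assumption made so the check can be run against a constructed tree.

# pids_from_proc PROC_ROOT: numeric directory names under PROC_ROOT, one per line.
pids_from_proc() {
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue          # also skips an unexpanded glob
        basename "$d"
    done
}

# hidden_pids PROC_ROOT LISTED: print each PID present in PROC_ROOT but absent
# from LISTED (newline-separated PIDs, e.g. the output of `ps -A -o pid=`).
# grep -x matches the whole line, so PID 2 is not hidden behind a listed 20 or 12.
hidden_pids() {
    proc_root="$1"
    listed=$(printf '%s\n' "$2" | tr -d ' \t')   # ps pads PIDs with spaces
    pids_from_proc "$proc_root" | while read -r pid; do
        if ! printf '%s\n' "$listed" | grep -qx "$pid"; then
            echo "$pid"
        fi
    done
}

# count_hidden PROC_ROOT LISTED: number of hidden PIDs, for a quick yes/no check.
count_hidden() {
    hidden_pids "$1" "$2" | wc -l | tr -d ' '
}

# Live run against the real /proc when invoked with --live, compared against the
# installed ps. Any PID printed here deserves a closer look.
if [ "${1:-}" = "--live" ]; then
    hidden_pids /proc "$(ps -A -o pid=)"
fi
```

Because processes start and exit between the ps call and the /proc scan, a PID that appears once in a live run should be re-checked before it is treated as evidence of a rootkit.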
Discussion: checking whether a (Linux) system has been compromised. How hard this is depends mainly on whether the intruders covered their tracks and did their homework thoroughly. For an intrusion where the attacker did enough homework, the clean-up will be painstaking and painful. In that case professional third-party tools are needed (open source, for example Tripwire or AIDE). Such tools are difficult to deploy and use, and not every administrator can use them skilfully. In fact, the Linux system itself already provides a "verification" mechanism to check that programs on the system have not been modified. For example, the rpm package management system provides the -V option: rpm -Va verifies every package on the system and prints the files that differ from what was installed, together with the related information. However, the rpm system itself may have been damaged, for example modified by the intruder.