Re: spam and bad process trace

On Tue, 2006-08-01 at 15:25 +0530, Kaushal Shriyan wrote:
> Hi ALL
>  
> I am looking for a solution to find a spamming or bad process script which is
> running using the tmp location.
> /proc/PID gives more info.
> If I run
> ll /proc/* |grep cwd
> it will show the current working directory.
> If we try to search ll /proc/*, how can we find who is sending spam
> currently?
> My simple question is: I would like to search scripts from tmp and I
> would like to trace a process from proc/, a bad process or spam process.
>  

If you suspect the system was compromised and has a spam package
installed it is likely that other parts of the system have been
compromised as well, including the ps command and other utilities.  In
that case ps and other commands may not report the process you are
looking for.  It sounds like you are convinced the box is spewing spam;
your best bet is to shut it down and reload it from a known good backup.
Even if you did track down the specific script, which would most likely
require you to examine all items under /tmp manually, the spammer may
have a back door installed that they will use to install the spam
package again, or since you obviously tried to remove the first one they
might just trash the system.  

Best bet is to re-install and secure the system.  
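
The /proc check asked about in the question, as an added example that is not part of either poster's message: it reads each process's cwd and exe symlinks directly instead of relying on ps. The function names and the list of watched directories are assumptions, and the output is only as trustworthy as the host it runs on.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Flags processes whose working directory or executable sits in a
# world-writable temp location, or whose binary was deleted after launch.
# Assumption: WATCH_DIRS is a starting set; adjust it for the host.
WATCH_DIRS="/tmp /var/tmp /dev/shm"

# under_watch PATH -> succeeds if PATH is one of WATCH_DIRS or inside one
under_watch() {
    for d in $WATCH_DIRS; do
        case "$1" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# scan_proc ROOT -> prints "PID<TAB>reasons<TAB>cwd<TAB>exe" per flagged process
scan_proc() {
    root="${1:-/proc}"
    for p in "$root"/[0-9]*; do
        [ -d "$p" ] || continue
        pid="${p##*/}"
        # readlink fails for kernel threads and for processes we may not
        # inspect; record those as unknown instead of aborting
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd="?"
        exe=$(readlink "$p/exe" 2>/dev/null) || exe="?"
        reason=""
        if under_watch "$cwd"; then reason="cwd-in-tmp"; fi
        if under_watch "$exe"; then reason="${reason:+$reason,}exe-in-tmp"; fi
        # The kernel appends " (deleted)" once the binary has been unlinked
        case "$exe" in
            *" (deleted)") reason="${reason:+$reason,}exe-deleted" ;;
        esac
        [ -n "$reason" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$pid" "$reason" "$cwd" "$exe"
    done
    return 0
}

# Scan the live system (run as root to see every process)
scan_proc "${1:-/proc}"
```

Anything it flags is a lead for examining the files under /tmp, not proof that the rest of the system is clean.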


