By the time you receive this, UnSpawn may have replied with these tips:
You have the PID, so 'lsof -w -n -p $PID' or 'ls -al /proc/$PID/fd' should show the deleted file still open on a file descriptor. Then cat or copy the file to another fs that's not /tmp. Run 'file' on it and then inspect using utilities like strings, ldd, objdump, AV or running it in a VM if it's some binary.
--------------
Where I replaced $PID with the relevant number.
------------------------------------------------------
After a new scan I got some new PIDs for deleted files, then:
Process: /usr/sbin/hald PID: 2884 File: /tmp/init.I04Uf9
ls -al /proc/2884/fd gave me the next number ... ditto for all 3 PIDs.
ls -al /proc/2884/fd/4
lr-x------ 1 root root 64 2008-03-07 09:15 /proc/2884/fd/4 -> /tmp/init.I04Uf9 (deleted)
Root file manager: cp /proc/2884 to my dox.
Some error messages ('could not read') during the copy, which I auto-ignored for all 3 PIDs.
cat /home/gordy/Documents/2884/task/2884/cwd/proc/2884/fd/4
Starting system message bus: [ OK ]
---------------------------------------------------------------------------------------
[09:15:48] Process: /usr/sbin/crond PID: 2917 File: /tmp/init.QvNekH
# ls -al /proc/2917/fd/4
lr-x------ 1 root root 64 2008-03-07 09:15 /proc/2917/fd/4 -> /tmp/init.QvNekH (deleted)
Root file manager attempted a similar pathway, dox/pid/task/pid/cwd/proc ... no proc for 2917?
Looking elsewhere I finally got:
# cat /home/gordy/Documents/2917/root/proc/2917/task/2917/fd/4
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
--------------------------------------------------------------------------------------------
[09:15:48] Process: /sbin/ifplugd PID: 3103 File: /tmp/init.pkUaLy
ls -al /proc/3103/fd/4
lr-x------ 1 root root 64 2008-03-07 09:15 /proc/3103/fd/4 -> /tmp/init.pkUaLy (deleted)
and
# cat /home/gordy/Documents/3103/root/proc/3103/fd/4
Starting resolvconf: [ OK ]
----------------------------------------------------------
My verdict: all false positives. Thanks to UnSpawn I am a happy camper again.
Hope this helps someone.
Redid PID 2884 the same way as for the last 2, and that way looks a winner.
So after you use root powers to copy /proc/(PID number) to /home/yourname/Dox, try the path PID/root/proc/PID/fd/(relevant number from UnSpawn's 'ls -al /proc/(PID number)/fd').
cheerio
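The procedure above (find the "(deleted)" entries under /proc/PID/fd, then copy the still-open contents out of /tmp and identify them) as an added shell example; this is not from the post, from UnSpawn, or from rkhunter. It assumes a Linux /proc filesystem and enough privilege to read the target process's fd table (root for daemons such as hald or crond). It generalises the post slightly: instead of a single known fd number it walks every descriptor of the PID, and it reads straight through /proc/PID/fd/N rather than through a copied /proc tree, which is what made the poster's paths so awkward. Function names and the output-file naming are my own.

```bash
#!/bin/sh
# recover_deleted_fds.sh (added example, not part of the rkhunter list post)
# Walk /proc/PID/fd, report every descriptor whose file has been unlinked, and
# copy the still-open contents to an output directory for offline inspection.

# Print "fd<TAB>original path" for each deleted-but-open fd of a PID.
list_deleted_fds() {
    pid=$1
    for link in /proc/"$pid"/fd/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link") || continue
        # The kernel appends " (deleted)" to the link target once the name is gone.
        case $target in
            *" (deleted)") printf '%s\t%s\n' "${link##*/}" "${target% (deleted)}" ;;
        esac
    done
}

# Copy each deleted-but-open fd of a PID to OUTDIR/PID-fdN-<basename>.
# Prints the path of every copy that succeeded; read failures go to stderr
# (the poster's "could not read" errors), but the loop continues.
recover_deleted_fds() {
    pid=$1 outdir=$2
    mkdir -p "$outdir" || return 1
    list_deleted_fds "$pid" | while IFS=$(printf '\t') read -r fd target; do
        dest="$outdir/$pid-fd$fd-$(basename "$target")"
        # Opening the fd symlink reaches the inode even though its name is gone,
        # so OUTDIR (not under /tmp) ends up with a byte-exact copy.
        if cat "/proc/$pid/fd/$fd" > "$dest" 2>/dev/null; then
            printf '%s\n' "$dest"
        else
            printf 'could not read fd %s of pid %s\n' "$fd" "$pid" >&2
            rm -f "$dest"
        fi
    done
}

# Run file(1) over recovered copies so binaries and scripts stand out from
# harmless init output like "Starting system message bus: [ OK ]".
describe_recovered() {
    for f in "$@"; do
        if command -v file >/dev/null 2>&1; then
            printf '%s: %s\n' "$f" "$(file -b "$f")"
        else
            printf '%s: file(1) not available, %s bytes\n' "$f" "$(wc -c < "$f")"
        fi
    done
}

# Stand-alone use: recover_deleted_fds.sh PID OUTDIR
if [ "$#" -ge 2 ]; then
    recover_deleted_fds "$1" "$2" | while read -r copy; do
        describe_recovered "$copy"
    done
fi
```

If the process exits before you copy, the inode is freed and the fd entry disappears, so take the copy first and only then run strings, ldd or objdump on the saved file; lsof -w -n -p PID gives the same fd-to-path mapping when /proc is hard to read by hand.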
Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users