How can I find hidden processes on my server?
The following one-liner lists every running process, regardless of whether or not it shows up in 'top'. It does this by checking /proc/<pid>/cmdline directly for every possible PID up to kernel.pid_max.
mypid=`sysctl kernel.pid_max | cut -d " " -f3`; for rkit in `seq 1 $mypid`; do \
test -f /proc/$rkit/cmdline && (echo -n "[$rkit] "; strings /proc/$rkit/cmdline; echo); done
Running this from a shell prints quite a bit of information, so it is suggested that you redirect the output to a file. To do that, you only need to modify the command like so:
mypid=`sysctl kernel.pid_max | cut -d " " -f3`; for rkit in `seq 1 $mypid`; do \
test -f /proc/$rkit/cmdline && (echo -n "[$rkit] "; strings /proc/$rkit/cmdline; echo) >> /root/processes.txt; done
This should allow you to find anything hidden by a rootkit, or by other users for that matter. Please note that each of the commands above goes on one line. The \ character is there only to split the line on your screen, and should be removed if you paste this into an ssh session.
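
The walk above prints every process and leaves you to spot the odd one out by eye. As an added example (not part of the original article), this sh script keeps only the IDs that answer at /proc/<id> yet are missing from the /proc directory listing, counting thread IDs as visible because they answer directly without being listed. The function names, the PROC_ROOT variable and the "scan" argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original article. Function names, PROC_ROOT
# and the "scan" argument are assumptions of this example.
LC_ALL=C; export LC_ALL   # one collation for sort and comm

# IDs visible when /proc is listed: PIDs plus the thread IDs under task/.
# Threads answer at /proc/<tid> without being listed at the top level, so
# they count as visible; otherwise every thread would look hidden.
visible_ids() {
    for d in "$1"/[0-9]* "$1"/[0-9]*/task/[0-9]*; do
        [ -d "$d" ] && echo "${d##*/}"
    done | sort -u
}

# IDs that answer a direct path lookup: the brute-force walk from the article.
probe_ids() {
    i=1
    while [ "$i" -le "$2" ]; do
        if [ -e "$1/$i/cmdline" ]; then echo "$i"; fi
        i=$((i + 1))
    done | sort -u
}

# Lines in the probed list ($2) that are missing from the visible list ($1).
unlisted() { comm -13 "$1" "$2"; }

# Print IDs unlisted both before and after the probe that still answer at the
# end. Processes that start or exit mid-scan fail one of those checks.
find_hidden() {
    tmp=$(mktemp -d) || return 1
    visible_ids "$1" > "$tmp/before"
    probe_ids "$1" "$2" > "$tmp/probed"
    visible_ids "$1" > "$tmp/after"
    unlisted "$tmp/before" "$tmp/probed" > "$tmp/cand"
    unlisted "$tmp/after" "$tmp/cand" | while read -r id; do
        if [ -e "$1/$id/cmdline" ]; then
            printf '[%s] %s\n' "$id" "$(tr '\000' ' ' 2>/dev/null < "$1/$id/cmdline")"
        fi
    done
    rm -rf "$tmp"
}

# Scan the live system only on request: sh find_hidden.sh scan
if [ "${1:-}" = "scan" ]; then
    find_hidden "${PROC_ROOT:-/proc}" "$(sysctl -n kernel.pid_max)"
fi
```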