In addition to ps and kill, Unix supports a large number of lesser-known tools for examining and controlling running processes. These commands are useful to programmers and system administrators; they are also very helpful in analyzing an attacker's processes during and after a break-in. Some of the ways you can examine or control processes include the following:
You can attach to the running process with a debugger such as gdb.
You can use the gcore command to dump the process memory map.
You can use the lsof program to list the open files in use by the program.
You can examine the process directly using the /proc process filesystem.
You can see a tree of all processes with the pstree command.
Not all of these tools are available on every version of Unix.
Strictly speaking, many of these tools work with processes that are either running or stopped. However, if you have a rogue process on your system, you may wish to stop it with the SIGSTOP signal before examining it, so that it cannot change its state, clean up after itself, or react to your inspection while you look.
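The procedure the list above and this paragraph describe, as an added example that is not from the book: stop a suspect process with SIGSTOP, then record what the /proc filesystem exposes about it (executable, working directory, command line, status, memory map and open descriptors, the last being the same facts lsof presents) before deciding whether to resume it. It assumes a Linux-style /proc with the standard per-process entries; the function names and the snapshot directory layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): freeze a suspect process with SIGSTOP,
# snapshot what /proc exposes about it, and let the caller decide when to SIGCONT.
# Assumes a Linux /proc; the entries used under /proc/<pid>/ are the standard ones.

# proc_state PID -> prints the one-letter scheduler state (R, S, T, Z, ...)
proc_state() {
    # The comm field in /proc/PID/stat is parenthesised and may contain spaces,
    # so strip everything up to the closing parenthesis before splitting on blanks.
    sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1
}

# snapshot_proc PID DIR -> copy the volatile /proc facts about PID into DIR for later review
snapshot_proc() {
    pid=$1; out=$2
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out" || return 1
    # exe, cwd and root are symlinks; readlink records the target even when the
    # binary has been deleted from disk since it started (the target gains a
    # "(deleted)" suffix), which a file-system search alone would miss.
    readlink "/proc/$pid/exe"  > "$out/exe"  2>/dev/null
    readlink "/proc/$pid/cwd"  > "$out/cwd"  2>/dev/null
    readlink "/proc/$pid/root" > "$out/root" 2>/dev/null
    # cmdline is NUL-separated; turn the NULs into spaces for readability.
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline" 2>/dev/null
    echo >> "$out/cmdline"
    cp "/proc/$pid/status" "$out/status" 2>/dev/null
    cp "/proc/$pid/maps"   "$out/maps"   2>/dev/null
    # Open descriptors, straight from the kernel: sockets, pipes and files,
    # including files unlinked after being opened.
    ls -l "/proc/$pid/fd" > "$out/fd" 2>/dev/null
    proc_state "$pid" > "$out/state"
    return 0
}

# freeze_and_snapshot PID DIR -> SIGSTOP the process so it cannot react or clean up
# while being examined, wait until the kernel reports it stopped (T), then snapshot.
freeze_and_snapshot() {
    kill -STOP "$1" 2>/dev/null || return 1
    i=0
    while [ "$(proc_state "$1")" != "T" ] && [ "$i" -lt 5 ]; do
        sleep 1; i=$((i + 1))
    done
    snapshot_proc "$1" "$2"
}

# Stand-alone demonstration on a harmless background process: sh this_file demo
if [ "${1:-}" = "demo" ]; then
    sleep 60 & victim=$!
    dir=$(mktemp -d)
    freeze_and_snapshot "$victim" "$dir" && echo "snapshot in $dir (state: $(cat "$dir/state"))"
    cat "$dir/exe" "$dir/cmdline"
    kill -CONT "$victim"; kill "$victim"
fi
```

Run the demo as root to examine processes you do not own; for your own processes (or their descendants) no extra privilege is needed. Keep the snapshot directory off the compromised host's writable file systems where practical, since anything the attacker can still write to can also be altered.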
One reason to be familiar with these tools is that many attackers will modify a penetrated system in such a way that the system ps command will no longer display processes belonging to the attacker. These modifications are most often done with programs that are collectively known as rootkits.
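One defensive check that follows from this paragraph, as an added example that is not from the book: compare the process IDs that ps reports with the numeric entries in /proc, and flag any process the kernel knows about but ps does not list. It assumes a Linux /proc and a ps that accepts the POSIX `-e -o pid=` form, and it assumes the tampering is confined to the ps binary in user space; a rootkit that also alters the kernel's /proc view can hide from both listings, so an empty result is not proof of a clean system. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): cross-check ps against /proc to find
# processes a trojaned ps no longer displays. Assumes a Linux /proc and a ps
# that understands "-e -o pid=".

# pids_from_ps -> sorted unique PIDs as reported by the (possibly tampered) ps binary
pids_from_ps() { ps -e -o pid= | tr -d ' ' | sort -n | uniq; }

# pids_from_proc -> sorted unique numeric directory names under /proc, i.e. the kernel's view
pids_from_proc() {
    for d in /proc/[0-9]*; do echo "${d#/proc/}"; done | sort -n | uniq
}

# hidden_pids -> PIDs present in /proc but absent from ps, one per line.
# Processes that start or exit between the two listings would otherwise appear
# as noise, so each candidate is re-checked: it must still exist in /proc and
# still be missing from a fresh ps listing.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || { echo "ps not found" >&2; return 2; }
    first=$(pids_from_ps)
    for p in $(pids_from_proc); do
        echo "$first" | grep -qx "$p" && continue
        [ -d "/proc/$p" ] || continue               # exited since listing: not hidden
        pids_from_ps | grep -qx "$p" && continue    # started since listing: not hidden
        echo "$p"
    done
    return 0
}

# report_hidden -> one tab-separated line per suspicious PID: pid, executable, command line,
# all read from /proc rather than from any user-space tool the attacker may have replaced.
report_hidden() {
    hidden_pids | while read -r p; do
        printf '%s\t%s\t%s\n' "$p" \
            "$(readlink "/proc/$p/exe" 2>/dev/null)" \
            "$(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
    done
}

# Stand-alone use: sh this_file report
if [ "${1:-}" = "report" ]; then
    report_hidden
fi
```

Because the check relies only on the kernel's /proc listing and on coreutils, it is most trustworthy when run from known-good binaries (for example, statically linked copies on read-only media) rather than from the tools found on the suspect host.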
Once a system has been modified with a rootkit, it can be very difficult to detect the continued presence of an attacker. However, few rootkits modify such ...