1

A users account have been hacked on one of my servers, where the hacker have started some spam binaries. Before I kill the processes would I like to make a copy of them, but when I

tar czf 30333.tar.gz /proc/30333

all files are empty.

Question

How do I make a copy of /proc/30333?

Jasmine Lognnes
  • 2,490
  • 8
  • 31
  • 51
  • 1
    http://en.wikipedia.org/wiki/Procfs#Linux – Sven Jun 05 '14 at 19:00
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) –  Jun 05 '14 at 21:24

4 Answers4

2

Here is one script that allows you to cap the size of files to be saved (here 32 or 64 MiB depending on the shell ) :

PID=30333
ulimit -f 65536
cd /proc/$PID || exit 1
find . -type d -exec sh -c 'mkdir -p /tmp/proc/$PID/$1' sh {} \;
find . -type f -exec sh -c 'cat $1 > /tmp/proc/'$PID'/$1' sh {} \;
tar czf /tmp/$PID.tgz /tmp/proc/$PID
rm -rf /tmp/proc/$PID
jlliagre
  • 8,691
  • 16
  • 36
1

/proc is a virtual file system and doesn't have any actual files, but rather contains information on the processes running on the system.

mvillar
  • 392
  • 2
  • 14
1

Solution

cp -r /proc/30333 /root
tar czf /root/30333.tar.gz /root/30333
Jasmine Lognnes
  • 2,490
  • 8
  • 31
  • 51
1

Make sure that /proc/30333/exe is included in what you copy. Not just the symlink, but the actual executable that it is pointing to.

A memory image might be useful too. You can create a core dump by typing:

gdb
attach 30333
gcore
kasperd
  • 29,894
  • 16
  • 72
  • 122