Quick way to find out if you "ps" has been compromised

Here’s a really quick way to find out if your “ps” binary has been compromised :

# ls -d /proc/* | grep [0-9] | wc -l ; ps aux | wc -l

The commands above are going to show you two numbers : the first one is the number of running processes according to your kernel and the second one is the number of running processes according to you “ps” binary.

If the second one differs from the previous one, something is wrong and this could mean your “ps” binary was compromised. If this happens to you, maybe your system is not a trusted system anymore.

9 comentários sobre “Quick way to find out if you "ps" has been compromised

  1. There’s something wrong with this command.
    I tried it and it game me completely strange results, then I debugged it to:

    ls -d1 /proc/* | grep “[0-9]” | wc-l; ps aux |wc -l

    This should be correct, ‘grep’ has to have quotes and ‘ls’ default is to show more than one command per line.

  2. @dudus

    As I said previously, this “may” mean your “ps” is compromised. It’s not a clear and indisputable sign that it is really compromised.

    I’m not going to tell anyone that one should trust only this small trick to slap a “compromised” stick in one’s system.

    You should try to find out which differences you have in these two outputs checking more closely at your /proc and comparing it to your “ps” output to try and find suspicious signs.

    Also, checking your “ps” binary mdsum/sha1sum against a know good binary is surely a good thing to do.

  3. @Frederico

    Well, the command line, exactly as I published it, worked fine on a lot of my personal systems, all of them based on Debian unstable (Linux kernel 2.6.26).

    I don’t know if you’re using Debian or even Linux, but as virtually 100% of my readers are aware that I’m a Debian user myself, they should be advised that the command line runs fine on such a system.

    BTW, the proposed command line you gave in your comment doesn’t work on any of my Debian unstable systems at all.

    First, you have a “wc-l” when it should be “wc -l”. You are lacking a space after the “c” and before the minus signal.

    But even fixing this, I still get the following :

    andrelop@foolish:~$ ls -d1 /proc/* | grep “[0-9]” | wc -l; ps aux |wc -l

    So, I think my original command line, when executed on a standard Debian unstable system as pointed previsouly, works fine.


  4. @Patricia

    Don’t be afraid 🙂 Just try to find out what’s the culprit. Check my previous answers above and try to get more into details as to why your system is giving you these outputs.

    And, as said numerous times before (you guys should read a “maybe” as a “maybe”, not as a “surely it’s like I wrote, no doubt about that”), it could be that it was just a false positive.

    There’s no way for me to know what sort of things you guys are running on your systems (operating systems, kernels, softwares, versions, patches, etc) so, I for one would assume that I’m the only who knows more about my specific system/setup than a random Don Joe at the IntarWebs out there 🙂


  5. If you use linux colors, try changing the ls command to:

    ls –color=none -d /proc/* | grep “[0-9]” | wc-l; ps aux |wc -l

    This should fix the difference between the two commands. 😉

  6. Did you really tried out the command?

    ps outpus a header, which give us one more line.

    My suggestion would be:

    # ls -d /proc/[0-9]* | wc -l; ps -A h | wc -l

    My results:

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair /  Alterar )

Foto do Google

Você está comentando utilizando sua conta Google. Sair /  Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair /  Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair /  Alterar )

Conectando a %s