SE alert
jd1008
jd1008 at gmail.com
Sun Jul 19 01:57:00 UTC 2015
On 07/18/2015 07:53 PM, Ed Greshko wrote:
> On 07/19/15 09:17, jd1008 wrote:
>> debugfs -R 'ncheck 47972353' /dev/sda3 2>/dev/null
>> Inode Pathname
>> 47972353 //root
>>
>> So, why is it trying to do that?
>> I am not logged in as root.
>>
>> How can I find out the process(es) that spawned sh
>> to access /root?
> OK, so you have determined that the path being accessed and cited by the alert is /root.
>
> Don't know if the process is still around, but supposedly it was pid=6476.
>
This is frustrating!!
$ ps -p 6476
PID TTY TIME CMD
$
More information about the users
mailing list