scan_deleted_process.sh
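#!/usr/bin/env bash
# Scan /proc for running processes whose executable has been unlinked from
# disk, i.e. the /proc/<pid>/exe link target ends in " (deleted)".  This is a
# classic trace of a self-deleting payload, but it also happens legitimately
# when a package upgrade replaces a binary that is still running — triage the
# CMD/EXE lines before acting on the findings.
#
# Reading another user's /proc/<pid>/exe requires root (or CAP_SYS_PTRACE);
# unreadable entries are skipped silently, so an unprivileged run can only
# report the invoking user's own processes and a "clean" result is then weak.
set -euo pipefail

#######################################
# Decide whether an exe link target marks a deleted executable.
# Arguments: $1 - link target as returned by readlink on /proc/<pid>/exe
# Returns:   0 if the target contains "(deleted)", 1 otherwise
#######################################
is_deleted_target() {
  [[ "$1" == *"(deleted)"* ]]
}

#######################################
# Print one report entry for a process with a deleted executable.
# Arguments: $1 - pid
#            $2 - full exe link target (path plus " (deleted)" marker)
# Outputs:   report lines on stdout
#######################################
report_process() {
  local pid=$1 target=$2 user cmdline
  # The process may have exited between the scan and this lookup; in that
  # case ps/tr fail and we still print the PID and target we already have.
  user=$(ps -o user= -p "$pid" 2>/dev/null || true)
  cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
  printf '⚠️ PID: %s USER: %s\n' "$pid" "$user"
  printf ' CMD : %s\n' "$cmdline"
  printf ' EXE : %s\n' "$target"
  printf '\n'
}

#######################################
# Walk every /proc/<pid>/exe link and report the deleted ones.
# Outputs:   banner, per-process entries and a summary on stdout
# Returns:   0 always (the summary line carries the verdict)
#######################################
main() {
  local exe target pid found=0
  echo "🔎 掃描系統所有被刪除但仍在執行的進程..."
  echo "------------------------------------------------"
  for exe in /proc/[0-9]*/exe; do
    # readlink yields the whole "/path/to/bin (deleted)" string (the old
    # `ls -l | awk '{print $NF}'` kept only "(deleted)" and lost the path).
    # It fails for kernel threads, for other users' processes when running
    # unprivileged, and for processes that exited mid-scan — skip those.
    target=$(readlink -- "$exe" 2>/dev/null) || continue
    is_deleted_target "$target" || continue
    # /proc/<pid>/exe -> <pid>, without spawning echo|grep.
    pid=${exe#/proc/}
    pid=${pid%/exe}
    report_process "$pid" "$target"
    found=1
  done
  if (( found == 0 )); then
    echo "✅ 沒有發現幽靈進程(deleted payload),系統目前無此類殘留。"
  else
    echo "⚡ 建議立即 kill 這些進程(例如:kill -9 <PID>),並徹查入侵途徑。"
  fi
}

main "$@"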