Find the location of a Linux Stealth Process

Having spawned processes with a [stealth] denomination is never a good sign – to find the actual path where the process originates from, we can use the following command:

ls -l /proc/<pid>/exe

You can also check out the directory using /proc/<pid>/cwd

These processes are never a good sign – consider your host compromised and do not trust it!


Thanks for reading! Please consider Buying me a Coffee or checking out Colibri!