
So, I have been working on a project for class, and I have half of it down, but the second half I have been googling and am unsure how to go about it. Here is the question: You suspect that there is a "bad" program (called “badprog”) that launches at odd times on your server and does nefarious things such as logging onto a remote machine via ssh/sftp and copying files off of your server. A) Write a script that does this (you need not schedule it, just run it in the background). B) Next, write a script to detect “badprog” and shut it down.

I have finished part A (pretty much just using the scp command), but I am unsure how to do part B. Any help would be appreciated! (I am using Linux Mint)

Overlord

3 Answers


If you're looking for whether a process is running, pgrep is probably your friend, and pkill as well. You can also look at the ps command and its myriad options.

pgrep badprog will give you the PID of any processes with the executable badprog

Eric Renouf

You can look up a PID for a process using pgrep badprog and you could shut it down using e.g.:

for pid in $(pgrep badprog); do
    kill -9 "$pid"
done

This will loop over every PID pgrep gives you and will send the signal SIGTERM (shutdown immediately) to the command.

Nidhoegger

This is a pretty complicated question. Can you assume that you would know the name of the "bad program"? If not, then you will need to identify all "bad" behaviors and create a function to test for them. Each function would probably use a different low-level command, like "ps -ef" for processes, and netstat for network connections.

John Rigler
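Pulling the three answers together, here is an added worked example (not code from the question or from any of the answers above): a POSIX sh script that finds every live process named badprog, prints its owner and full command line, sends SIGTERM, and falls back to SIGKILL only if the process is still there after a grace period. It reads /proc directly, which is what pgrep -x does under the hood, so it also shows where that information comes from; pkill -x badprog is the one-line equivalent of the name match alone. Note that kill -9 is SIGKILL, which the target cannot catch, so this script uses it as the last step rather than the first. The "badprog" stand-in it launches is constructed for the demo and only loops forever; it never touches ssh or scp. Name-based detection only works while the program keeps its name (John Rigler's point), and the printed command line is where you would hook in behaviour checks such as looking for scp/sftp/ssh arguments.

```shell
#!/bin/sh
# Added example: detect a process by executable name and shut it down.
# "badprog" is the name from the assignment; the stand-in built by
# make_demo_badprog is constructed for this demo and only loops forever.

# Print the PIDs of every live process whose name (/proc/PID/comm) is
# exactly $1. This is what `pgrep -x "$1"` does; reading /proc ourselves
# shows where the data comes from and needs no procps. comm is truncated
# to 15 characters, so the name you match on must be that short.
find_pids() {
    name=$1
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$pid" = "$$" ] && continue                     # never report ourselves
        read -r comm 2>/dev/null < "$d/comm" || continue  # process may have exited
        [ "$comm" = "$name" ] || continue
        # A zombie keeps its name but is already dead; skip it so a killed
        # process waiting to be reaped does not count as "still running".
        grep -q '^State:[[:space:]]*Z' "$d/status" 2>/dev/null && continue
        printf '%s\n' "$pid"
    done
}

# Show who owns the process and what it is really running (full command
# line), so the operator sees e.g. the scp invocation before killing it.
describe_pid() {
    p=$1
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$p/status" 2>/dev/null)
    cmd=$(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)
    printf 'pid=%s uid=%s cmd=%s\n' "$p" "${uid:-?}" "${cmd:-?}"
}

# Stop every process named $1: SIGTERM first, wait up to $2 seconds for a
# clean exit, then SIGKILL (cannot be caught or ignored) anything left.
# Returns 0 when nothing by that name remains, 1 otherwise.
stop_pids() {
    name=$1
    grace=${2:-5}
    pids=$(find_pids "$name")
    [ -z "$pids" ] && return 0
    for pid in $pids; do
        describe_pid "$pid"
        kill -TERM "$pid" 2>/dev/null || true
    done
    i=0
    while [ "$i" -lt "$grace" ]; do
        [ -z "$(find_pids "$name")" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    for pid in $(find_pids "$name"); do
        echo "pid $pid ignored SIGTERM, sending SIGKILL"
        kill -KILL "$pid" 2>/dev/null || true
    done
    sleep 1
    [ -z "$(find_pids "$name")" ]
}

# Constructed stand-in for part A's badprog: an executable named "badprog"
# that just loops, so this demo never touches ssh or scp.
make_demo_badprog() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nwhile :; do sleep 1; done\n' > "$dir/badprog"
    chmod +x "$dir/badprog"
    printf '%s\n' "$dir/badprog"
}

demo() {
    prog=$(make_demo_badprog)
    "$prog" &                          # run it in the background, as part A asks
    sleep 1                            # let it exec so /proc shows its name
    echo "detected badprog pid(s): $(find_pids badprog | tr '\n' ' ')"
    if stop_pids badprog 3; then echo "badprog is gone"; else echo "badprog survived" >&2; fi
    wait 2>/dev/null
    rm -rf "$(dirname "$prog")"
}

demo
```

Run it as the user who owns badprog (or as root to cover every user); kill fails silently for processes you are not allowed to signal, and the final check will then report that the name is still present. To turn it into the detector the assignment asks for, drop the demo call and run stop_pids badprog from cron or a loop with sleep.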