

check_phantom1.pl
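#!/usr/bin/perl
################################################################################
#
# Module:       check_phantom1.pl
# Description:  Check Unix for phantom processes
# Designed for: HP/UX
#
# Change Log
#
# Date        Person         Description
#
# 05/23/2001  Peter Schmidt  Prepare program for general use
#
################################################################################
#
# Runs "/bin/ps -elf" and reports every process that
#   - has no controlling terminal (TTY column is "?"),
#   - is not owned by root,
#   - is not the Informix engine ("oninit" / "oninit -v"), and
#   - has used more than $min_var minutes of CPU time.
# The matching processes are mailed to $maildest through $mail_cmd.
#
# Needs Perl 5.8 or later (list-form pipe open).
#
################################################################################
use strict;
use warnings;
use Sys::Hostname;

my $maildest = "sysadmin";
my $mailfrom = "sysadmin";
my $mail_cmd = "/usr/lib/sendmail -t";
my $min_var  = 9;                       # CPU-minute threshold

# Known "ps -elf" line layouts, tried in this order; the first match wins.
# Each entry is [ form number, TTY captured?, pattern ].  Patterns capture
# user, pid, ppid, nice, (tty,) time, process.  When the TTY is not captured
# the pattern itself requires a literal "?" in that column.
#
# Form 3 of the original script is not listed: it was the form-2 pattern with
# "^\s+" in front, tested against the unstripped line, so every line it could
# match had already been taken by form 2 (which is unanchored).  Its sample:
#   3 S root 2 0 0 128 20 2392c80 0 41f448 Jun 8 ? 1:03 vhand
# Forms 1 and 2 are unanchored, as in the original.
my @ps_forms = (
    # 1 Z root 25490 1143 0 178 20 32cf800 0 - Jun 11 ? 0:00 <defunct>
    [ 1, 0, qr/\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\w+\s+\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 141 S root 1 0 0 168 20 27a1800 81 7ffe6000 Jun 8 ? 0:12 init
    [ 2, 0, qr/\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 3 S root 7 0 0 -32 20 27a1580 0 41bcf4 Jun 8 ? 55:29 ttisr
    [ 4, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\-\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S informix 1353 1312 8 -16 20 4e47800 741 4dfac00 19:39:12 ? 7:34 oninit
    [ 5, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\-\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\d+\:\d+\:\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R informix 15729 1 242 -16 20 2e22c80 822 - Jun 30 ? 3777:47 oninit
    [ 6, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\-\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\w+\s+\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R informix 1353 1312 1 -16 20 4e47800 776 - 19:39:12 ? 9:00 oninit
    [ 7, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\-\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\d+\:\d+\:\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S root 470 101 0 154 20 bd1dc0 16 2e4450 10:24:23 ttyq0 0:00 telnetd -b /etc/issue
    [ 8, 1, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\d+\:\d+\:\d+\s+(\w+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S root 509 1 0 156 20 b43740 20 9da630 Dec 1 tty1p0 0:00 /etc/getty -h tty1p0 19200
    [ 9, 1, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+(\w+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S root 24682 24672 0 158 20 c0eb00 97 7d3b40 20:00:01 ? 0:00 /sysa/crck.proc /sysa/crck.proc
    [ 10, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\d+\:\d+\:\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R mal 13495 13494 204 249 30 3295280 87 - 15:33:28 ? 49:24 vi TEMP.a13347
    [ 11, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\d+\:\d+\:\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R root 9025 9024 8 180 20 2cc2300 29 - 11:50:10 ttyq2 0:00 /bin/ps -elf
    [ 12, 1, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\d+\:\d+\:\d+\s+(\w+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 21 T root 20309 6222 0 179 20 30c5d80 504 - Jun 12 ttyp8 0:00 emacs test
    [ 13, 1, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\w+\s+\d+\s+(\w+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R sda 23585 23536 0 178 20 5080700 13 - Jul 20 pts/0 2:00 tail -f /elite/work/logs/online.log
    [ 14, 1, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\w+\s+\d+\s+(\w+\/\d+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R sda 833 794 0 168 20 5594900 13 - 08:46:31 pts/0 0:01 tail -f /elite/work/logs/online.log
    [ 15, 1, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\d+\:\d+\:\d+\s+(\w+\/\d+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S root 6722 690 0 154 20 30ff100 8 41ebc4 Jun 9 pts/0 0:01 rlogind
    [ 16, 1, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+(\w+\/\d+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S sda 23536 23534 0 158 20 4cfef00 118 25e9e00 18:18:19 pts/0 0:00 -sh
    [ 17, 1, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\d+\:\d+\:\d+\s+(\w+\/\d+)\s+(\d+\:\d+)\s+(.*)/ ],
);

# Match one ps line (leading whitespace already removed) against @ps_forms.
# Returns a hash ref with keys user, pid, ppid, nice, tty, time, process and
# form_type (the number of the layout that matched), or nothing when no
# layout matches.
sub parse_ps_line {
    my ($line) = @_;

    for my $form (@ps_forms) {
        my ($form_type, $has_tty, $pattern) = @{$form};
        my @field = $line =~ $pattern;
        next unless @field;

        my ($user, $pid, $ppid, $nice) = splice @field, 0, 4;
        my $tty = $has_tty ? shift @field : '?';
        my ($time, $process) = @field;

        return {
            user      => $user,
            pid       => $pid,
            ppid      => $ppid,
            nice      => $nice,
            tty       => $tty,
            time      => $time,
            process   => $process,
            form_type => $form_type,
        };
    }
    return;
}

my @runaway;

# List-form open: ps is executed directly, no shell is involved.
open(my $ps, '-|', '/bin/ps', '-elf')
    or die "cannot run /bin/ps -elf: $!\n";

while (my $raw = <$ps>) {
    chomp $raw;
    (my $line = $raw) =~ s/^\s+//;
    next if $line =~ /^F/;              # column-header line

    my $proc = parse_ps_line($line);
    if (!$proc) {
        print "unknown pattern\n$raw\n";
        # Skip the threshold test.  The original fell through here and
        # re-tested the fields left over from the previous line, so one
        # process could be reported again for every unparsed line after it.
        next;
    }

    # time contains # of CPU minutes:seconds; keep just the minutes.
    my ($min) = split /:/, $proc->{time};

    if (   $min > $min_var                      # minutes > threshold
        && $proc->{user}    ne 'root'           # not root
        && $proc->{process} ne 'oninit'         # not Informix engine
        && $proc->{process} ne 'oninit -v'      # not Informix engine
        && $proc->{tty}     eq '?')             # no controlling terminal
    {
        # Records are kept as structures rather than comma-joined strings,
        # so a command line that contains a comma is reported in full.
        push @runaway, $proc;
    }
}

# A failed ps would otherwise look the same as "nothing to report".
close($ps)
    or warn "/bin/ps -elf did not finish cleanly (status $?)\n";

if (@runaway) {
    my @mail_argv = split ' ', $mail_cmd;
    open(my $mail, '|-', @mail_argv)
        or die "cannot run $mail_cmd: $!\n";

    my $host = hostname();

    print {$mail} "To: $maildest\n";
    print {$mail} "From: <$mailfrom>\n";
    print {$mail} "Subject: Possible runaway process on $host\n";
    # End of headers.  Without this empty line the indented report lines are
    # read as a continuation of the Subject header; "sendmail -t" also takes
    # its recipients from the header block, so process names (which any local
    # user can set for their own processes) must only appear after it.
    print {$mail} "\n";

    # 'Nice' was printed with %3d in the original, which rendered it as 0.
    printf {$mail} "%10s %5s %5s %4s %5s %7s %-20s\n",
        'user', 'PID', 'PPID', 'Nice', 'TTY', 'time', 'process';

    for my $proc (@runaway) {
        printf {$mail} "%10s %5d %5d %4d %5s %7s %-20s\n",
            @{$proc}{qw(user pid ppid nice tty time process)};
    }

    close($mail)
        or warn "$mail_cmd did not finish cleanly (status $?)\n";
}
###############################################################################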