[CentOS] Peculiar process name in /proc

Mon Aug 5 12:44:27 UTC 2019
John Horne <john.horne at plymouth.ac.uk>

On Mon, 2019-08-05 at 13:06 +0100, Giles Coochey wrote:
> On 05/08/2019 12:56, John Horne wrote:
> > Hello,
> >
> > I was looking at a process through the '/proc' file system, and came across
> > a process name which seemed to contain a hex value:
> >
> > lrwxrwxrwx. 1 xymon xymon 0 Aug  2 14:07 /proc/58032/exe ->
> > /usr/sbin/xymond;5d44410e (deleted)
> >
> > I am aware of what the 'deleted' part means, but have no idea what the
> > ';5d44410e' part means. Is this some sort of thread reference?
> > The file '/usr/sbin/xymond' does exist and is running as a daemon.
> >
> > Anyone know what the ';5d44410e' is referring to? I have tried Googling
> > about this, but found no mention of it.
> >
> >
> I am not absolutely sure, but is it saying that /usr/sbin/xymond was
> deleted, but was located at that inode reference on the disk?
The hex number is quite large, and too big I suspect for the number of inodes
allowed on the partition.

> I know you say it exists, but perhaps it was deleted since running and
> then re-created? or perhaps it is a self-modifying executable?
I was going to say no to both of these, however the RPM package ('xymon') was
itself updated at around the time mentioned on Aug 02.
The hex number is equivalent to 1564754190 in decimal which, as an epoch time,
is '2019-08-02 14:56:30'. So it might be possible that '/usr/sbin/xymond' was
replaced and the hex number just indicates the time that occurred.

The downside is that the package update was a bit earlier than 14:56 though, so
the numbers don't seem to quite match up. Secondly, the whole xymon process was
restarted, but the server itself not rebooted, so I would expect all the
processes to be using the new executables rather than an older/deleted one. (I
am a little loath to restart the service at the moment as I may well lose the
info currently in '/proc/.../exe'.)


John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK

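Added example, not part of the original message: a Python sketch that splits a `/proc/<pid>/exe` link target like the one quoted above into its path, the `;hex` suffix and the `(deleted)` marker, and lists processes still running from an unlinked binary. Reading the suffix as a hex Unix epoch time is the hypothesis raised in the message, not a confirmed fact, and the function names are hypothetical.

```python
import os
import re
from datetime import datetime, timezone

# Layout seen in the message: <path>[;<8 hex digits>][ (deleted)]
_TARGET = re.compile(
    r"^(?P<path>.*?)(?:;(?P<hex>[0-9a-fA-F]{8}))?(?P<deleted> \(deleted\))?$",
    re.DOTALL,
)


def parse_exe_target(target):
    """Split an exe link target into its path, suffix and deleted marker."""
    m = _TARGET.match(target)
    suffix = m.group("hex")
    when = None
    if suffix is not None:
        # Assumption: the suffix is seconds since the Unix epoch, in hex.
        when = datetime.fromtimestamp(int(suffix, 16), tz=timezone.utc)
    return {
        "path": m.group("path"),
        "suffix": suffix,
        "suffix_utc": when,
        "deleted": m.group("deleted") is not None,
    }


def scan_deleted(proc_root="/proc"):
    """Return (pid, parsed target) for every process whose binary is unlinked."""
    found = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or not permitted
        info = parse_exe_target(target)
        if info["deleted"]:
            # True when some file exists at that path now (e.g. a replacement).
            info["path_exists_now"] = os.path.exists(info["path"])
            found.append((int(entry), info))
    return found


if __name__ == "__main__":
    for pid, info in scan_deleted():
        print(pid, info["path"], info["suffix_utc"], info["path_exists_now"])
```

The decoded time is reported in UTC; for the suffix in the message that is 13:56:30 on 2019-08-02, which is the 14:56:30 quoted above in UK local time (BST).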