umount: device is busy
Neil Schelly
neil at jenandneil.com
Thu Jan 19 14:00:00 EST 2006
A little off-topic, but searches like this are also great for forensics after
a system breach. Any decent rootkit will change a lot of common utilities
like ls, top, lsof, etc to hide the processes that someone would want to
hide. Grepping around proc though, you can find a lot of stuff that might
otherwise be hidden.
-N
On Thursday 19 January 2006 01:41 pm, Michael ODonnell wrote:
> I believe it's sometimes possible (when lsof and friends can't
> figure out who's got a particular device or mount point busy)
> to find the culprit with an approach something like this:
>
> find /proc/[0-9]* | xargs -l20 ls -aFdl 2>/dev/null | grep itemOfInterest
>
>
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
More information about the gnhlug-discuss
mailing list