###############################################################################
#!/usr/bin/perl
################################################################################
#
# Module: check_phantom1.sh
# Description: Check Unix for phantom processes
# Designed for: HP/UX
#
# Change Log
#
# Date Person Description
#
# 05/23/2001 Peter Schmidt Prepare program for general use
#
################################################################################
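use strict;
use Sys::Hostname;

# Purpose: scan `ps -elf` output for detached processes (tty "?") that are
# not owned by root, are not the Informix engine, and have used more than
# $min_var minutes of CPU; mail the list to $maildest if any are found.

# ---- Site configuration ----------------------------------------------------
my $maildest = "sysadmin";              # recipient of the report
my $mailfrom = "sysadmin";              # From: address of the report
my $mail_cmd = "/usr/lib/sendmail -t";  # -t: recipients are read from the headers
my $min_var  = 9;                       # report when CPU minutes exceed this

# ---- Known `ps -elf` line layouts --------------------------------------------
# Each entry is [ form number, match-raw-line flag, pattern ].  Patterns are
# tried in this order and the first match wins, exactly as the original
# if/elsif chain did.  A pattern with six captures yields
# (user, pid, ppid, nice, time, process) and implies tty "?"; one with seven
# captures also yields the tty between nice and time.  The form number is
# kept only to tie each pattern to its sample line when debugging.
my @ps_forms = (
    # 1 Z root 25490 1143 0 178 20 32cf800 0 - Jun 11 ? 0:00
    [  1, 0, qr/\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\w+\s+\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 141 S root 1 0 0 168 20 27a1800 81 7ffe6000 Jun 8 ? 0:12 init
    [  2, 0, qr/\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 3 S root 2 0 0 128 20 2392c80 0 41f448 Jun 8 ? 1:03 vhand
    # (the only form matched against the raw line, leading blanks included)
    [  3, 1, qr/^\s+\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 3 S root 7 0 0 -32 20 27a1580 0 41bcf4 Jun 8 ? 55:29 ttisr
    [  4, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\-\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S informix 1353 1312 8 -16 20 4e47800 741 4dfac00 19:39:12 ? 7:34 oninit
    [  5, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\-\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\d+\:\d+\:\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R informix 15729 1 242 -16 20 2e22c80 822 - Jun 30 ? 3777:47 oninit
    [  6, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\-\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\w+\s+\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R informix 1353 1312 1 -16 20 4e47800 776 - 19:39:12 ? 9:00 oninit
    [  7, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\-\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\d+\:\d+\:\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S root 470 101 0 154 20 bd1dc0 16 2e4450 10:24:23 ttyq0 0:00 telnetd -b /etc/issue
    [  8, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\d+\:\d+\:\d+\s+(\w+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S root 509 1 0 156 20 b43740 20 9da630 Dec 1 tty1p0 0:00 /etc/getty -h tty1p0 19200
    [  9, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+(\w+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S root 24682 24672 0 158 20 c0eb00 97 7d3b40 20:00:01 ? 0:00 /sysa/crck.proc /sysa/crck.proc
    [ 10, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\d+\:\d+\:\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R mal 13495 13494 204 249 30 3295280 87 - 15:33:28 ? 49:24 vi TEMP.a13347
    [ 11, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\d+\:\d+\:\d+\s+\?\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R root 9025 9024 8 180 20 2cc2300 29 - 11:50:10 ttyq2 0:00 /bin/ps -elf
    [ 12, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\d+\:\d+\:\d+\s+(\w+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 21 T root 20309 6222 0 179 20 30c5d80 504 - Jun 12 ttyp8 0:00 emacs test
    [ 13, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\w+\s+\d+\s+(\w+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R sda 23585 23536 0 178 20 5080700 13 - Jul 20 pts/0 2:00 tail -f /elite/work/logs/online.log
    [ 14, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\w+\s+\d+\s+(\w+\/\d+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 R sda 833 794 0 168 20 5594900 13 - 08:46:31 pts/0 0:01 tail -f /elite/work/logs/online.log
    [ 15, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\-\s+\d+\:\d+\:\d+\s+(\w+\/\d+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S root 6722 690 0 154 20 30ff100 8 41ebc4 Jun 9 pts/0 0:01 rlogind
    [ 16, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+(\w+\/\d+)\s+(\d+\:\d+)\s+(.*)/ ],
    # 1 S sda 23536 23534 0 158 20 4cfef00 118 25e9e00 18:18:19 pts/0 0:00 -sh
    [ 17, 0, qr/^\d+\s+\w+\s+(\w+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\w+\s+\d+\s+\w+\s+\d+\:\d+\:\d+\s+(\w+\/\d+)\s+(\d+\:\d+)\s+(.*)/ ],
);

# ---- Collect candidate processes ---------------------------------------------
# The command is a fixed string; nothing external is interpolated into it.
open(my $ps, '-|', '/bin/ps -elf') or die "cannot run /bin/ps -elf: $!\n";

my @runaway;    # one array ref per suspect: [user,pid,ppid,nice,tty,time,process]

LINE: while (my $raw = <$ps>) {
    chomp $raw;
    (my $line = $raw) =~ s/^\s+(.*)/$1/;    # drop leading blanks
    next LINE if $line =~ /^F/;             # skip the column-header line

    my @field;
    FORM: for my $form (@ps_forms) {
        my ($form_type, $use_raw, $re) = @$form;
        @field = ($use_raw ? $raw : $line) =~ $re;
        last FORM if @field;
    }

    unless (@field) {
        print "unknown pattern\n$raw\n";
        # Skip the line: falling through would re-test the values parsed
        # from the previous line and could report that process again.
        next LINE;
    }

    my ($user, $pid, $ppid, $nice, $tty, $time, $process) =
        @field == 7 ? @field
                    : (@field[0 .. 3], '?', @field[4, 5]);

    # time contains # of CPU minutes:seconds; compare on the minutes only.
    my ($min) = split /:/, $time;

    # NOTE(review): the Informix exemption keys on the command text alone,
    # which is chosen by whoever started the process.  Consider also
    # requiring the expected service account (the samples above show user
    # "informix") so that a process merely named "oninit" is still reported.
    if (   $min > $min_var                  # minutes > threshold
        && $user ne 'root'                  # not root
        && $process ne 'oninit'             # not Informix engine
        && $process ne 'oninit -v'          # not Informix engine
        && $tty eq '?') {                   # no controlling terminal
        # Keep the fields as a list: a comma-joined string would be split
        # wrongly when the command line itself contains a comma.
        push @runaway, [ $user, $pid, $ppid, $nice, $tty, $time, $process ];
    }
}
close($ps) or warn "/bin/ps -elf did not exit cleanly (status $?)\n";

# ---- Mail the report ---------------------------------------------------------
if (@runaway) {
    # Sys::Hostname avoids running `hostname` through a PATH lookup.
    my $host = eval { hostname() } || 'unknown host';

    open(my $mail, '|-', $mail_cmd) or die "cannot run $mail_cmd: $!\n";
    print {$mail} "To: $maildest\n";
    print {$mail} "From: <$mailfrom>\n";
    print {$mail} "Subject: Possible runaway process on $host\n";
    # Blank line ends the header section.  Without it the indented report
    # lines are read as a continuation of the Subject header, which puts
    # user-controlled command text into the message headers.
    print {$mail} "\n";
    printf {$mail} "%10s %5s %5s %4s %5s %7s %-20s\n",
        'user', 'PID', 'PPID', 'Nice', 'TTY', 'time', 'process';
    for my $suspect (@runaway) {
        my ($user, $pid, $ppid, $nice, $tty, $time, $process) = @$suspect;
        # Command lines are set by arbitrary local users; neutralise control
        # characters so they cannot reach the reader's terminal.
        $process =~ tr/\x00-\x1f\x7f/?/;
        printf {$mail} "%10s %5d %5d %4d %5s %7s %-20s\n",
            $user, $pid, $ppid, $nice, $tty, $time, $process;
    }
    close($mail) or die "$mail_cmd failed (status $?)\n";
}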
###############################################################################