> From: "Dan Kaminsky" <dankamin at cisco.com>
>
> $ ps -ef | grep sshd
> root 285 1 0 Nov 15 ? 0:03 /usr/local/sbin/sshd
> root 23740 285 0 16:13:18 ? 0:00 /usr/local/sbin/sshd
> root 23875 285 0 16:28:14 ? 0:00 /usr/local/sbin/sshd
> user 23905 23899 0 16:28:31 pts/3 0:00 grep sshd
> $ ls /usr/local/sbin
> /usr/local/sbin: No such file or directory
> $ date
> Wed Mar 21 16:28:50 PST 2001
> $ telnet 127.0.0.1 22
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_2.2.0p1
>
> [Explanation: Unix loads executables into system memory before running
> them, so once the process is started--even if it'll eventually fork--the
> original executable on the file system can be safely modified or destroyed
> without existing processes or daemons even noticing. There is no time limit
> to how long a process or a daemon can run straight from memory, and in this
> case, up to five months went by without any binary existing on the file
> system.
Explanation 2:
UNIX doesn't unmap inodes until all references to them are gone. "rm" a file,
but something still has it open, and the directory entry is gone, but the file
isn't.
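
The behaviour described in this thread, as an added example that is not part of the original messages: the first function shows an unlinked file staying readable through an open descriptor, and the second lists processes whose executable has been unlinked. The second part assumes Linux, where the kernel appends " (deleted)" to the /proc/<pid>/exe link target; the function names are hypothetical.

```python
import os
import tempfile

def unlinked_file_survives():
    """Open a file, unlink it, then read it back through the still-open fd."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"still here")
        os.unlink(path)                    # directory entry removed
        gone = not os.path.exists(path)    # no name points at the inode now
        nlink = os.fstat(fd).st_nlink      # link count 0, inode still allocated
        os.lseek(fd, 0, os.SEEK_SET)
        data = os.read(fd, 64)             # contents are still readable
        return gone, nlink, data
    finally:
        os.close(fd)                       # last reference dropped, inode freed

def is_deleted_exe(link_target):
    """Assumption: Linux marks an unlinked binary with a ' (deleted)' suffix."""
    return link_target.endswith(" (deleted)")

def find_deleted_exe_processes(proc="/proc"):
    """Return sorted (pid, exe link target) pairs for unlinked executables."""
    if not os.path.isdir(proc):
        return []                          # no procfs at this path
    hits = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue                       # not a per-process directory
        try:
            target = os.readlink(os.path.join(proc, name, "exe"))
        except OSError:
            continue                       # kernel thread, exited, or no access
        if is_deleted_exe(target):
            hits.append((int(name), target))
    return sorted(hits)

if __name__ == "__main__":
    print(unlinked_file_survives())
    for pid, target in find_deleted_exe_processes():
        print(pid, target)
```

A hit is not proof of tampering, since a package upgrade that replaces a running daemon's binary produces the same marker until the daemon is restarted.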