Find the PID of the process
$ ps aux | grep <process-name>
Find the current working directory of process 1213
$ pwdx 1213
1213: /tmp/.abc
This looks like someone trying to hide the process directory. You can then check it with:
$ ls -l /proc/1213/cwd
lrwxrwxrwx 1 root root 0 Nov 20 04:35 /proc/1213/cwd -> /var/spool/mqueue
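To run the same check across every process instead of a single PID, here is an added example (not part of the original tip). It reads each /proc/<pid>/cwd link and flags working directories that contain a dot-directory, sit under /tmp, /var/tmp or /dev/shm, or were deleted after the process started; the function names and the list of flagged locations are assumptions, and each hit is a lead to review, not a verdict.

```shell
#!/bin/sh
# Added example: flag processes whose working directory looks hidden.
# Usage: source this file as root, then run: scan_cwds

# is_suspicious_cwd PATH
# Returns 0 when PATH matches one of the (assumed) heuristics below.
is_suspicious_cwd() {
    case "$1" in
        # The kernel appends " (deleted)" when the directory was removed
        # while the process was still running in it.
        *" (deleted)") return 0 ;;
        # Any path component starting with a dot, e.g. /tmp/.abc
        */.*) return 0 ;;
        # World-writable scratch areas
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) return 0 ;;
    esac
    return 1
}

# scan_cwds [PROC_ROOT]
# Prints "PID<TAB>CWD" for every flagged process. PROC_ROOT defaults to
# /proc; it is a parameter so a copied tree can be examined as well.
# The body runs in a subshell so its variables do not leak to the caller.
scan_cwds() (
    root="${1:-/proc}"
    for link in "$root"/[0-9]*/cwd; do
        # readlink fails for processes that exited or that we may not
        # inspect without root; skip those quietly.
        cwd=$(readlink "$link" 2>/dev/null) || continue
        pid=${link%/cwd}
        pid=${pid##*/}
        if is_suspicious_cwd "$cwd"; then
            printf '%s\t%s\n' "$pid" "$cwd"
        fi
    done
)
```

Run it as root, since the cwd links of other users' processes are not readable otherwise.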
- Security Tip: Finding working directory of Process - November 20, 2007