If your find supports -ls and there is some deleted exectutable running, then this command
sudo find /proc -name exe ! -path "*/task/*" -ls 2>/dev/null | grep ' (deleted)$'will probably generate a line that ends like this example:
… /proc/9956/exe -> /path/to/executable\ (deleted)This means the process with PID 9956 is executing /path/to/executable which is now deleted.
Notes:
-lsis not required by POSIX. Yourfindmay or may not support it, or it may support it but generate output in a different format.- An existing running executable named
anything (deleted)will generate a false positive.