
I just mentioned that one user starts a process which is called "httpd".

31712 ftp_johndoe  20   0 35988  8828  1460 S 14.0  0.0  1h50:31 httpd
28616 ftp_johndoe  20   0 5304M 43936 35080 S  4.0  0.2  0:02.72 /usr/bin/php5-cgi -c /var/www/vhosts/system/johndoe.net/etc/php.ini
31711 ftp_johndoe  20   0 35808  8608  1460 S  1.0  0.0  1h51:15 httpd

Well, I wondered why the process is called "httpd", because on Debian, Apache starts no processes called "httpd".

If I lsof it, I get the following results:

httpd     28868            ftp_johndoe  txt       REG              253,0     10456   12335127 /usr/bin/perl
httpd     28868            ftp_johndoe  mem       REG              253,0     22952   12335108 /usr/lib/perl/5.14.2/auto/File/Glob/Glob.so
httpd     28868            ftp_johndoe  mem       REG              253,0    109888   12335102 /usr/lib/perl/5.14.2/auto/POSIX/POSIX.so
httpd     28868            ftp_johndoe  mem       REG              253,0     18672   12335109 /usr/lib/perl/5.14.2/auto/Fcntl/Fcntl.so
httpd     28868            ftp_johndoe  mem       REG              253,0     39256   12980353 /usr/lib/perl5/auto/Socket/Socket.so
httpd     31712            ftp_johndoe   63u     IPv4          520937935       0t0        TCP server.name.com:38504->64.233.165.26:smtp (ESTABLISHED)
httpd     31712            ftp_johndoe   67u     IPv4          520937969       0t0        TCP server.name.com:38536->64.233.165.26:smtp (ESTABLISHED)
httpd     31712            ftp_johndoe   73u     IPv4          520937951       0t0        TCP server.name.com:38520->64.233.165.26:smtp (ESTABLISHED)

So I guess this is malware. But how can I find the script that starts the httpd process?

MyFault

1 Answer


You can start finding the executable using

ls -l /proc/<PID>/exe

Then you can find who created it (the parent PID) with

ps -p <PID> -o ppid=

And search until you find the starting point.

You can also check the common automatic execution points, like init scripts, global and user-specific cron jobs, at scripts, and rc.local files.

UPDATE: I was just reminded of a program called snoopy:

Snoopy is a tiny library that logs all executed commands (+ arguments) on your system.

It could be very useful for checking command execution.

This is not a complete solution; I'm aware there are simple ways to circumvent this. Hopefully someone with more experience than me will be more helpful.

ColOfAbRiX
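As an added example (not part of the answer above), a small POSIX shell script that automates the walk the answer describes: starting from a PID it prints each ancestor's executable (via /proc/<PID>/exe) and command line until it reaches init or a parent that no longer exists. It reads PPid from /proc/<PID>/status instead of calling ps, so it also runs on minimal systems; that field holds the same value `ps -p <PID> -o ppid=` prints.

```sh
#!/bin/sh
# Walk the parent chain of a process: for every ancestor print its
# PID, parent PID, the executable behind /proc/<pid>/exe and its
# argv, until init (PID 1) or a parent that no longer exists.
# Added example: PPid is read from /proc/<pid>/status, which holds
# the same value that "ps -p <PID> -o ppid=" prints.

# ppid_of PID: print the parent PID; prints nothing if PID is gone.
ppid_of() {
    [ -r "/proc/$1/status" ] || return 0
    while read -r key val; do
        if [ "$key" = "PPid:" ]; then echo "$val"; return 0; fi
    done < "/proc/$1/status"
}

# exe_of PID: resolved executable path. readlink appends
# " (deleted)" when the binary was unlinked after it started,
# a frequent sign of a payload removed after launch; "?" if unreadable.
exe_of() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "?"
}

# cmdline_of PID: argv as one line (NUL separators become spaces).
cmdline_of() {
    [ -r "/proc/$1/cmdline" ] && tr '\0' ' ' < "/proc/$1/cmdline"
    return 0
}

# walk_parents PID: one tab-separated line "pid ppid exe cmdline"
# per ancestor, starting at PID. Stops at PID 1, at a parent in
# another PID namespace (PPid 0) or at a parent that has exited.
walk_parents() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        ppid=$(ppid_of "$pid")
        printf '%s\t%s\t%s\t%s\n' "$pid" "${ppid:-?}" \
            "$(exe_of "$pid")" "$(cmdline_of "$pid")"
        [ "$pid" -eq 1 ] && break
        pid=$ppid
    done
    return 0
}

walk_parents "${1:-$$}"
```

Run it as `sh walk.sh 31712` (the PID from the top output above); the chain ends at the shell, cron, or web server that launched the process, which is where to look for the script.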