0

I have a web server, due to an outdated Wordpress some hacker uploaded a webshell. Throught it, he launched a process but the ps command is not showing any name for the process:

root@serv ~ # ps aux|grep  " 326 "
us432   326  0.0  0.0  25032  4476 ?        S    Aug27   0:16       
root     3334  0.0  0.0  16656  2092 pts/2    S+   14:58   0:00 grep  326

Due to that fact I couldn't discover the problem until today.

The server OS is Debian 8, with Apache and PHP 7. The website is running under a non-privileged user.

I've search how to launch a process without name or how can I delete it's name during the execution but I didn't find anything.

Does anyone know how is this possible?

Thanks in advanced.

irusu2
  • 1
  • 2
    https://unix.stackexchange.com/questions/167490/how-can-a-process-appear-to-have-different-name-in-ps-output – Sven Sep 13 '18 at 15:16
  • 1
    while the duplicate link above wont directly help you it might help you prevent the issue the next time. additionally for your question itself this might help you understand how a process is named in linux, where you get the info from px aux etc, so you can check yourself what the process is. https://stackoverflow.com/questions/16165667/change-process-name-without-changing-argv0-in-linux – Dennis Nolte Sep 13 '18 at 15:17
  • Thanks for your responses, now I see how I can launch this kind of processes and therefore think in something to detect them. Regards. – irusu2 Sep 13 '18 at 15:46

1 Answers1

2

First, a suggestion: since you know the PID, use ps -p to list a specific PID. My standard, goto command is ps -fp <pid>.

I'm guessing the executable's name is made up of unprintable characters, just to make it hard to find or manipulate. (All characters are valid in file names on *nix; some of them are just hard to properly escape.) To display those hidden characters, try ps -fp 326 | cat -vet. I use the pneumonic device "take my cat to the vet" to remember those flags which display all unprintable characters. The same trick can be used with, for example, ls output to discover that the name of the file you can't delete ends with a tab character.

A. Ford
  • 21
  • 3
  • I didn't think about using those parameters of cat to check if the executable's name had unprintable characters. I will have it in account if the problem returns, thanks! – irusu2 Sep 14 '18 at 17:51