0

I have a web server, due to an outdated Wordpress some hacker uploaded a webshell. Throught it, he launched a process but the ps command is not showing any name for the process:

root@serv ~ # ps aux|grep  " 326 "
us432   326  0.0  0.0  25032  4476 ?        S    Aug27   0:16       
root     3334  0.0  0.0  16656  2092 pts/2    S+   14:58   0:00 grep  326

Due to that fact I couldn't discover the problem until today.

The server OS is Debian 8, with Apache and PHP 7. The website is running under a non-privileged user.

I've search how to launch a process without name or how can I delete it's name during the execution but I didn't find anything.

Does anyone know how is this possible?

Thanks in advanced.

irusu2
  • 1

1 Answers1

2

First, a suggestion: since you know the PID, use ps -p to list a specific PID. My standard, goto command is ps -fp <pid>.

I'm guessing the executable's name is made up of unprintable characters, just to make it hard to find or manipulate. (All characters are valid in file names on *nix; some of them are just hard to properly escape.) To display those hidden characters, try ps -fp 326 | cat -vet. I use the pneumonic device "take my cat to the vet" to remember those flags which display all unprintable characters. The same trick can be used with, for example, ls output to discover that the name of the file you can't delete ends with a tab character.

A. Ford
  • 21