Lost in the Future <j...@somewhere.org> wrote:
>> List of malicious processes:
>> ===============================
>>> wwwrun 56545 0.0 0.0 23012 4204 ? S Apr26 00:05:13 /usr/local/apache/bin/httpd -DSSL
>> [ ... ]
>>> Is wwwrun a user on my machine?
To answer your questions about that sort of stuff, we'd probably need a
bit more info about your setup, such as which OS you are running
(distro, version etc.).
To check if you have a user named wwwrun on your server, look in the
/etc/passwd file. A usual place to hide malware on a *nix system is to
have it either completely located in or called from the crontab of some
user. So also check the stuff found under the /var/cron/ directory.
> It's a virtual server. It could even be that it's running on some giant
> piece of hardware somewhere, with hundreds of others.
Your hosting provider can figure out from what VM the traffic originated.
> The ISP doesn't have an "account" but "plesk" is apparently the
> virtualization software, which apparently gives them considerable access
Plesk is an interesting choice for a hypervisor, especially since it
by default only includes Docker. I'd have expected it to run on
libvirt/KVM or Xen, or maybe VMware.
--
Johannes
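
The two checks suggested in the reply above (the account lookup in /etc/passwd and the per-user crontab review), as an added example that is not part of the original post. The function names `account_info` and `cron_entries` are hypothetical, and the cron directory is a parameter that defaults to the /var/cron path named in the post; pass your own system's crontab spool directory if it differs.

```shell
#!/bin/sh
# Added example: audit one account name against a passwd file and a cron
# spool directory. Function names and default paths are assumptions.

# account_info USER [PASSWD_FILE]
# Prints "uid=<uid> home=<home> shell=<shell>" and returns 0 if USER exists,
# returns 1 otherwise. The match is exact on field 1, so "www" does not
# match "wwwrun".
account_info() {
    awk -F: -v u="$1" '
        $1 == u { printf "uid=%s home=%s shell=%s\n", $3, $6, $7; found = 1 }
        END { exit found ? 0 : 1 }
    ' "${2:-/etc/passwd}"
}

# cron_entries USER [CRON_DIR]
# Prints every active (non-blank, non-comment) line of each crontab file
# named USER found anywhere under CRON_DIR, prefixed with the file path so
# the entry can be traced back to where it lives.
cron_entries() {
    find "${2:-/var/cron}" -type f -name "$1" 2>/dev/null |
    while IFS= read -r tab; do
        awk -v f="$tab" '!/^[ \t]*(#|$)/ { print f ": " $0 }' "$tab"
    done
}

# Typical use, run as root so other users' crontabs are readable:
#   account_info wwwrun && cron_entries wwwrun
```

An account that exists with a login shell, or one that owns cron entries nobody remembers creating, is the thing to follow up on.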