
Processes with arrows are from the same cPanel account, let's say "charlie".

This account was under the control of a client.

Last week this server got blacklisted for email because the client ran some Perl script to send spam emails (the first two processes).

The first two processes had the same PID all the time, so we killed the processes and the spam emails stopped and never started again.

But the PID of the last process with an arrow changes all the time.

There is no such file on the server named "gbfcii.pl", and there are no Perl scripts in the client's folders.

I have no idea how they managed to do this?

[screenshot of the process list, not reproduced here]

again
Ergec
  • What is the output of /proc/15931/cmdline, and what is the PPID of 15931? Do you want to stop it? I am not clear about your question. – again Mar 15 '19 at 11:12
  • @again I was wondering if anyone has ever seen something like this. I'm afraid that process is not there anymore. Maybe it was in memory and after a restart or something got wiped off. – Ergec Mar 15 '19 at 11:52
  • This can happen. What you see was a portion of a command, though it looks like a file name. – again Mar 15 '19 at 11:55
  • You killed the PPID but the process was in another shell. So after killing it, PID 1 took ownership. – again Mar 15 '19 at 11:55
  • An FYI, you can create a Perl file, run it, and then delete it while it's still running without affecting the process. – Ben Poulson Mar 15 '19 at 13:42

1 Answer

gbfcii.pl is not a file name. It is a portion of the command. You may not find the file in the filesystem. After you killed the Perl shell, this PID's parent changed to the root process.

again
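The inspection the comments ask for (/proc/PID/cmdline and the PPID) together with the two effects the thread describes (a script deleted while it keeps running, and a process whose launching shell is gone being adopted by PID 1 or the nearest subreaper), as an added shell example that is not part of the original question or answer. It assumes Linux with /proc mounted and builds its own throwaway scripts; the PID 15931 and the name gbfcii.pl from the thread are not used. A process that has rewritten its own argv to look like a script name shows the same signature as the deleted-script case: an argv word that points at nothing on disk while /proc/PID/exe points at the real interpreter.

```shell
#!/bin/sh
# Added example, not code from the original post or its author. Inspects a
# running process through /proc (Linux) to see what is really behind a
# suspicious argv such as "gbfcii.pl": the command line, the executable the
# kernel actually mapped, and the parent PID. The scenarios below are
# constructed with throwaway scripts; the PID 15931 from the thread is not used.

# argv of a process, with the NUL separators turned into spaces.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Parent PID, read from /proc/PID/status.
proc_ppid() {
    awk '/^PPid:/ { print $2 }' "/proc/$1/status"
}

# The executable the kernel is running. For a script this is the interpreter
# (e.g. /bin/sh or /usr/bin/perl), never the script itself; the kernel appends
# " (deleted)" when that binary has been unlinked.
proc_exe() {
    readlink "/proc/$1/exe"
}

# Print every argv word containing "/" that does not exist on disk: the
# signature of a script deleted after launch, or of an argv that never named a
# real file at all.
missing_argv_paths() {
    tr '\0' '\n' < "/proc/$1/cmdline" | while IFS= read -r word; do
        case "$word" in
            */*) [ -e "$word" ] || printf '%s\n' "$word" ;;
        esac
    done
}

# One-screen report for a PID, as a responder would run it.
proc_report() {
    printf 'PID     : %s\n' "$1"
    printf 'PPID    : %s\n' "$(proc_ppid "$1")"
    printf 'exe     : %s\n' "$(proc_exe "$1")"
    printf 'cmdline : %s\n' "$(proc_cmdline "$1")"
    printf 'missing : %s\n' "$(missing_argv_paths "$1" | tr '\n' ' ')"
}

# Scenario 1 (the comment thread): a script is started, then deleted while it
# keeps running. Leaves the PID in DEMO_PID and the deleted path in DEMO_SCRIPT.
demo_deleted_script() {
    DEMO_SCRIPT=$(mktemp /tmp/demo_script.XXXXXX)
    printf '#!/bin/sh\nsleep 20\n' > "$DEMO_SCRIPT"
    sh "$DEMO_SCRIPT" >/dev/null 2>&1 &
    DEMO_PID=$!
    i=0                              # wait until the child has exec'd the script
    while [ "$i" -lt 5 ]; do
        case "$(proc_cmdline "$DEMO_PID" 2>/dev/null)" in *"$DEMO_SCRIPT"*) break ;; esac
        sleep 1; i=$((i + 1))
    done
    rm -f "$DEMO_SCRIPT"             # the file is gone; the process is not
    proc_report "$DEMO_PID"
}

# Scenario 2 (the answer): when the shell that launched a process exits, the
# process is adopted by PID 1 (or the nearest subreaper), so its PPID no longer
# points at anything the operator started. Leaves the PID in ORPHAN_PID.
demo_orphan() {
    ORPHAN_PID=$( (sleep 20 >/dev/null 2>&1 & echo $!) )
    sleep 1                          # let the kernel reparent the orphan
    proc_report "$ORPHAN_PID"
}

# Stop the demo processes (including the sleep child of the deleted script).
demo_cleanup() {
    kids=$(cat "/proc/$DEMO_PID/task/$DEMO_PID/children" 2>/dev/null)
    kill $DEMO_PID $kids $ORPHAN_PID 2>/dev/null || true
    wait "$DEMO_PID" 2>/dev/null || true
}

demo_deleted_script
demo_orphan
demo_cleanup
```

Run it as a normal user; it only inspects and signals processes it created. In the first report the "missing" line names the deleted script while "exe" still points at /bin/sh, which is why a name seen in ps does not have to exist anywhere in the filesystem; in the second report the PPID is no longer the shell that started the process, which is the reparenting the answer refers to.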