[root@home ~]# ps au | grep httpd
1014      9701  0.0  0.2 281620  3124 pts/24   Sl+  18:41   0:00 ./bin/httpd -X
root      9742  0.0  0.0   3084   720 pts/22   R+   18:45   0:00 grep httpd

By the way, what do Sl+ and R+ mean? Is 1014 a hacker? Why is it on my system? What privilege does it have? Can it destroy my system, or do any harm?

@Peter Westlake `cat /etc/passwd | grep 1014` gives `hugemeow:x:1014:1014::/home/hugemeow:/bin/bash`. The issue is why does `ps au` not show the name, but show its number?

giantforest
  • It immediately looks suspicious, you should definitely investigate it further. Did you start this process? Is it listening on any ports? – pkhamre Aug 16 '12 at 10:54
  • I concur that it looks weird: the web server process typically isn't started with the command `./bin/httpd -X`. Also, http://serverfault.com/questions/218005/my-servers-been-hacked-emergency – cjc Aug 16 '12 at 11:04
  • Check where it's from or where it's running by looking at /proc/9701/exe and /proc/9701/cwd – ott-- Aug 16 '12 at 13:41
  • And look at `netstat -tap` to see if it has open/listen connections. – ott-- Aug 16 '12 at 13:43
  • @pkhamre how do I know which port this process listens on, `netstat -nap | grep 1014`? – giantforest Aug 16 '12 at 15:05
  • What does 'id hugemeow' return? – Grant Aug 16 '12 at 15:41

4 Answers


Every user has a numeric id as well as a name. This is probably an account created when the httpd server was installed. Have you tried grepping for it?

grep 1014 /etc/passwd
Peter Westlake

Sl+ and R+ are the states of the processes, and they mean the following:

R - running or runnable (on run queue)
S - interruptible sleep (waiting for an event to complete)
l - is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)
+ - is in the foreground process group.

If you didn't start this process yourself, it looks like someone has started it and it is running in the foreground somewhere.

1014 is a uid on the system.

If this is an unknown uid to you, you should definitely start checking out the possibilities that your system is hacked. Look into chkrootkit and rkhunter to check for suspicious files on your system.

pkhamre

Either you have a user named '1014' or the entry in /etc/passwd for the user with uid 1014 has been deleted. By all means check in /etc/passwd - but I suspect the latter scenario is more likely.

Any server process listening on a reserved port must be started by root - it then downgrades to a different user. If you run 'ps -ef' then you'll be able to get the parent process for the stuff you're concerned about. If it was started by root, then you can start to get more worried. From the /proc/<pid>/ files you'll be able to see all sorts of stuff - like exactly where './bin/httpd' is.

The -X option for apache (if this is Apache) runs a single worker and the process does not daemonize (stays associated with the pty where it was started from). If /proc/<pid>/exe does not point to a file supplied with your installation, then you may be able to find out more about it by running 'strings' against the executable.

If it is malicious, and someone is covering their tracks by deleting a passwd entry, then they may have deleted the file/directory containing the webserver (but the actual contents of the file / directory remain on the disk, hidden, while they are still in use; see /proc/<pid>/fd).

You should also be able to see what port it's listening on from netstat -na (hence you could try pointing a browser at it).

If you have reason to suspect it is malicious, then see How do I deal with a compromised server?

symcbean
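The checks in the two answers above (decoding the STAT column, then walking /proc/<pid> for owner, parent, executable and cwd, and resolving the uid against the passwd database, including the deleted-entry case) as an added Python example; it is not part of any answer on this page. The STAT table carries the four codes pkhamre lists plus two more (D, Z) from the ps(1) manual, and the function names are my own.

```python
import os
import pwd

# Meanings of the letters in the STAT column of `ps au` (from ps(1)).
STATE_CODES = {
    "R": "running or runnable (on run queue)",
    "S": "interruptible sleep (waiting for an event to complete)",
    "D": "uninterruptible sleep (usually IO)",
    "Z": "defunct (zombie) process",
    "l": "multi-threaded (using CLONE_THREAD, like NPTL pthreads do)",
    "+": "in the foreground process group",
}

def decode_state(stat):
    """Expand a STAT string such as 'Sl+' into one meaning per code."""
    return [STATE_CODES.get(c, f"unknown code {c!r}") for c in stat]

def resolve_uid(uid):
    """Map a uid to a name; flag the deleted /etc/passwd entry case."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return f"{uid} (no /etc/passwd entry)"

def _readlink(path):
    # exe/cwd links are unreadable for zombies, kernel threads or other uids.
    try:
        return os.readlink(path)
    except OSError:
        return None

def triage(pid):
    """Gather the /proc/<pid> facts the answers point at (Linux only)."""
    proc = f"/proc/{pid}"
    info = {"pid": pid}
    with open(f"{proc}/status") as f:
        for line in f:
            key, _, value = line.partition(":")
            if key == "Uid":
                info["uid"] = int(value.split()[0])  # real uid is the first field
            elif key == "PPid":
                info["ppid"] = int(value)
    info["user"] = resolve_uid(info["uid"])
    info["exe"] = _readlink(f"{proc}/exe")  # ends in ' (deleted)' if unlinked
    info["cwd"] = _readlink(f"{proc}/cwd")
    with open(f"{proc}/cmdline", "rb") as f:
        info["cmdline"] = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    return info
```

Run `triage(9701)` as root to see who owns the process, what started it and where `./bin/httpd` really lives; an `exe` value ending in ` (deleted)` means the binary was removed from disk while still running.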

May be worth searching the filesystem to see what files if any are owned by this user.

find / -user 1014 -type f -exec ls -l {} +