Know where the files are in the processes

Comments

7 comments

  • cPAdminsMichael
    Quickest way is to do a ps, I think: ps -ef | grep python
    0
  • Insidesign
    Hello, thanks for the answer. It appears, as you can see in the image, but I was wondering where the port2.py, send.py and reverseping.py files are so that I could delete them, and it doesn't show the path of the file that is being executed. Thanks
    0
  • cPAdminsMichael
    Ah yes, sorry. WOW, a lot of bad activity going on with your server! You can see files opened by a given process with lsof -p PID. So, e.g., that would be lsof -p 4081. BUT you can also see that the parent of 4081 is 3719, which is a shell script running curl, downloading a script, which is unzipped and executed. It seems as if both accounts contabil and cartucha are compromised. You may also want to run ImunifyAV - which is now included in your cPanel license - to find malware and malicious files.
    0
  • Insidesign
    Hello, thanks for the answer. I found it; it seems that the client's website has some vulnerability that places the file in the /tmp/ directory and executes the file (see attached image). As I am going to have to ask the customer to check, is there any way I can prevent this from happening until the customer asks to check his website? Thanks
    0
  • cPanelLauren
    So that process that's running is not reverseping.py, it's reversebing.py, and it looks like you found lsof, which would give you exactly what you need.
    0
  • Insidesign
    Hello, yes, but what I wanted to know is if you can block these processes on the server until the client checks for vulnerabilities on his website. Thanks
    0
  • cPanelLauren
    Ok, that's not what you asked at all, so I believe I am confused. It's a lot more difficult to block the process from running than it is to just outright remove the file executing it or change its permissions to 000.
    0
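
The two lookups discussed in the thread (which file a process is running, and which parent started it), as an added example that is not part of the original thread or any cPanel tooling. It reads the same data lsof and ps use from /proc on Linux; the function names and the PROC_ROOT variable are assumptions of this example, and the script lookup is a heuristic for processes started as `interpreter script.py`.

```shell
#!/bin/sh
# Added example: resolve a PID to the script it runs and to its parent chain.
# PROC_ROOT is an assumption of this example; it defaults to the live /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# Print the absolute path of the script a process was started with.
# Heuristic: first argument after argv[0] that is not an option; a relative
# name is resolved against the process's working directory, which is what
# "ps -ef" does not show.
script_path() {
    sp_pid=$1
    sp_cwd=$(readlink "$PROC_ROOT/$sp_pid/cwd") || return 1
    # cmdline is NUL-separated; drop argv[0] (the interpreter) and options.
    sp_script=$(tr '\0' '\n' < "$PROC_ROOT/$sp_pid/cmdline" |
        sed 1d | grep -v '^-' | head -n 1)
    [ -n "$sp_script" ] || return 1
    sp_script=${sp_script#./}
    case $sp_script in
        /*) printf '%s\n' "$sp_script" ;;
        *)  printf '%s/%s\n' "$sp_cwd" "$sp_script" ;;
    esac
}

# Print the PID chain from a process up to init, e.g. "4081 3719 1".
# The parent is often the more useful lead: it shows what launched the script.
parent_chain() {
    pc_pid=$1
    pc_chain=
    while [ -n "$pc_pid" ] && [ "$pc_pid" -gt 0 ] &&
          [ -r "$PROC_ROOT/$pc_pid/status" ]; do
        pc_chain="$pc_chain $pc_pid"
        pc_pid=$(awk '$1 == "PPid:" { print $2 }' "$PROC_ROOT/$pc_pid/status")
    done
    printf '%s\n' "${pc_chain# }"
}

# Usage: sh whereis-proc.sh 4081   (run as root to read other users' processes)
for p in "$@"; do
    printf 'pid=%s script=%s parents=%s\n' \
        "$p" "$(script_path "$p")" "$(parent_chain "$p")"
done
```

Record the resolved path and the parent chain before killing anything, since both disappear from /proc once the process exits.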
