0

I have a LAMP server with about 50 virtual domains, and am using Webmin/Virtualmin to manage the server.

When looking at running processes (top) I see one domain's username is running a couple of perl processes, and ps gives me the full command line: perl /tmp/dd. Note that this domain is a wordpress installation.

There is no dd file in the /tmp directory, so I can't tell what it's doing. These processes have been running for about 3 days. I can't kill them with standard kill [pid], but must use kill -9.

Is this an exploit, or is it most likely part of webmin/virtualmin's maintenance scripts?

Ryan Griggs
  • 963
  • 2
  • 14
  • 29
  • 1
    That's pretty much malware. – Michael Hampton Feb 06 '19 at 16:03
  • @MichaelHampton can you give me any details? It's running under one of the site usernames, so it doesn't have free reign of the system. Just sending out spam apparently. Can you describe this malware? I'm assuming its attack vector was a wordpress vulnerability, but they were running the latest version. – Ryan Griggs Feb 06 '19 at 20:38
  • Nothing more than you've already given us. It's your server, after all. – Michael Hampton Feb 06 '19 at 20:48
  • @MichaelHampton never mind. I thought it might be a signature for a specific attack. – Ryan Griggs Feb 06 '19 at 20:53

0 Answers0