I've found a "sudo nobody find ./..." running on ps -aux - is this plesk or hacking

[pcsousa]

Hello.

Runining ps -aux and top I've found a process running something like:
"sudo nobody find ./ ... /tmp ... etc"

I can not post here the full command and I can not remember very well because server reach a very high load and must be remote rebooted. Now is not there.

My question is: does plesk execute some kind of this commands somewhere (or any application used by plesk) or should I consider some compromised virtual host.

At this moment I've search /srv/www/vhosts/ directory for executable files and checked all wwwrun owned files (uploaded files) and found nothing relevant (at first sight), but all know how difficult is to detect what is good and bad. Also listed /tmp (/var/tmp is also /tmp and booth noexec, but we all know noexec is not solution for all) and found nothing relevant too, but plesk make lots of garbadge on this directory, so it is difficult to check what is system or external.

Any other ideas?

Thank you.
Regards.

 

[atomicturtle]

Plesk doesnt run any kind of event through sudo like that. Id check your /etc/sudoers for references to the user "nobody" and your crontab's for any entries associated with sudo (/etc/crontab, /var/spool/cron, /etc/cron.daily, /etc/cron.hourly, /etc/cron.weekly).

 

[kessler]

Doubt it

I doubt that is any form of hacking the linux shell command ps -aux is the depricated form of ps -aux. This command lists off the active process threads on the system. I would guess it is a script parsing for some bit of information. It can be executed my any cron script or user with shell access. It is not dangerous at all.

 

[atomicturtle]

Except its running through sudo, and he doesn't know how it got there of course.