• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

I've found a "sudo nobody find ./..." running on ps -aux - is this plesk or hacking

P

pcsousa

New Pleskian
Hello.

Runining ps -aux and top I've found a process running something like:
"sudo nobody find ./ ... /tmp ... etc"

I can not post here the full command and I can not remember very well because server reach a very high load and must be remote rebooted. Now is not there.

My question is: does plesk execute some kind of this commands somewhere (or any application used by plesk) or should I consider some compromised virtual host.

At this moment I've search /srv/www/vhosts/ directory for executable files and checked all wwwrun owned files (uploaded files) and found nothing relevant (at first sight), but all know how difficult is to detect what is good and bad. Also listed /tmp (/var/tmp is also /tmp and booth noexec, but we all know noexec is not solution for all) and found nothing relevant too, but plesk make lots of garbadge on this directory, so it is difficult to check what is system or external.

Any other ideas?

Thank you.
Regards.
 
Plesk doesnt run any kind of event through sudo like that. Id check your /etc/sudoers for references to the user "nobody" and your crontab's for any entries associated with sudo (/etc/crontab, /var/spool/cron, /etc/cron.daily, /etc/cron.hourly, /etc/cron.weekly).
 
Doubt it

I doubt that is any form of hacking the linux shell command ps -aux is the depricated form of ps -aux. This command lists off the active process threads on the system. I would guess it is a script parsing for some bit of information. It can be executed my any cron script or user with shell access. It is not dangerous at all.
 
You must log in or register to reply here.

Similar threads

A
Question Error Message Installing Plesk
Replies
1
Views
985
Kaspar@Plesk
Kaspar@Plesk
D
Issue Installing Rocket Chat in Plesk with Docker using tutorial, need an answer.
2
Replies
33
Views
5K
David Borrink
D
S
Issue Getting 404 Not Found NGINX error, not able to access plesk and website went down after update
Replies
2
Views
2K
Dave W
Dave W
B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
8
Views
2K
HHawk
HHawk
malisaeed
Issue write (github.com): Connection refused: port 22
Replies
0
Views
2K
malisaeed
malisaeed
Back
Top