Who is 1014? I have no user on my system named 1014, so why is this httpd process run as 1014?

security httpd centos ps

Solution 1:

Every user has a numeric id as well as a name. This is probably an account created when the httpd server was installed. Have you tried grepping for it?

grep 1014 /etc/passwd

Solution 2:

Sl+ and R+ is the state of the processes, and it means the following

R - running or runnable (on run queue)
S - interruptible sleep (waiting for an event to complete)
l - is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)
+ - is in the foreground process group.

If you didn't start this process yourself, it looks like someone has started it and it is running in the foreground somewhere.

1014 is an uid on the system.

If this is an unknown uid to you, you should definitely start checking out the possibilities that your system is hacked. Look into chkrootkit and rkhunter to check for suspicious files on your system.

Solution 3:

Either you have a user named '1014' or the entry in /etc/passwd for the user with uid 1014 has been deleted. By all means check in /etc/passwd - but I suspect the latter scenario is more likely.

Any server process listening on a reserved port must be started by root - it then downgrades to a different user. If you run 'ps -ef' then you'll be able to get the parent process for the stuff you're concerned about. If it was started by root, then you can start to get more worried. From the /proc/<pid>/ files you'll be able to see all sorts of stuff - like exactly where './bin/httpd' is.

The -X option for apache (if this is Apache) runs a single worker and the process does not daemonize (stays associated with the pty where it was started from). If /proc/<pid>/exe does not point to a file supplied with your isntallation, then you may be able to find out more about it by running 'strings' against the executable.

If it is malicious, and someone is covering their tracks by deleting a passwd entry, then they may have deleted the file/directory containing the webserver (but the actual contents of the file / directory remain on the disk, hidden, while they are still in use (see /proc/<pid>/fd)

You should also be able to see what port it's listening on from netstat -na (hence you could try pointing a browser at it).

If you have reason to suspect it is malicious, then see How do I deal with a compromised server?

Solution 4:

May be worth searching the filesystem to see what files if any are owned by this user.

find / -user 1014 -type f | xargs ls -l

Related

Store system passwords with easy and secure access
How to secure memcached?
Fail to mount image files in windows server 2012
Ram recommendations vs SQL DB size
Server freeze - how to debug
HTTP/1.1 Status Codes 400 and 417, cannot choose which
Flash Backed Write Cache (FBWC) without capacitor pack
Install xdebug for php 5.3.17 on centos 6.3 (final)
TCP connection stuck in SYN_RECV state despite ACK received, Linux 2.6.18, embedded, ARM
Is this IPv4 and subnet combination public or private? [duplicate]
If a managed network switch were to overheat, would you consider it no longer reliable?
How to 'undeclare' a custom function in a loop