Who is 1014? I have no user on my system named 1014, so why is this httpd process run as 1014?
Solution 1:
Every user has a numeric id as well as a name. This is probably an account created when the httpd server was installed. Have you tried grepping for it?
grep 1014 /etc/passwd
Solution 2:
Sl+
and R+
is the state of the processes, and it means the following
R
- running or runnable (on run queue)S
- interruptible sleep (waiting for an event to complete)l
- is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)+
- is in the foreground process group.
If you didn't start this process yourself, it looks like someone has started it and it is running in the foreground somewhere.
1014 is an uid on the system.
If this is an unknown uid to you, you should definitely start checking out the possibilities that your system is hacked. Look into chkrootkit
and rkhunter
to check for suspicious files on your system.
Solution 3:
Either you have a user named '1014' or the entry in /etc/passwd for the user with uid 1014 has been deleted. By all means check in /etc/passwd - but I suspect the latter scenario is more likely.
Any server process listening on a reserved port must be started by root - it then downgrades to a different user. If you run 'ps -ef' then you'll be able to get the parent process for the stuff you're concerned about. If it was started by root, then you can start to get more worried. From the /proc/<pid>/
files you'll be able to see all sorts of stuff - like exactly where './bin/httpd' is.
The -X option for apache (if this is Apache) runs a single worker and the process does not daemonize (stays associated with the pty where it was started from). If /proc/<pid>/exe
does not point to a file supplied with your isntallation, then you may be able to find out more about it by running 'strings' against the executable.
If it is malicious, and someone is covering their tracks by deleting a passwd entry, then they may have deleted the file/directory containing the webserver (but the actual contents of the file / directory remain on the disk, hidden, while they are still in use (see /proc/<pid>/fd
)
You should also be able to see what port it's listening on from netstat -na (hence you could try pointing a browser at it).
If you have reason to suspect it is malicious, then see How do I deal with a compromised server?
Solution 4:
May be worth searching the filesystem to see what files if any are owned by this user.
find / -user 1014 -type f | xargs ls -l