tillo
Verified User
Names like "httpdse" are often malicious processes that, after being run with a name like "perl se", try to change their command line to "httpd" but forget that the original string was longer; therefore "se" remains in the buffer, creating "httpdse".
If it was a binary the /proc/<pid>/exe symlink would have pointed to the exact location of the malware, but since it is a script what you would see is "-> /usr/bin/perl" or "-> /usr/bin/php" or "-> /bin/bash", etc. Unfortunately, there is no easy way to know the exact location of a script while it's running.
Next time instead of killing it you should search its /proc/<pid> directory for clues.
What you can also do is attach to the process with "strace" and see what it is doing. With "htop" you just select the process and press "s".
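
The /proc/<pid> inspection suggested above, as an added example that is not part of the original post: a shell function that prints the exe link, command line, working directory, open descriptors and a few environment variables, and flags a process whose exe is a script interpreter while its argv[0] claims another name. The function name `proc_triage` and its optional proc-root argument are assumptions of this example.

```sh
#!/bin/sh
# Added example: collect clues from /proc/<pid> before killing a process.
# Usage (as root): proc_triage <pid>
# The optional 2nd argument (proc root) is an assumption of this example,
# there only so the function can be run against a constructed tree.
proc_triage() {
    pid=$1
    p="${2:-/proc}/$pid"
    [ -d "$p" ] || { echo "no such pid: $pid" >&2; return 2; }

    exe=$(readlink "$p/exe" 2>/dev/null) || exe=""
    # cmdline is NUL-separated; its first field is the name ps/top show
    argv0=$(tr '\000' '\n' 2>/dev/null < "$p/cmdline" | head -n 1)
    echo "exe:     ${exe:-unreadable}"
    echo "cmdline: $(tr '\000' ' ' 2>/dev/null < "$p/cmdline")"
    echo "cwd:     $(readlink "$p/cwd" 2>/dev/null)"

    # Open descriptors and the inherited environment may name the
    # script file or the directory it was launched from.
    for fd in "$p"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        echo "fd ${fd##*/}: $target"
    done
    tr '\000' '\n' 2>/dev/null < "$p/environ" |
        grep -E '^(PWD|OLDPWD|_)=' | sed 's/^/env: /' || true

    # Heuristic, not proof: exe is an interpreter while argv[0] claims
    # another name (exe=/usr/bin/perl but argv[0]="httpdse").
    interp=${exe##*/}
    name=${argv0%% *}; name=${name##*/}; name=${name#-}   # "-bash" = login shell
    case "$interp" in
        perl*)   family=perl ;;
        php*)    family=php ;;
        python*) family=python ;;
        bash)    family=bash; if [ "$name" = sh ]; then return 0; fi ;;
        *)       return 0 ;;
    esac
    case "$name" in
        "$family"*) return 0 ;;
    esac
    echo "MISMATCH: $interp is running under the name \"$name\""
    return 1
}
```

A return status of 1 is a lead to follow up on, since some legitimate daemons written in these languages also rename themselves.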