Originally published at Medium

How I Found a Hidden Reverse Shell Running as www-data (And What I Did About It) | by Faruk Ahmed | Jul, 2025


Intro: Sometimes the most dangerous threats aren’t brute-force attacks or zero-day exploits. They’re quiet, persistent footholds hiding in plain sight. I once discovered a reverse shell silently running under the www-data user on my Ubuntu web server. Here’s how I found it — and exactly what steps I took to clean it up.

1. Something Just Felt Off

I noticed unusually high outbound traffic from the web server, even though there weren’t many visitors. My CPU usage was fine, but something wasn’t right.

2. I Ran ps aux | grep www-data

ps aux | grep www-data 

This revealed a process like:

www-data 1234 0.0 0.1 23456 3456 ? Ss 10:12 0:00 /bin/bash -i 

That’s not normal. The www-data user (used by Apache/Nginx) shouldn’t be running interactive shells.

3. Checked the Network Connections

I ran:

sudo lsof -i -nP | grep ESTABLISHED 

Output:

bash 1234 www-data 3u IPv4 123456 0t0 TCP 192.168.1.10:4242 -> 103.82.121.45:4444 (ESTABLISHED) 
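The two manual checks above (a shell owned by www-data in `ps aux`, and an ESTABLISHED connection in `lsof -i -nP`) can be turned into a repeatable detection. This is an added example, not code from the post: it parses both outputs and flags www-data processes whose binary is a shell, and connections where the account is dialing out (local port is not one it listens on, peer is outside the trusted range) rather than a client connecting in. The sample output, the trusted network 192.168.1.0/24 and the shell list are constructed assumptions to adjust for your host.

```python
import ipaddress
import re

WEB_USER = "www-data"                                    # assumed service account
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed internal range
SHELLS = {"sh", "bash", "dash", "zsh"}                   # assumed; extend for your stack

# Constructed samples shaped like the post's `ps aux` and `lsof -i -nP` output.
PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
www-data  1200  0.0  0.5  71000 12000 ?        S    10:00   0:00 /usr/sbin/apache2 -k start
www-data  1234  0.0  0.1  23456  3456 ?        Ss   10:12   0:00 /bin/bash -i
root      1300  0.0  0.2  12000  4000 ?        Ss   09:55   0:00 /usr/sbin/sshd -D
"""
LSOF_SAMPLE = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2  1200 www-data   4u  IPv4 111111      0t0  TCP *:80 (LISTEN)
apache2  1200 www-data   9u  IPv4 111222      0t0  TCP 192.168.1.10:80->203.0.113.5:51234 (ESTABLISHED)
bash     1234 www-data   3u  IPv4 123456      0t0  TCP 192.168.1.10:4242->103.82.121.45:4444 (ESTABLISHED)
sshd     1300     root   3u  IPv4 222222      0t0  TCP 192.168.1.10:22->192.168.1.20:51000 (ESTABLISHED)
"""
CONN = re.compile(r"TCP (\S+):(\d+)\s*->\s*(\S+):(\d+) \(ESTABLISHED\)")
LISTEN = re.compile(r"TCP \S+:(\d+) \(LISTEN\)")

def suspicious_shells(ps_text, user=WEB_USER):
    """(pid, command) for `user` processes whose binary is a shell, interactive or not."""
    hits = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 10)          # COMMAND is field 11 and may contain spaces
        if len(parts) == 11 and parts[0] == user:
            binary = parts[10].split()[0].rsplit("/", 1)[-1]
            if binary in SHELLS:
                hits.append((int(parts[1]), parts[10]))
    return hits

def dial_out_connections(lsof_text, user=WEB_USER, trusted=TRUSTED_NETS):
    """(pid, peer) for ESTABLISHED connections of `user` whose local port is not one
    it LISTENs on (so not a visitor) and whose peer is outside the trusted networks."""
    rows = [r for r in (l.split() for l in lsof_text.splitlines()[1:]) if len(r) >= 9 and r[2] == user]
    listening = {m.group(1) for m in map(LISTEN.search, (" ".join(r) for r in rows)) if m}
    hits = []
    for r in rows:
        m = CONN.search(" ".join(r))
        if not m or m.group(2) in listening:  # no match, or an inbound client connection
            continue
        peer = ipaddress.ip_address(m.group(3).strip("[]"))
        if not any(peer in net for net in trusted):
            hits.append((int(r[1]), f"{m.group(3)}:{m.group(4)}"))
    return hits
```

On the sample, only PID 1234 is reported by both functions: the apache2 worker's connection on port 80 is a visitor, and the sshd session belongs to root and stays inside the trusted range.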
