How I Found a Hidden Reverse Shell Running as www-data (And What I Did About It) | by Faruk Ahmed | Jul, 2025
Faruk @cyberwebpen

About: InfoSec Analyst | 10+ yrs in DLP, CrowdStrike, QRadar, Qualys, Linux Admin, WebLogic Admin | Python & Bash Enthusiast | Passionate about cybersecurity, automation, and continuous learning.

Joined: Apr 27, 2025


Publish Date: Jul 29


How I Found a Hidden Reverse Shell Running as www-data (And What I Did About It)


Intro: Sometimes the most dangerous threats aren’t brute-force attacks or zero-day exploits. They’re quiet, persistent footholds hiding in plain sight. I once discovered a reverse shell silently running under the www-data user on my Ubuntu web server. Here’s how I found it — and exactly what steps I took to clean it up.

1. Something Just Felt Off

I noticed unusually high outbound traffic from the web server, even though there weren’t many visitors. My CPU usage was fine, but something wasn’t right.

2. I Ran ps aux | grep www-data

ps aux | grep www-data

This revealed a process like:

www-data 1234  0.0  0.1  23456  3456 ?  Ss   10:12   0:00 /bin/bash -i

That’s not normal. The www-data user (used by Apache/Nginx) shouldn’t be running interactive shells.

3. Checked the Network Connections

I ran:

sudo lsof -i -nP | grep ESTABLISHED

Output:

bash   1234 www-data   3u  IPv4  123456  0t0  TCP 192.168.1.10:4242 -> 103.82.121.45:4444 (ESTABLISHED)
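The two checks above (an interactive shell owned by the web-server account, and that same process holding an established outbound TCP connection) can be combined into one repeatable check. The script below is an added example and is not code from the original post: it parses `ps aux` and `lsof -i -nP` output, lists every `www-data` process whose binary is a shell, and correlates those PIDs with established connections. The `WEB_USER` variable, the function names, and the embedded sample output (constructed to mirror the lines shown in the post, using lsof's real `local->remote` NAME format) are all assumptions of this example; run it with `--live` to apply the same logic to the host you are on.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): correlate shell processes owned
# by the web-server account with ESTABLISHED TCP connections.

WEB_USER="${WEB_USER:-www-data}"   # assumption: Apache/Nginx runs as www-data

# Constructed sample of `ps aux` output, modelled on the post's findings.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 167000 11000 ?        Ss   10:00   0:01 /sbin/init
www-data   987  0.0  0.2 230000 15000 ?        S    10:05   0:00 /usr/sbin/apache2 -k start
www-data  1234  0.0  0.1  23456  3456 ?        Ss   10:12   0:00 /bin/bash -i'

# Constructed sample of `lsof -i -nP` output (real lsof prints local->remote
# with no spaces around the arrow).
SAMPLE_LSOF='COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2   987 www-data    4u  IPv4 111111      0t0  TCP *:80 (LISTEN)
bash     1234 www-data    3u  IPv4 123456      0t0  TCP 192.168.1.10:4242->103.82.121.45:4444 (ESTABLISHED)'

# Print "<pid> <full command>" for every $WEB_USER process whose binary is a
# shell. A web-server worker has no business running bash/sh interactively.
find_web_user_shells() {
    # $1: text of `ps aux`
    printf '%s\n' "$1" | awk -v u="$WEB_USER" '
        NR > 1 && $1 == u {
            base = $11
            sub(/.*\//, "", base)                 # basename of the binary
            if (base ~ /^(bash|sh|dash|zsh)$/) {
                cmd = $11
                for (i = 12; i <= NF; i++) cmd = cmd " " $i
                print $2, cmd
            }
        }'
}

# Print "<pid> <local->remote>" for every ESTABLISHED TCP connection that
# belongs to $WEB_USER. Outbound connections from a web server are unusual;
# the server normally only LISTENs.
find_web_user_established() {
    # $1: text of `lsof -i -nP`
    printf '%s\n' "$1" | awk -v u="$WEB_USER" '
        NR > 1 && $3 == u && $NF == "(ESTABLISHED)" { print $2, $(NF-1) }'
}

# Join the two views on PID. A shell that also holds an established
# connection is exactly the reverse-shell pattern described in the post.
report_suspicious() {
    # $1: ps aux output, $2: lsof output
    find_web_user_shells "$1" | while read -r pid cmd; do
        conn=$(find_web_user_established "$2" | awk -v p="$pid" '$1 == p { print $2 }')
        if [ -n "$conn" ]; then
            echo "SUSPICIOUS pid=$pid cmd=$cmd conn=$conn"
        else
            echo "REVIEW pid=$pid cmd=$cmd (no established connection)"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    # Live mode: same checks the post ran by hand (lsof needs root to see
    # other users' sockets).
    report_suspicious "$(ps aux)" "$(sudo lsof -i -nP)"
else
    # Default: demonstrate on the constructed sample.
    report_suspicious "$SAMPLE_PS" "$SAMPLE_LSOF"
fi
```

Run without arguments to see the sample flagged as `SUSPICIOUS pid=1234 cmd=/bin/bash -i conn=192.168.1.10:4242->103.82.121.45:4444`; a shell with no connection is reported as `REVIEW` so it is not silently dropped. The PID join matters: a listening Apache worker and a shell both belong to `www-data`, and only the per-process correlation separates the two.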

