linuxserver-administration

How do I investigate the origin of a process in Linux?


I see this weird process on my pi server (running under Debian 12):

ps:

pi          2825  392 29.2 2447152 2409552 ?     Ssl  Apr21 4762:40 ./Ak24wYEx

lsof:

pi@pi5:~ $ sudo lsof -p 2825
COMMAND   PID USER   FD      TYPE DEVICE SIZE/OFF  NODE NAME
Ak24wYEx 2825   pi  cwd       DIR  179,2     4096    32 /tmp
Ak24wYEx 2825   pi  rtd       DIR  179,2     4096     2 /
Ak24wYEx 2825   pi  txt       REG  179,2  3005572  1327 /tmp/Ak24wYEx (deleted)
Ak24wYEx 2825   pi  mem       REG   0,15          24428 anon_inode:[io_uring] (stat: No such file or directory)
Ak24wYEx 2825   pi  mem       REG   0,15          24427 anon_inode:[io_uring] (stat: No such file or directory)
Ak24wYEx 2825   pi    0r     FIFO   0,14      0t0 26072 pipe
Ak24wYEx 2825   pi    1w      CHR    1,3      0t0     5 /dev/null
Ak24wYEx 2825   pi    2w      CHR    1,3      0t0     5 /dev/null
Ak24wYEx 2825   pi    3r      CHR    1,9      0t0    10 /dev/urandom
Ak24wYEx 2825   pi    4u  a_inode   0,15        0  2070 [eventpoll:5,9,11,12,13,21]
Ak24wYEx 2825   pi    5u  a_inode   0,15        0 24427 [io_uring]
Ak24wYEx 2825   pi    6u  a_inode   0,15        0 24428 [io_uring]
Ak24wYEx 2825   pi    7r     FIFO   0,14      0t0 24429 pipe
Ak24wYEx 2825   pi    8w     FIFO   0,14      0t0 24429 pipe
Ak24wYEx 2825   pi    9r     FIFO   0,14      0t0 24430 pipe
Ak24wYEx 2825   pi   10w     FIFO   0,14      0t0 24430 pipe
Ak24wYEx 2825   pi   11u  a_inode   0,15        0  2070 [eventfd:14]
Ak24wYEx 2825   pi   12u  a_inode   0,15        0  2070 [eventfd:15]
Ak24wYEx 2825   pi   13u  a_inode   0,15        0  2070 [eventfd:28]
Ak24wYEx 2825   pi   14u     IPv4   1834      0t0   TCP localhost:52077 (LISTEN)
Ak24wYEx 2825   pi   15u  netlink             0t0  1826 ROUTE
Ak24wYEx 2825   pi   16u     IPv4   1835      0t0   UDP localhost:52077 
Ak24wYEx 2825   pi   17u     IPv6   1837      0t0   TCP localhost:52077 (LISTEN)
Ak24wYEx 2825   pi   18u     IPv6   1838      0t0   UDP localhost:52077 
Ak24wYEx 2825   pi   19r      CHR    1,3      0t0     5 /dev/null
Ak24wYEx 2825   pi   20u     IPv4   1840      0t0   UDP *:6771 
Ak24wYEx 2825   pi   21u     IPv4 348609      0t0   TCP pi.hole:58872->static.88-198-117-174.clients.your-server.de:19999 (ESTABLISHED)
Ak24wYEx 2825   pi   28r      CHR    1,9      0t0    10 /dev/urandom
Ak24wYEx 2825   pi   30u     IPv4   5943      0t0   TCP pi.hole:52077 (LISTEN)
Ak24wYEx 2825   pi   31u     IPv4   5944      0t0   UDP pi.hole:52077 
Ak24wYEx 2825   pi   32u     IPv4   5957      0t0   UDP pi.hole:59460 
Ak24wYEx 2825   pi   33u     IPv4   5958      0t0   UDP pi.hole:1900 
Ak24wYEx 2825   pi   34u     IPv4   5959      0t0   UDP pi.hole:58420 
Ak24wYEx 2825   pi   35u     IPv6   5960      0t0   UDP *:6771 
Ak24wYEx 2825   pi   36u     IPv4   5961      0t0   UDP *:6771 
Ak24wYEx 2825   pi   37u     IPv6   6041      0t0   TCP pi.hole:52077 (LISTEN)
Ak24wYEx 2825   pi   38u     IPv6   6042      0t0   UDP pi.hole:52077 
Ak24wYEx 2825   pi   39u     IPv6   6044      0t0   UDP *:6771 
Ak24wYEx 2825   pi   42u     sock    0,9      0t0 24210 protocol: TCP
Ak24wYEx 2825   pi   43u     IPv4  24212      0t0   TCP pi.hole:42821->104.21.32.1:http (CLOSE_WAIT)
Ak24wYEx 2825   pi   44u     sock    0,9      0t0 24211 protocol: TCPv6
Ak24wYEx 2825   pi   50u     sock    0,9      0t0 24213 protocol: TCPv6
pi@pi5:~ $

I asked the guys on the Pi-hole forum; it's unlikely that Pi-hole would run a process from another user.

For now I just have a script in cron which kills such processes periodically (btw, other than this script there is nothing else in crontab).

But how can I guess which process is running this one?
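The question asks which process started this one. An added example (not from the original post, and not a Pi-hole or Debian tool) that answers it from /proc: it follows PPid up to PID 1 and prints, for each ancestor, exe (which reads "(deleted)" for a binary removed after launch, as lsof showed for /tmp/Ak24wYEx), cwd, cmdline and the cgroup, which names the systemd unit or login session the process belongs to. PROC_ROOT is an assumed knob so the script can also be run against a saved copy of /proc.

```shell
#!/bin/sh
# Walk a process's ancestry through /proc and print, per process, the facts that
# point at where it came from.  PROC_ROOT is an assumed knob (not from the post):
# it defaults to the live /proc but can point at a saved copy for offline analysis.
PROC_ROOT="${PROC_ROOT:-/proc}"

# proc_origin PID: one line per process, from PID up the PPid chain to PID 1.
# Flags appended: [exe-deleted] if the binary was unlinked after start (what lsof
# showed as "/tmp/Ak24wYEx (deleted)"), [cwd-tmp] if it runs out of a temp dir.
proc_origin() {
    pid="$1"
    while [ -n "$pid" ] && [ "$pid" != "0" ]; do
        d="$PROC_ROOT/$pid"
        if [ ! -r "$d/status" ]; then
            echo "pid=$pid: not found under $PROC_ROOT (already exited?)"
            break
        fi
        ppid=$(awk '/^PPid:/ {print $2}' "$d/status")
        comm=$(awk '/^Name:/ {print $2}' "$d/status")
        exe=$(readlink "$d/exe" 2>/dev/null || echo "?")   # needs root for other users' PIDs
        cwd=$(readlink "$d/cwd" 2>/dev/null || echo "?")
        cmd=$(tr '\0' ' ' 2>/dev/null < "$d/cmdline" || true)
        # cgroup names the systemd unit / login session the process was started under;
        # it survives re-parenting to PID 1, unlike PPid.
        cgroup=$(cut -d: -f3 "$d/cgroup" 2>/dev/null | head -n 1 || true)
        flags=""
        case "$exe" in *"(deleted)"*) flags="$flags [exe-deleted]" ;; esac
        case "$cwd" in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) flags="$flags [cwd-tmp]" ;;
        esac
        echo "pid=$pid ppid=$ppid comm=$comm exe=$exe cwd=$cwd cgroup=$cgroup cmd=$cmd$flags"
        pid="$ppid"
    done
}

# Usage: sudo sh proc_origin.sh 2825
if [ $# -gt 0 ]; then
    proc_origin "$1"
fi
```

If the original parent has already exited, the process has been re-parented to PID 1 and the PPid chain says nothing useful; the cgroup column still names the unit or session it was started under (a cron service, a user session scope), which is the lead to follow.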


Solution

  • It is not uncommon to see this, especially if a process has 100 files, sockets, pipes, or devices open: you'll see 100 lines with the same PID. You can understand what is happening if you read the last two columns together; for instance, you are receiving (or listening, as your log says) UDP packets at localhost:52077. 52077 is the port number dedicated to receiving TCP/UDP packets.