In your SSH, as root, run:
Code: Select all
lsof -i -n | grep php- 1111.jpeg (269.42 KiB)
Here we see that PHP running by the user "redcella" is making outgoing http/https connections to outside.
Now open Apache status, to find what site is under that account:
- open-status.png (71.13 KiB)
Click on "WEB"
Ctrl+F "redcella"
- apache-status.png (300.13 KiB)