OK I have applied that to all websites. Hopefully now I should see the different username than www-data. is that right ?
There are more suggestions on what to do when you google: +"httpd.pl" Onse suexec is enabled and you see which user is running httpd.pl you can find last modiffied/created files in that account. And clean it, but it will get re-infected if you will not set all folders and files immutable bit (chattr -R +i /path/to/user/website/dir/), once done files will not be able to modify or create, some script functions may break. To remove protection, replace +i by -i Another solution is to backup mysql of the infected account and backup files. Then delete whole infected account, create new, install content management system (same version as the infected one) and apply your mysql, then update content management system. Backup regularly as bad bots will try to infect you again and abuse you.
