I have a WordPress site sitting on a Docker container and which was infected by a malware. I noticed that when I try to remove the malware, it gets back again after a few seconds. When I run a process list, I can see a process 'sleep 3s' and which I am suspecting it checks if a malware file is present, and if not, downloads it again.
However I cannot find/kill the process which is calling this process because this container is not showing me the parent process. Additionally, the process changes its PID quickly.
What approach do you suggest to trace the parent malware doing the checks?
