
Web Server Child Shell Spawn Detected via Defend for Containers

Elastic Detection Rules

Summary
This rule identifies potentially malicious activity on Linux web servers where common web server user accounts are observed executing interactive shells via suspicious processes. This typically indicates exploitation attempts, such as webhook tampering, leading to unauthorized access and providing a foothold for attackers. Specific actions to investigate include capturing command-line execution details, correlating activity with web logs to discover abnormal calls, and monitoring network connections from the affected container for suspicious outbound traffic. In cases of confirmed malicious activity, immediate isolation of the compromised container, evidence preservation, and thorough remediation steps, including redeployment from a secure image, are advised.
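A simplified approximation of the detection logic the summary describes (a web server service account spawning an interactive shell from a web server process), written as an added example rather than the rule's own query; the field names, process lists and sample events below are constructed assumptions, not Elastic's schema or this rule's actual definition.

```python
# Hypothetical process-event model: each event is a dict with the user the
# process runs as, its executable name, its argument list, its parent process
# name and the container it ran in. These are assumed fields, not ECS.
WEB_SERVER_USERS = {"www-data", "apache", "nginx", "httpd", "tomcat"}
WEB_SERVER_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "gunicorn", "uwsgi"}
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}


def is_interactive_shell(event):
    """True when the process is a shell launched interactively: either with
    an explicit -i flag or with no script/command argument at all."""
    if event["process"] not in SHELLS:
        return False
    args = event.get("args", [])
    if "-i" in args[1:]:
        return True
    # Bare shell invocation (no -c, no script path) is treated as interactive.
    return len(args) <= 1


def detect_web_server_shell_spawn(events):
    """Return triage records for events where a web server account runs an
    interactive shell whose parent is a web server process."""
    hits = []
    for e in events:
        if (e["user"] in WEB_SERVER_USERS
                and e["parent"] in WEB_SERVER_PARENTS
                and is_interactive_shell(e)):
            hits.append({
                "container_id": e["container_id"],
                "user": e["user"],
                "command_line": " ".join(e.get("args", [])),
                "parent": e["parent"],
            })
    return hits


# Constructed sample events for illustration.
SAMPLE_EVENTS = [
    {"user": "www-data", "process": "sh", "args": ["sh", "-i"],
     "parent": "php-fpm", "container_id": "c-web-01"},
    {"user": "www-data", "process": "sh", "args": ["sh", "-c", "ls /tmp"],
     "parent": "php-fpm", "container_id": "c-web-01"},
    {"user": "root", "process": "bash", "args": ["bash", "-i"],
     "parent": "sshd", "container_id": "c-admin-02"},
    {"user": "nginx", "process": "bash", "args": ["bash"],
     "parent": "nginx", "container_id": "c-web-03"},
]
```

Each returned record carries the container id and command line so the triage steps in the summary (isolating the container, correlating the command with web logs) can start from the alert itself.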
Categories
  • Containers
  • Linux
  • Cloud
Data Sources
  • Process
  • Container
  • Application Log
ATT&CK Techniques
  • T1505
  • T1505.003
  • T1059
  • T1059.004
  • T1071
Created: 2026-02-06