CPU 100%
If I check top I have:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
28973 walisit+ 20 0 814704 19888 4344 S 350.2 0.1 2387:25 QRYF
In WHM top process I have this:
/home/walisit231/public_html/wp-admin/images/QRYF -a cryptonight -o stratum+tcp://mine.sumo.example.com:5555 -u Sumoo1rDNRshoJnVgCSAvw1mk89bi3czydD9n2tg7eaKQ83biSUAcU4ZaLHSyKeYQuCcSKrVXgykaTNmZAQdwmYzc4e7qV5MGGc.d31bcbe8b363017b61db3f993be19b092b799f0d1478bd57e222b025641ab931+worker42
I have removed the QRYF file in "/home/walisit231/public_html/wp-admin/images/" but the problem is the same!
The words cryptonight and a URI with the word mine in it, together with the high CPU load and the unusual call to TCP port 5555, would make me very suspicious that this WordPress site has either installed one of the many cryptocurrency mining Plugins, **OR** has been compromised and was now running (not so) hidden cryptocurrency mining scripts. You will probably get more help from the WordPress forums, and from the following links: Network Attacks Containing Cryptocurrency CPU Mining Tools Grow Sixfold
Check the /tmp directory and remove all files owned by user walisit231.
As @rpvw pointed out, it appears your account may be compromised and is being used to mine cryptocurrencies. @Dryandra, when investigating compromises, we should not jump to deleting files first. Forensics should be performed first to help determine the point of compromise, then the malicious code should be removed/disabled.
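As an added example (not code from the thread or from cPanel), the helpers below do the "evidence first, deletion later" triage the last comment asks for: they flag miner-looking command lines from a ps snapshot by the same indicators the first reply names (a stratum pool URI, the cryptonight algorithm switch), list, without deleting, the files a user owns under /tmp, and preserve what /proc still knows about a live process, including the binary itself, which stays reachable through /proc/PID/exe even after the file in wp-admin/images has been removed. The ps snapshot is constructed for the demo (the miner line is the one from the post, the other processes are made up); the function names are my own, and the script assumes a Linux host with /proc, GNU sed/find/stat, and either ss or netstat.

```shell
#!/bin/sh
# Added example, not code from the original thread. Triage helpers for a
# suspected cryptominer on a cPanel/WHM host. Nothing here deletes anything.

# Does a command line look like a mining client? Matches the indicators the
# thread points at: a stratum pool URI, or a CryptoNight algorithm switch.
is_miner_cmdline() {
    printf '%s\n' "$1" | grep -Eiq 'stratum\+(tcp|ssl)://|(^|[[:space:]])-a[[:space:]]+cryptonight'
}

# Pull the pool host:port out of "-o stratum+tcp://host:port" so it can be
# blocked at the firewall and searched for in outbound connection logs.
miner_pool() {
    printf '%s\n' "$1" | sed -n 's/.*-o *stratum+[a-z]*:\/\/\([^ ]*\).*/\1/p'
}

# Read a ps-style snapshot (PID USER COMMAND...) from stdin and print
# "PID USER POOL" for every suspicious entry. On a live host feed it with:
#   ps -eo pid,user,args --no-headers | flag_miners
flag_miners() {
    while read -r pid user cmd; do
        if is_miner_cmdline "$cmd"; then
            printf '%s %s %s\n' "$pid" "$user" "$(miner_pool "$cmd")"
        fi
    done
}

# List (never delete) regular files owned by a user under a directory.
# Run against /tmp and the account's home before anything is cleaned up.
list_user_files() {
    find "$1" -user "$2" -type f 2>/dev/null | sort
}

# Preserve what the live process can tell us before anyone kills it:
# command line, the binary it runs (copied out of /proc even if the on-disk
# file is gone), cwd, open sockets, and the owner's crontab for persistence.
preserve_process_evidence() {
    pid=$1; out=$2
    [ -d "/proc/$pid" ] || { echo "no /proc/$pid: process already gone" >&2; return 1; }
    mkdir -p "$out"
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline"; echo >> "$out/cmdline"
    readlink "/proc/$pid/exe" > "$out/exe_path" 2>/dev/null || :
    readlink "/proc/$pid/cwd" > "$out/cwd" 2>/dev/null || :
    cp "/proc/$pid/exe" "$out/exe.bin" 2>/dev/null || :
    ls -la "/proc/$pid/cwd/" > "$out/cwd_listing" 2>/dev/null || :
    { ss -tnp 2>/dev/null || netstat -tnp 2>/dev/null; } \
        | grep -E "pid=$pid,|(^|[[:space:]])$pid/" > "$out/sockets" || :
    owner=$(stat -c %U "/proc/$pid" 2>/dev/null)
    [ -n "$owner" ] && crontab -l -u "$owner" > "$out/crontab_$owner" 2>&1 || :
}

# Constructed ps snapshot for the demo: the first line is the miner from the
# post, the others are made-up benign processes.
SAMPLE_PS='28973 walisit231 /home/walisit231/public_html/wp-admin/images/QRYF -a cryptonight -o stratum+tcp://mine.sumo.example.com:5555 -u Sumoo1rDNRshoJnVgCSAvw1mk89bi3czydD9n2tg7eaKQ83biSUAcU4ZaLHSyKeYQuCcSKrVXgykaTNmZAQdwmYzc4e7qV5MGGc.d31bcbe8b363017b61db3f993be19b092b799f0d1478bd57e222b025641ab931+worker42
1042 root /usr/sbin/sshd -D
2210 mysql /usr/sbin/mysqld --basedir=/usr
3310 nobody /usr/sbin/httpd -k start'

# Demo run on the constructed snapshot.
printf '%s\n' "$SAMPLE_PS" | flag_miners
```

On the real host the sequence would be: `flag_miners` on live ps output, `preserve_process_evidence 28973 /root/ir/QRYF` while the process is still running, `list_user_files /tmp walisit231` and `list_user_files /home/walisit231 walisit231` to see what else the account dropped, and only then kill the process and remove the files. The saved `cwd_listing` and `crontab_*` are where the dropper and any restart mechanism usually show up, which is why the miner came back after the binary was deleted.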