Suspicious process running under user...
Last week a hacker injected malicious code in one of the websites in the server, in the following line:
/usr/bin/php /home/userxxx/public_html/wp-content/plugins/revslider/temp/update_extract/revslider/jember.php.
I deleted the plugin RevSlider in WordPress and installed the updated one, but I still receive 2 emails like this:
Email 1: /usr/bin/php /home/userxxx/public_html/wp-content/plugins/revslider/temp/update_extract/revslider/jember.php
Email 2: Excessive use of resources: User userxxx (32764 Process (Parent PID: 32473))
I receive these emails every 30 minutes or so.
I have checked and there are NO such files or folders in /public_html/wp-content/plugins/revslider/temp/update_extract/revslider/jember.php.
Why am I receiving these messages? How can I stop this nightmare?
Thank you so much for your help.
Regards.
Hello :) Have you reviewed the times associated with the messages to verify if they are older messages that were stored in the mail queue? Have you restarted Apache since the removal? Thank you.
Hello, all the messages have the same (Parent PID:32473). They seem to be the same messages sent in intervals of time. In case I have to restart the Apache, how must I do that? Thank you so much for your support.
You can restart Apache via Web Host Manager if you prefer to not use the command line: "WHM Home » Restart Services » HTTP Server (Apache)". Also, you may want to access your server via SSH to verify if that process is still running. EX: ps aux|grep PID
Thank you.
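The process check suggested in the reply above, expanded as an added example that is not part of the original thread: it reports whether the PID from the alert email is still alive, its parent PID, and any absolute path in its command line that no longer exists on disk, since a PHP script keeps running after its file is deleted. The `check_pid` function and its optional second argument are assumptions of this example, and it relies on the Linux `/proc` filesystem.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a PID named in an alert email.
# check_pid PID [PROC_ROOT]  -- PROC_ROOT defaults to /proc; the parameter is
# an assumption of this example so the check can run against a copied tree.
# Exit status: 0 = not running, 1 = running and argv paths exist,
#              2 = running although an absolute path in argv is gone from disk.
check_pid() (
    pid=$1
    dir="${2:-/proc}/$pid"

    if [ ! -r "$dir/cmdline" ]; then
        echo "PID $pid: not running (alert is probably stale)"
        exit 0
    fi

    # /proc/PID/cmdline holds argv separated by NUL bytes.
    args=$(tr '\000' '\n' < "$dir/cmdline")
    # PPid in /proc/PID/status is the "Parent PID" the alert reports.
    ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "$dir/status" 2>/dev/null || true)

    echo "PID $pid: RUNNING (parent PID: ${ppid:-unknown})"
    printf '%s\n' "$args" | sed 's/^/  argv: /'

    # A script deleted after launch keeps running from memory, so list
    # every absolute path in argv that no longer exists.
    missing=$(printf '%s\n' "$args" | while IFS= read -r a; do
        case $a in
            /*) [ -e "$a" ] || printf '%s\n' "$a" ;;
        esac
    done)

    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/  deleted from disk: /'
        exit 2
    fi
    exit 1
)

# Usage: sh check_pid.sh 32764
if [ "$#" -gt 0 ]; then
    check_pid "$@"
fi
```

An exit status of 2 means the alert is live rather than queued mail: the process still has to be stopped, and whatever relaunches it (the parent PID is the first place to look) still has to be found.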
Great! I have already restarted Apache. That is very kind of you. Thank you for your help. Best regards.