track unknown "Host" process eating CPU on VPS

Hi All geeks,
I have been running a 4GB SSD-cached VPS with RamNode, running VestaCP and 4-5 high-traffic WordPress sites. The server had been performing great with minimal load, until tonight, when it was suddenly suspended by RamNode, who said it had spiked the CPU.

Attached is the Screenshot

RamNode put the server back up at my request. I rebooted and checked thoroughly but couldn't find it running again, even though I had "top" running for 1 hour.

I'm the sole operator of this server, so the chance of a breach is very minimal.

Possible reasons that come into my mind:
1. I may have left a VNC session open in between
2. VestaCP daily backup (7GB+) might be causing some outage.

But RamNode said they have seen "host" on other compromised servers before, so I'm worried that some trojan is really there. Can you help me trace and resolve this?

I've changed the root password already; any other recommendations?

Thanks a ton in advance...

Comments

  • Clamscan the entire server, I would.

    ClamAV.

  • readlink /proc/16986/cwd

    Will tell you exactly where it is so you can delete it. I find it very handy for finding where people are running programs like CPU miners on our servers.
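    The readlink tip above, extended into a small triage routine for an unknown PID such as the "host" one in the screenshot. This is an added example, not code from the thread; it assumes a Linux /proc filesystem and a PID you already have from top.

```shell
# flag_path: return 0 when a path is where a dropped or already-unlinked
# binary typically lives (world-writable dirs, a web root, or a deleted file).
flag_path() {
    case "$1" in
        *"(deleted)"*|/tmp/*|/var/tmp/*|/dev/shm/*|*/public_html/*) return 0 ;;
    esac
    return 1
}

# proc_triage: print cwd, exe, parent and command line of a PID and mark
# anything flag_path considers suspicious. Returns 1 if the PID does not exist.
proc_triage() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
    # cmdline is NUL-separated; turn it into one readable line
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf 'pid=%s ppid=%s\ncwd=%s\nexe=%s\ncmdline=%s\n' \
        "$pid" "$ppid" "$cwd" "$exe" "$cmd"
    for p in "$cwd" "$exe"; do
        if flag_path "$p"; then printf 'SUSPICIOUS: %s\n' "$p"; fi
    done
    # The real /usr/bin/host is a short-lived DNS lookup tool; a long-running
    # "host" whose exe sits elsewhere is worth preserving (cp /proc/$pid/exe)
    # for later hashing before the process is killed and the file removed.
    return 0
}

# Usage: proc_triage 16986   (the PID shown in top on the compromised box)
```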

  • I've never seen a file called host running, seems a bit iffy.

  • It's possible it could be a virus. I'd double-check with ClamAV, but as a last resort I'd probably reinstall my VPS to make sure it was completely gone, then restore my sites to avoid any chance it could be anything malicious, but it's up to you. However, you could follow what SNetworks1 said; never done it personally though.

  • Check for any funny outbound or inbound traffic...

  • host is a command that translates domains / subdomains to their respective IP addresses. I don't see how it can hog the CPU, so there's definitely something fishy going on.

  • nunim Member
    edited November 2014

    It's an outgoing DDoS attack or wp-login brute-force, I'd bet on it, as I've seen it many times.

    ClamScan/maldet the entire server but since it's not a shared server, your best bet is to re-image with a different password.

  • Locate the file as @SNetworks1 says and generate an MD5 for the file and confirm it against malware databases.

    You could also strace it to see what's happening.

  • kkrajk Member
    edited November 2014

    (Edit - should be) Nothing to worry about... it is possibly Vesta trying to update via its preset cron jobs (I've had these in the past).... try removing them and it will be back alright.

  • Blanoz Member
    edited November 2014

    Make sure you have updated VestaCP AND all WordPress + plugin instances. Also, use "hosting" as a preset for each domain in your VestaCP panel (under the apache/nginx select). Check their documentation for virtual hosting.

  • Yes, updated VestaCP and everything.
    Ran ClamAV on the full server and it reported some malicious files in an old WordPress site which I recently moved onto this server.
    I went on to wp-admin; it reported some script errors alongside the update messages. Updated all core/theme/plugins... the warnings/errors went away. However, running Clam on this directory again gave me
    /home/admin/web/shamarahman.me/public_html/wp-content/themes/Divine/wp-conf.php: PHP.Shel$
    /home/admin/web/shamarahman.me/public_html/wp-includes/certificates/general.php: Php.Troj$

    I checked thoroughly and inside the WordPress folder there are some malicious code files:

    404.php             footer.php      index.php           page.php               single.php
    LOGO                functions.php   intro.php           pagenavi-css.css       style.css
    archive.php         header.php      languages           readme.txt             wp-conf.php
    changelog.txt       **hostdata10.php**  lib                 screenshot.png         wp-query.php
    comments.php        **hostdata11.php**  lndex.php           search.php
    content-after.php   images          loop-page.php       searchform.php
    content-before.php  inc.php         loop.php            sidebar-primary.php
    **datahost5.php**   includes        onecolumn-page.php  sidebar-secondary.php

    I've installed Wordfence and am giving it a thorough scan... it's showing problems on core WP files, the site is definitely compromised.

    Will keep you informed... any pointers in the right direction are truly appreciated.
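    The listing above shows the usual pattern: dropper files with names like hostdata10.php, a look-alike lndex.php next to the real index.php, and PHP inside a directory (wp-includes/certificates) that should hold no code. As an added example, not the poster's or the forum's code, this shell function walks a WordPress tree and reports those three patterns; it assumes the standard WordPress layout, and the name list is seeded only from this thread's findings.

```shell
# wp_suspects: print "<reasons><TAB><path>" for PHP files matching any of:
#   1. a name seen in this incident or a look-alike of a core file
#   2. a location that should never contain PHP
#   3. a typical obfuscated-loader call in the file body
# A triage aid only; it does not replace ClamAV/maldet or a clean reinstall.
wp_suspects() {
    root="$1"
    find "$root" -type f -name '*.php' 2>/dev/null | while read -r f; do
        base=$(basename "$f")
        dir=$(dirname "$f")
        reason=""
        # seeded from the listing in this thread; extend with your own findings
        case "$base" in
            lndex.php|index2.php|wp-conf.php|hostdata*.php|datahost*.php)
                reason="lookalike-or-dropper-name" ;;
        esac
        # data directories: uploads, language packs, bundled CA certificates
        case "$dir" in
            */wp-content/uploads*|*/wp-includes/certificates*|*/wp-content/languages*)
                reason="${reason:+$reason,}php-in-data-dir" ;;
        esac
        if grep -Eqs 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' "$f"; then
            reason="${reason:+$reason,}obfuscated-loader"
        fi
        if [ -n "$reason" ]; then printf '%s\t%s\n' "$reason" "$f"; fi
    done
    return 0
}

# Usage: wp_suspects /home/admin/web/example.com/public_html
```

    Hash anything it reports (sha256sum or md5sum) before deleting, so the file can be checked against a malware database as suggested earlier in the thread.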

  • @mehargags said:
    Yes, updated VestaCP and everything.
    Ran ClamAV on the full server and it reported some malicious files in an old WordPress site which I recently moved onto this server.
    I went on to wp-admin; it reported some script errors alongside the update messages. Updated all core/theme/plugins... the warnings/errors went away. However, running Clam on this directory again gave me
    /home/admin/web/shamarahman.me/public_html/wp-content/themes/Divine/wp-conf.php: PHP.Shel$
    /home/admin/web/shamarahman.me/public_html/wp-includes/certificates/general.php: Php.Troj$

    I checked thoroughly and inside the WordPress folder there are some malicious code files:

    404.php             footer.php      index.php           page.php               single.php
    LOGO                functions.php   intro.php           pagenavi-css.css       style.css
    archive.php         header.php      languages           readme.txt             wp-conf.php
    changelog.txt       hostdata10.php  lib                 screenshot.png         wp-query.php
    comments.php        hostdata11.php  lndex.php           search.php
    content-after.php   images          loop-page.php       searchform.php
    content-before.php  inc.php         loop.php            sidebar-primary.php
    **datahost5.php**   includes        onecolumn-page.php  sidebar-secondary.php

    I've installed Wordfence and am giving it a thorough scan... it's showing problems on core WP files, the site is definitely compromised.

    Will keep you informed... any pointers in the right direction are truly appreciated.

    Wipe and restore from backup is the best option.

  • @0xdragon said:
    Wipe and restore from backup is the best option.

    +1 or rebuild using a pages/post export and new theme if the theme is compromised.

  • I have it resolved... Keeping a watch though!

    Installed and scanned using Wordfence, it corrected some core files.
    Installed and scanned with Sucuri.
    Manually deleted some malicious files from within the WP folder.

    Scanned again with Wordfence -- CLEAN
    Scanned again with ClamAV -- CLEAN.

    We are good to go now.

    Thanks @MSPNick... after years of Linux, I learnt to use an antivirus on it :lol:
    ---- always learning!

    Above all, as an admin, learn to patiently check and resolve, not panic and go haywire! A systematic approach and "good forum mates" will always make you win.

  • Glad to see that you had it solved.

    If I were you though, I'd reinstall a fresh/clean system, set up new software and load the sites again on that setup.

    If you backup all config files, it can be quite fast to do...

    Good luck mate :)
