track unknown "Host" process eating CPU on VPS
Hi All geeks,
I have been running a 4GB SSD-cached VPS with Ramnode, with VestaCP and 4-5 high-traffic WordPress sites. The server was performing great with minimal load, until tonight, when it was suddenly suspended by Ramnode saying it spiked on the CPU.
Attached is the Screenshot
Ramnode put the server back up at my request. I rebooted and checked thoroughly but couldn't catch it running again, even though I had been running "top" for 1 hour.
I'm the sole operator of this server, so the chance of a breach is very minimal.
Possible reasons that come into my mind:
1. I may have left a VNC session open in between.
2. The VestaCP daily backup (7GB+) might be causing some outage.
But Ramnode said they have seen "host" on other compromised Servers before, so I'm worried if some trojan is really there. Can you help me trace and resolve this?
I've changed the root password already; any other recommendations?
Thanks a ton in advance...
Comments
Clamscan the entire server, I would.
ClamAV.
readlink /proc/16986/cwd
That will tell you exactly where it is so you can delete it. I find it very handy for finding where people are running programs like CPU miners on our servers.
I've never seen a file called host running, seems a bit iffy.
It's possible it could be a virus. I'd double check with ClamAV, but as a last resort I'd probably reinstall my VPS to make sure it was completely gone, then restore my sites, to avoid any chance it could be anything malicious. But it's up to you; you could follow what SNetworks1 said, though I've never done it personally.
Check for any funny outbound or inbound traffic...
host is a command that translates domains / subdomains to their respective IP addresses. I don't see how it can hog the CPU, so there's definitely something fishy going on.
It's an outgoing DDoS attack or wp-login brute-force; I'd bet on it, as I've seen it many times.
ClamScan/maldet the entire server but since it's not a shared server, your best bet is to re-image with a different password.
Locate the file as @SNetworks1 says and generate an MD5 for the file and confirm it against malware databases.
You could also strace it to see what's happening.
(Edit - should be) Nothing to worry about... it is possibly Vesta trying to update via its preset cron jobs (I've had these in the past).... Try removing them and it will be back alright.
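Putting together the readlink and hash-check suggestions above, here is an added example (not from the thread or from any poster) that collects the forensic facts about a suspect PID from /proc before it is killed, so the evidence survives even if the process deletes its own binary. It assumes Linux with /proc mounted and coreutils sha256sum; the file name triage.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: gather forensic facts about a suspect
# PID from /proc (binary path, cwd, argv, hash, parent, open sockets).
# Assumes Linux with /proc mounted and coreutils sha256sum (assumption).

# Resolved path of the running binary. A " (deleted)" suffix means the file
# was unlinked after launch, which is typical of dropped CPU miners.
proc_exe() { readlink "/proc/$1/exe" 2>/dev/null; }

# Working directory, i.e. what the thread's "readlink /proc/PID/cwd" shows.
proc_cwd() { readlink "/proc/$1/cwd" 2>/dev/null; }

# Full argv; entries are NUL-separated in /proc, so join them with spaces.
proc_cmdline() { { tr '\0' ' ' < "/proc/$1/cmdline"; } 2>/dev/null | sed 's/ $//'; }

# Parent PID from /proc/PID/status (robust to spaces in the comm name).
proc_ppid() { awk '/^PPid:/ {print $2}' "/proc/$1/status" 2>/dev/null; }

# "present", "deleted" or "unknown" (no permission / no such process).
proc_exe_state() {
  case "$(proc_exe "$1")" in
    "")            echo unknown ;;
    *" (deleted)") echo deleted ;;
    *)             echo present ;;
  esac
}
# SHA-256 of the binary read through the /proc magic link, so it works even
# when the on-disk file is gone; this is the value to check against malware
# hash databases, rather than trusting the process name.
proc_exe_sha256() { sha256sum "/proc/$1/exe" 2>/dev/null | cut -d' ' -f1; }
# Number of open socket descriptors: a "host" process holding many sockets
# for an hour fits the outbound-flood / brute-force pattern mentioned above.
proc_socket_count() { ls -l "/proc/$1/fd" 2>/dev/null | grep -c 'socket:' || true; }

# Print a one-screen summary; returns 1 when the PID does not exist.
triage_pid() {
  pid=$1
  [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
  printf 'pid:     %s\n' "$pid"
  printf 'ppid:    %s\n' "$(proc_ppid "$pid")"
  printf 'exe:     %s [%s]\n' "$(proc_exe "$pid")" "$(proc_exe_state "$pid")"
  printf 'cwd:     %s\n' "$(proc_cwd "$pid")"
  printf 'cmdline: %s\n' "$(proc_cmdline "$pid")"
  printf 'sha256:  %s\n' "$(proc_exe_sha256 "$pid")"
  printf 'sockets: %s\n' "$(proc_socket_count "$pid")"
}
# Usage: sh triage.sh <PID>   (the PID shown by top)
if [ $# -gt 0 ]; then triage_pid "$1"; fi
```

Record the output before killing the process, since the exe path, hash and cwd are what let you find the dropped file and compare its hash against a malware database.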
Make sure you have updated VestaCP AND all Wordpress+plugins instances. Also, use "hosting" as a preset for each domain in your VestaCP panel (under the apache/nginx select). Check their documentation for virtual hosting.
Yes, updated VestaCP and everything.
Ran ClamAV on the full server and it reported some malicious files in an old WordPress site which I recently moved onto this server.
I went on to wp-admin; it reported some script errors and update messages. Updated all core/theme/plugins... the warnings/errors went away. However, running Clam on this directory again gave me
/home/admin/web/shamarahman.me/public_html/wp-content/themes/Divine/wp-conf.php: PHP.Shel$
/home/admin/web/shamarahman.me/public_html/wp-includes/certificates/general.php: Php.Troj$
I checked thoroughly, and inside the WordPress folder there are some malicious code files.
I've installed Wordfence and am giving it a thorough scan... it's showing problems in core WP files; the site is definitely compromised.
Will keep you informed... any pointers in the right direction are truly appreciated.
Wipe and restore from backup is the best option.
+1, or rebuild using a pages/posts export and a new theme if the theme is compromised.
I have it resolved... Keeping a watch though!
Installed and scanned using Wordfence; it corrected some core files.
Installed and scanned with Sucuri.
Manually deleted some malicious files from within the WP folder.
Scanned again with Wordfence -- CLEAN.
Scanned again with ClamAV -- CLEAN.
We are good to go now.
Thanks @MSPNick... after years of Linux, I learnt to use an antivirus on it
---- always learning!
Above all, as an admin, learn to patiently check and resolve, not panic and go haywire! A systematic approach and "good forum mates" will always make you win.
Glad to see that you had it solved.
If I were you though, I'd reinstall a fresh/clean system, set up new software and load the sites again on that setup.
If you backup all config files, it can be quite fast to do...
Good luck mate