Hi.
I have a cPanel account that has been using 100% CPU. Htop says the command is /www/vhosts but that path does not exist. Nixstats says netns is using 100% CPU. ClamAV doesn’t help at all.
When the account is active, load goes to 200+
I’ve already deleted malicious code found manually.
Hmm. Might be a process masking the command line. Not sure if there’s a way to do this through htop, top, ps, etc. but you can get the PID (number usually shown in the first column in htop) then do ls -l /proc/1234/exe (where 1234 is the PID) and you’ll be able to see the path of the executable.
Go to the cPanel account and then go to CPU and Concurrent Connection Usage - it’ll show you snapshots of processes that are being run when the account is maxing out on CPU. This will be more accurate than what is shown on top and go down to a specific PHP file (if it’s PHP).
From there you can delete whatever it is and then go into WHM and kill the processes on the account, or have the host do it for you.
If it’s a simple html+php website, backup the website, check all files and clean what needs to be cleaned, delete cPanel account, create a new one and upload the clean backup.
In case of WordPress, download the list of plugin/theme names, screenshot all the settings, backup the post and postmeta database tables.
Again, new cPanel account, install a fresh WP installation and recreate the website.
Also make sure to find how in the hell the website was hacked to begin with…
Maybe change to a webhosting that offers Imunify360 like MightWeb, and put the website behind Cloudflare. It’s still hackable but it would throw away any newbies and most likely automated tools too.
Manually deleting files can be hard because malware authors are getting good at hiding things. You’ll want to manually inspect pretty much every file and folder (including hidden files) on the cPanel account. ClamAV rarely detects things for me, maybe try CXS scanning the single user. I think you can get a trial if you just want to screen this one account.
Check for any crons
You can use “Process Manager” in WHM to automatically kill all of that user’s processes without needing to hunt down each individual one.
If it’s a WordPress site, use Wordfence to find out-of-place files.
If it’s a WordPress site, re-extract a clean WordPress zip to overwrite all core files and restore their integrity (or any other CMS).
Like Max said, if you have Cloudlinux and are using snapshots you can sometimes find malware running through the cpu tab in cPanel: https://i.imgur.com/4PH3QdT.png
Hi all. Thanks for your answers. This is a VPS running cPanel without Cloudlinux. What could be done manually has already been done. There are multiple Drupal and WordPress sites in the account.
Somewhere there should be a hidden script. Seconds after the account is activated the whole server becomes almost unusable.
And as luck would have it, it happens when there is neither electricity nor an internet connection at home… on Sunday.
I will try your suggestions, maybe a free trial of Imunify or CXS.
If you wish and are comfortable with it (this not being any customer’s account), you can send me the files and I’ll run a scan with CXS or Imunify, per your wish.
Do you know how cPanel does this? Do they patch PHP to add extra logging? I’d like to get something similar (logging of PHP scripts that use a huge amount of CPU time) on my non-cPanel server.
PHP doesn’t spin up one process per request though - that’s prohibitively expensive if you receive a large number of concurrent requests. Most people use PHP-FPM now, which uses a pool of workers to handle requests. Not sure if cPanel uses PHP-FPM, or if it’s still using the PHP Apache module.
I wonder if it’s scraping info about which scripts are being executed by the PHP workers, and correlating the PIDs.
It’s often running from a tmp location but also often deleted after the process is started. You can try searching the account for Perl scripts though and run a scan via ClamAV.
Also, once it’s compromised, deleting files won’t do anything. You need to thoroughly clean or even rebuild the account.
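Putting together the /proc/PID/exe check from the earlier reply and the point above about binaries that run from tmp and are deleted after start, here is an added example (not from any poster in this thread) that audits one account's processes and flags those three signs. It assumes a Linux /proc filesystem and procps `pgrep`; the account name is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: flag processes whose argv[0] masks the real executable (the
# thread's non-existent /www/vhosts), whose binary was deleted after start,
# or which run from a tmp location. Assumes Linux /proc and procps pgrep.

# classify_proc EXE_TARGET ARGV0 CWD -> space-separated findings, or "ok".
# EXE_TARGET is what `readlink /proc/PID/exe` prints ("... (deleted)" if gone).
classify_proc() {
  local exe="$1" argv0="$2" cwd="$3" findings="" real
  case "$exe" in *" (deleted)") findings="${findings}deleted-exe ";; esac
  case "$exe" in /tmp/*|/var/tmp/*|/dev/shm/*) findings="${findings}tmp-exe ";; esac
  case "$cwd" in
    /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) findings="${findings}tmp-cwd ";;
  esac
  # A path-like argv[0] that does not resolve to the real binary is a masked
  # command line; interpreter symlinks (php -> php8.x) resolve equal and pass.
  case "$argv0" in
    /*)
      real=$(readlink -f -- "$argv0" 2>/dev/null) || real="$argv0"
      [ "$real" = "${exe% (deleted)}" ] || findings="${findings}masked-cmdline ";;
  esac
  findings="${findings% }"
  printf '%s\n' "${findings:-ok}"
}

# audit_user USERNAME: one line per process of that user: PID, verdict,
# real executable, and the argv[0] that top/htop would have shown.
audit_user() {
  local user="$1" pid exe argv0 cwd
  for pid in $(pgrep -u "$user"); do
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue   # exited meanwhile
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" 2>/dev/null | head -n1)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    printf '%-7s %-45s %-35s %s\n' "$pid" "$(classify_proc "$exe" "$argv0" "$cwd")" "$exe" "$argv0"
  done
}

# Usage: ./audit.sh badacct   (placeholder cPanel account name)
if [ -n "${1:-}" ]; then audit_user "$1"; fi
```

Rows marked masked-cmdline or deleted-exe are the ones to pair with WHM's Process Manager and a file-system search for the real path, since the command column alone points nowhere.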