Oualid

If I check top I have:
Code:
PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
28973 walisit+  20   0  814704  19888   4344 S 350.2  0.1   2387:25 QRYF
In WHM top process I have this:
Code:
/home/walisit231/public_html/wp-admin/images/QRYF -a cryptonight -o stratum+tcp://mine.sumo.example.com:5555 -u Sumoo1rDNRshoJnVgCSAvw1mk89bi3czydD9n2tg7eaKQ83biSUAcU4ZaLHSyKeYQuCcSKrVXgykaTNmZAQdwmYzc4e7qV5MGGc.d31bcbe8b363017b61db3f993be19b092b799f0d1478bd57e222b025641ab931+worker42
I have removed the QRYF file in "/home/walisit231/public_html/wp-admin/images/" but the problem is the same!

rpvw

The words cryptonight and a URI with the word mine in it, together with the high CPU load and the unusual call to TCP port 5555, would make me very suspicious that this WordPress site has either installed one of the many cryptocurrency mining Plugins, **OR** has been compromised and is now running (not so) hidden cryptocurrency mining scripts.

You will probably get more help from the WordPress forums, and from the following links:

Cryptocurrency Miners Exploiting WordPress Sites
Network Attacks Containing Cryptocurrency CPU Mining Tools Grow Sixfold

cPWilliamL

cP Technical Analyst II
Staff member
As @rpvw pointed out, it appears your account may be compromised and is being used to mine cryptocurrencies.

@Dryandra, when investigating compromises, we should not jump to deleting files first. Forensics should be performed first to help determine the point of compromise, then the malicious code should be removed/disabled.
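A triage check that turns the indicators rpvw lists (a stratum pool URI, the cryptonight flag, a binary living under public_html) into a repeatable step that fits cPWilliamL's advice to record evidence before deleting anything. This is an added example, not code from the thread or from cPanel; it parses `ps -eo pid,user,pcpu,args` output, and the sample rows are constructed here, modeled on the top line in the first post, with the wallet address replaced by a placeholder.

```python
import re

# Indicators taken from the thread: stratum pool URI, cryptonight flag, web-dir binary
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([^\s:/]+)(?::(\d+))?")
ALGO_RE = re.compile(r"-a\s+(cryptonight\w*)")
WEB_PATH_RE = re.compile(r"^/home/[^/\s]+/public_html/")
CPU_THRESHOLD = 90.0  # percent of one core; a miner usually pins every core

# Constructed sample of `ps -eo pid,user,pcpu,args`; <wallet> is a placeholder
SAMPLE_PS = """\
  PID USER     %CPU COMMAND
    1 root      0.0 /sbin/init
28973 walisit+ 350.2 /home/walisit231/public_html/wp-admin/images/QRYF -a cryptonight -o stratum+tcp://mine.sumo.example.com:5555 -u <wallet>+worker42
 4410 mysql    12.5 /usr/sbin/mysqld
"""


def parse_ps_line(line):
    """Split one ps row into (pid, user, cpu, args); None for the header row."""
    parts = line.split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], float(parts[2]), parts[3]


def find_miner_candidates(ps_output):
    """Return one dict per suspicious process with the evidence worth recording."""
    findings = []
    for line in ps_output.splitlines():
        row = parse_ps_line(line)
        if row is None:
            continue
        pid, user, cpu, args = row
        exe = args.split()[0]
        reasons = []
        m = STRATUM_RE.search(args)
        if m:
            reasons.append("stratum pool %s:%s" % (m.group(1), m.group(2) or "?"))
        m = ALGO_RE.search(args)
        if m:
            reasons.append("mining algorithm " + m.group(1))
        if WEB_PATH_RE.search(exe):
            reasons.append("binary under public_html")
        # CPU alone is not evidence (a busy mysqld is normal); it only adds weight
        if reasons:
            if cpu >= CPU_THRESHOLD:
                reasons.append("cpu %.1f%%" % cpu)
            findings.append({"pid": pid, "user": user, "cpu": cpu,
                             "exe": exe, "reasons": reasons})
    return findings
```

Run it against live `ps -eo pid,user,pcpu,args` output and keep the PID, owning user and executable path from each finding (together with the file's hash and the account's cron entries) before the binary is removed, so the point of compromise can still be traced.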