
CPU 100%

Discussion in 'General Discussion' started by Oualid, Jan 14, 2018.

  1. Oualid

    Oualid Active Member

    Joined:
    Nov 17, 2017
    Messages:
    38
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Algeria
    cPanel Access Level:
    Root Administrator
    If I check top I have:
    Code:
    PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
    28973 walisit+  20   0  814704  19888   4344 S 350.2  0.1   2387:25 QRYF

    In WHM top process I have this:
    Code:
    /home/walisit231/public_html/wp-admin/images/QRYF -a cryptonight -o stratum+tcp://mine.sumo.example.com:5555 -u Sumoo1rDNRshoJnVgCSAvw1mk89bi3czydD9n2tg7eaKQ83biSUAcU4ZaLHSyKeYQuCcSKrVXgykaTNmZAQdwmYzc4e7qV5MGGc.d31bcbe8b363017b61db3f993be19b092b799f0d1478bd57e222b025641ab931+worker42

    I have removed the QRYF file in "/home/walisit231/public_html/wp-admin/images/" but the problem is the same!
     
    #1 Oualid, Jan 14, 2018
    Last edited by a moderator: Jan 14, 2018
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    819
    Likes Received:
    298
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    The words cryptonight and a URI with the word mine in it, together with the high CPU load and the unusual call to TCP port 5555, would make me very suspicious that this WordPress site has either installed one of the many cryptocurrency mining Plugins, **OR** has been compromised and is now running (not so) hidden cryptocurrency mining scripts.

    You will probably get more help from the WordPress forums, and from the following links:

    Cryptocurrency Miners Exploiting WordPress Sites
    Network Attacks Containing Cryptocurrency CPU Mining Tools Grow Sixfold
     
    #2 rpvw, Jan 14, 2018
    Last edited: Jan 14, 2018
    cPWilliamL and Infopro like this.
  3. Dryandra

    Dryandra Registered

    Joined:
    Mar 19, 2017
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Check /tmp directory and remove all files owned by user walisit231.
     
  4. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    29
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    As @rpvw pointed out, it appears your account may be compromised and is being used to mine cryptocurrencies.

    @Dryandra, when investigating compromises, we should not jump to deleting files first. Forensics should be performed first to help determine the point of compromise, then the malicious code should be removed/disabled.
     
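An added triage helper for the situation in this thread (not code from any of the posters or from cPanel): it flags processes by the indicators named above (cryptonight, a stratum+tcp pool URI, very high %CPU) from `ps -eo pid,user,pcpu,args` output, and resolves what a suspect PID is really executing via /proc, which is the check that explains why deleting QRYF did not stop the running process. It assumes a Linux host with awk and readlink, and the sample lines are constructed, with the wallet replaced by a placeholder.

```shell
#!/bin/sh
# Indicators taken from the thread's top/WHM output. The bracket expression
# avoids awk escape-sequence surprises with the literal "+" in stratum+tcp.
MINER_PATTERN='cryptonight|stratum[+](tcp|ssl)://'
CPU_THRESHOLD=90

# Read `ps -eo pid,user,pcpu,args` lines (header optional) on stdin and print
# "pid user pcpu reason" for each suspect process.
flag_suspect_procs() {
    awk -v pat="$MINER_PATTERN" -v thr="$CPU_THRESHOLD" '
        NR == 1 && $1 == "PID" { next }            # skip the ps header
        {
            pid = $1; user = $2; cpu = $3
            cmd = ""; for (i = 4; i <= NF; i++) cmd = cmd (i > 4 ? " " : "") $i
            reason = ""
            if (cmd ~ pat) reason = "miner-indicator"   # pool URI / algorithm
            else if (cpu + 0 >= thr) reason = "high-cpu" # worth a second look
            if (reason != "") print pid, user, cpu, reason
        }'
}

# What a PID is actually executing. The link target ends in " (deleted)" when
# the binary was unlinked while the process kept running, which is the case
# the original poster hit after removing QRYF without killing the process.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "unknown (no /proc entry)"
}

# Files a given account left in /tmp (the check suggested in post #3); list only,
# so the evidence survives until forensics are done.
list_tmp_files_of_user() {
    find /tmp -user "$1" -ls 2>/dev/null
}

# Constructed sample in the shape of `ps -eo pid,user,pcpu,args`; the first
# line mirrors the thread's process, the wallet is a placeholder.
SAMPLE='PID USER PCPU ARGS
28973 walisit+ 350.2 /home/walisit231/public_html/wp-admin/images/QRYF -a cryptonight -o stratum+tcp://mine.sumo.example.com:5555 -u WALLET_PLACEHOLDER+worker42
1204 root 0.3 /usr/sbin/sshd -D
3311 walisit+ 95.0 /usr/bin/php /home/walisit231/public_html/index.php
4420 mysql 2.1 /usr/sbin/mysqld'

# Run the detector over the constructed sample (offline demonstration).
triage_sample() {
    printf '%s\n' "$SAMPLE" | flag_suspect_procs
}

# Live use on a server:  ps -eo pid,user,pcpu,args | flag_suspect_procs
```

Kill the flagged PID only after noting its `exe_of_pid` target and parent, since the binary on disk is not the only thing to capture.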