
Grep Commands running with CPU use of 90% - High server load

Discussion in 'Security' started by jacksoft, Feb 11, 2015.

  1. jacksoft

    jacksoft Registered

    Joined:
    Feb 11, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi

    Can somebody please provide me with a solution?

    Since yesterday, I have had a grep command running from the 3 main users and creating a high load of 200.
    Code:
    grep -r -i -l --include*.php str_rot13(pack("H\*", "667265707267"))\|str_rot13(pack("H\*", "xxxxxxxxxxxxxxxx - CC_FILTER"))\|include(getcwd().\|pathOnMyHost\|default_action .*FilesMan.*\|(isset(.*_REQUEST\[.*FILE.*\])){.*_FILE.*_REQUEST\[.*\](.*_FILE(stripslashes(.*_REQUEST\[.*HOST.*\])) .
    
    I need to know what this command is doing.
    How can I stop this command?

    I tried

    killall -KILL grep

    It comes back after a few times.
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,011
    Likes Received:
    89
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    That command looks like it's searching for common strings found in malware files. Perhaps someone is doing a DIY virus scan.
     
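To see what a command of this shape actually does, here is an added example (not from the thread or from cPanel): it rebuilds a scratch directory of constructed files and runs a subset of the posted pattern with the same flags. The point it makes is that `grep -r -i -l` only lists file names containing the markers, it does not change anything, and that `--include` needs an `=` and quotes (`--include='*.php'`) for GNU grep to restrict the search to PHP files; the post's `--include*.php` is assumed to be a copy of that. The hex string `667265707267` in the first marker decodes to `freprg`, which is `secret` after ROT13.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the scan on constructed files.
# SIG is a subset of the alternatives from the first post, written as a basic
# regular expression (parentheses are literal, \* is a literal star, \| is "or").
SIG='str_rot13(pack("H\*", "667265707267"))\|default_action .*FilesMan.*\|include(getcwd().'

make_fixture() {
    # Builds a scratch tree and prints its path. Contents are constructed:
    # one clean PHP file, two PHP files carrying a marker, and one .txt file
    # carrying a marker that --include='*.php' must skip.
    d=$(mktemp -d)
    mkdir -p "$d/site1/wp-content" "$d/site2"
    printf '<?php echo "hello"; ?>\n' > "$d/site1/index.php"
    printf '<?php $k = str_rot13(pack("H*", "667265707267")); ?>\n' > "$d/site1/wp-content/cache.php"
    printf '<?php $default_action = "FilesMan"; ?>\n' > "$d/site2/header.php"
    printf 'default_action = FilesMan\n' > "$d/site2/notes.txt"
    printf '%s\n' "$d"
}

scan_tree() {
    # Prints the matching file names relative to the tree, sorted, one per line.
    # -r recurse, -i ignore case, -l names only. --include is spelled with '='
    # and quoted so the shell does not expand the glob before grep sees it.
    tree=$1
    (cd "$tree" && grep -r -i -l --include='*.php' -e "$SIG" . | sort)
}

count_matches() {
    # Number of files the scan would list for the given tree.
    scan_tree "$1" | wc -l | tr -d ' '
}

# Usage: run the scan on the fixture and show what the command reports.
if [ "${1:-}" = "demo" ]; then
    t=$(make_fixture)
    scan_tree "$t"          # lists ./site1/wp-content/cache.php and ./site2/header.php
    rm -rf "$t"
fi
```

Because the scan reads every file under the tree and runs a long alternation against each line, CPU use scales with the number and size of files, which is why a whole-account run shows up as load rather than as damage.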
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,167
    Likes Received:
    1,933
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    Does anyone else have root access to your server? If so, you could try using the "w" command to verify if they are actively running the grep command.

    Thank you.
     
  4. jacksoft

    jacksoft Registered

    Joined:
    Feb 11, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    When I type w, it shows only my IP.

    Also, today on one of the users where we host 10 domains, we found many PHP files in many directories with malicious code. I can attach the code; the files search for header.php and main.tpl in all sites and insert iframe code.

    Other files are of a different malicious nature.

    I am most worried about the grep command.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,167
    Likes Received:
    1,933
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    It seems like your system may have been hacked. It's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your websites, or to verify if that actually happened. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked:

    Log Files To Check After Account Hacked

    Thank you.
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,011
    Likes Received:
    89
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    The grep command itself can only look for files with that code; most likely a person or plugin was investigating their hacked site and using that command to locate malicious files. It is normal for grep commands to use a lot of CPU especially if the regex is poor or if a ton of files are being "grepped."

    Knowing what UID / user was running the command would help a lot more, perhaps run "ps faux" and see what UID is running it or if there's a parent process it's forked off of.
     
    #6 quizknows, Feb 13, 2015
    Last edited: Feb 13, 2015
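The advice in the last two replies (check `w` for logged-in users, run `ps faux` to see the UID and parent of the grep) comes down to attributing a live process to an account and to whatever started it. The added example below (not from the thread or from cPanel) does that attribution in a script: it reads `/proc` on Linux, falls back to `ps` elsewhere, and walks the parent chain so a grep launched by a cron job, a panel plugin or an interactive shell shows up with its ancestry. The function names and the `demo` argument are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: attribute a process to its user and parents.

proc_info() {
    # Prints "PID PPID USER COMMAND" for one pid, or nothing if it no longer exists.
    pid=$1
    if [ -r "/proc/$pid/status" ]; then
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")          # real uid
        user=$(awk -F: -v u="$uid" '$3 == u {print $1; exit}' /etc/passwd 2>/dev/null)
        [ -n "$user" ] || user="uid=$uid"
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)      # full argv
        [ -n "$cmd" ] || cmd=$(awk '/^Name:/ {print $2}' "/proc/$pid/status")
        printf '%s %s %s %s\n' "$pid" "$ppid" "$user" "$cmd"
    else
        # Non-Linux fallback: same four columns from ps, whitespace squeezed.
        ps -o pid= -o ppid= -o user= -o args= -p "$pid" 2>/dev/null | awk '{$1=$1; print}'
    fi
}

ancestry() {
    # Walks from the given pid up to init, one "PID PPID USER COMMAND" line per hop.
    # The second line answers "what parent process is it forked off of".
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        line=$(proc_info "$pid")
        [ -n "$line" ] || break
        printf '%s\n' "$line"
        pid=$(printf '%s\n' "$line" | awk '{print $2}')
    done
}

list_by_name() {
    # Prints the ancestry of every live process whose name is $1 (e.g. grep).
    # Linux only, since it enumerates /proc; prints nothing when none is running.
    name=$1
    for s in /proc/[0-9]*/status; do
        [ -r "$s" ] || continue
        p=${s#/proc/}; p=${p%/status}
        comm=$(awk '/^Name:/ {print $2}' "$s" 2>/dev/null) || continue
        if [ "$comm" = "$name" ]; then
            printf '== %s\n' "$p"
            ancestry "$p"
        fi
    done
}

# Usage: "sh attribute.sh demo" shows this shell's own chain; "sh attribute.sh grep"
# shows the chain of every running grep.
case "${1:-}" in
    demo) ancestry "$$" ;;
    "")   ;;
    *)    list_by_name "$1" ;;
esac
```

Read the output bottom-up: the user on the grep's own line is the account to inspect, and the first ancestor that is not a shell (a cron daemon, a panel process, an sshd session) is what keeps relaunching it after `killall`.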