Grep Commands running with CPU use of 90% - High server load

jacksoft

Registered
Feb 11, 2015
2
0
1
cPanel Access Level
Root Administrator
Hi

Can please somebody provide me any solution

From yesterday, i have grep command running from main 3 users and using creating high load of 200
Code:
grep -r -i -l --include*.php str_rot13(pack("H\*", "667265707267"))\|str_rot13(pack("H\*", "xxxxxxxxxxxxxxxx - CC_FILTER"))\|include(getcwd().\|pathOnMyHost\|default_action .*FilesMan.*\|(isset(.*_REQUEST\[.*FILE.*\])){.*_FILE.*_REQUEST\[.*\](.*_FILE(stripslashes(.*_REQUEST\[.*HOST.*\])) .
I need to know what this command is doing
how can i stop this command

i tried

kilall -KILL grep

it comes back after few times
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello :)

Does anyone else have root access to your server? If so, you could try using the "w" command to verify if they are actively running the grep command.

Thank you.
 

jacksoft

Registered
Feb 11, 2015
2
0
1
cPanel Access Level
Root Administrator
Hello :)

Does anyone else have root access to your server? If so, you could try using the "w" command to verify if they are actively running the grep command.

Thank you.
When i type w, it shows only my IP

Also todday one one of user where we host 10 domains, we found many php files in many directories with malciuous code, i can attach code, the files search header.php and main.tpl in all sites and insert iframe code

Other files are of other malicious nature

I am most worried about grep command
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
It seems like your system may have been hacked. It's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your websites, or to verify if that actually happened. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked:

Log Files To Check After Account Hacked

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
The grep command itself can only look for files with that code; most likely a person or plugin was investigating their hacked site and using that command to locate malicious files. It is normal for grep commands to use a lot of CPU especially if the regex is poor or if a ton of files are being "grepped."

Knowing what UID / user was running the command would help a lot more, perhaps run "ps faux" and see what UID is running it or if there's a parent process it's forked off of.
 
Last edited: