Grep Commands running with CPU use of 90% - High server load

[jacksoft]

Hi

Can please somebody provide me any solution

From yesterday, i have grep command running from main 3 users and using creating high load of 200

grep -r -i -l --include*.php str_rot13(pack("H\*", "667265707267"))\|str_rot13(pack("H\*", "xxxxxxxxxxxxxxxx - CC_FILTER"))\|include(getcwd().\|pathOnMyHost\|default_action .*FilesMan.*\|(isset(.*_REQUEST\[.*FILE.*\])){.*_FILE.*_REQUEST\[.*\](.*_FILE(stripslashes(.*_REQUEST\[.*HOST.*\])) .

I need to know what this command is doing
how can i stop this command

i tried

kilall -KILL grep

it comes back after few times

 

[quizknows]

That command looks like it's searching for common strings found in malware files. Perhaps someone is doing a DIY virus scan.

 

[cPanelMichael]

Hello

Does anyone else have root access to your server? If so, you could try using the "w" command to verify if they are actively running the grep command.

Thank you.

 

[jacksoft]

Hello

Does anyone else have root access to your server? If so, you could try using the "w" command to verify if they are actively running the grep command.

Thank you.

When i type w, it shows only my IP

Also todday one one of user where we host 10 domains, we found many php files in many directories with malciuous code, i can attach code, the files search header.php and main.tpl in all sites and insert iframe code

Other files are of other malicious nature

I am most worried about grep command

 

[cPanelMichael]

It seems like your system may have been hacked. It's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your websites, or to verify if that actually happened. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked:

Log Files To Check After Account Hacked

Thank you.

 

[quizknows]

The grep command itself can only look for files with that code; most likely a person or plugin was investigating their hacked site and using that command to locate malicious files. It is normal for grep commands to use a lot of CPU especially if the regex is poor or if a ton of files are being "grepped."

Knowing what UID / user was running the command would help a lot more, perhaps run "ps faux" and see what UID is running it or if there's a parent process it's forked off of.