The Community Forums


Grep Commands running with CPU use of 90% - High server load

Discussion in 'Security' started by jacksoft, Feb 11, 2015.

  1. jacksoft

    jacksoft Registered

    Joined:
    Feb 11, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi

    Can somebody please provide me with a solution?

    Since yesterday, I have had a grep command running from the main 3 users and creating a high load of 200.
    Code:
    grep -r -i -l --include='*.php' 'str_rot13(pack("H*", "667265707267"))\|str_rot13(pack("H*", "xxxxxxxxxxxxxxxx - CC_FILTER"))\|include(getcwd().\|pathOnMyHost\|default_action .*FilesMan.*\|(isset(.*_REQUEST\[.*FILE.*\])){.*_FILE.*_REQUEST\[.*\](.*_FILE(stripslashes(.*_REQUEST\[.*HOST.*\]))' .
    
    I need to know what this command is doing
    and how I can stop this command.

    I tried

    killall -KILL grep

    but it comes back again after a while.
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    That command looks like it's searching for common strings found in malware files. Perhaps someone is doing a DIY virus scan.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Does anyone else have root access to your server? If so, you could try using the "w" command to verify if they are actively running the grep command.

    Thank you.
     
  4. jacksoft

    jacksoft Registered

    Joined:
    Feb 11, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    When I type w, it shows only my IP.

    Also, today on one of the users where we host 10 domains, we found many PHP files in many directories with malicious code. I can attach the code; the files search for header.php and main.tpl in all sites and insert iframe code.

    The other files are of a different malicious nature.

    I am most worried about the grep command.
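One way to locate the modified header.php and main.tpl copies that jacksoft describes, as an added example that is not code from the thread or from cPanel: walk a document root with find, keep only the two template file names named in the post, and report the files (and the exact lines) that now contain an iframe tag. The directory argument, the temporary sample files in the usage, and the example.invalid hostnames are assumptions constructed for the demonstration.

```shell
# Added example, not from the thread: list every header.php / main.tpl under a
# document root that contains an <iframe> tag (case-insensitive), then show the
# offending line(s) so the injected markup can be reviewed without rendering it.
# Usage: sh find_iframes.sh /home/user1/public_html   (path is an assumption)

# find_iframe_injections DIR: print the path of each matching file, sorted.
# Only the two template names from the post are inspected; other files are skipped.
find_iframe_injections() {
    find "$1" -type f \( -name header.php -o -name main.tpl \) \
        -exec grep -l -i '<iframe' {} + 2>/dev/null | sort
}

# show_injected_lines DIR: for each hit print "path:lineno:line", which makes it
# easy to diff the injected line against a known-clean copy of the template.
show_injected_lines() {
    find_iframe_injections "$1" | while IFS= read -r f; do
        grep -n -i '<iframe' "$f" | sed "s|^|$f:|"
    done
}

if [ $# -gt 0 ]; then
    show_injected_lines "$1"
fi
```

Run it against each account's document root; any header.php or main.tpl it lists should be compared with the CMS's original file, and the file's mtime gives a starting point for the log review cPanelMichael recommends.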
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    It seems like your system may have been hacked. It's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your websites, or to verify if that actually happened. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked:

    Log Files To Check After Account Hacked

    Thank you.
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The grep command itself can only look for files with that code; most likely a person or plugin was investigating their hacked site and using that command to locate malicious files. It is normal for grep commands to use a lot of CPU especially if the regex is poor or if a ton of files are being "grepped."

    Knowing what UID / user was running the command would help a lot more, perhaps run "ps faux" and see what UID is running it or if there's a parent process it's forked off of.
     
    #6 quizknows, Feb 13, 2015
    Last edited: Feb 13, 2015
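The parent-process check quizknows describes (ps faux, then look at the UID and the process it forked from) can be scripted so the answer is one line per grep. This is an added example, not code from the thread or from cPanel: it parses ps output and prints, for every running grep, its owner and the chain of ancestors back to PID 1, which is what tells you whether the command comes from cron, an SSH login, or a web-server worker. The sample process table, its PIDs, user names and paths are constructed for the demonstration, and the live mode assumes a procps-style ps that accepts -eo pid,ppid,user,comm,args.

```shell
# Added example, not from the thread: parse `ps -eo pid,ppid,user,comm,args`
# output and, for every running grep, print the owning user and the full parent
# chain back to PID 1. Seeing crond, sshd or an httpd/php worker as the ancestor
# tells you whether the grep is a cron job, an interactive login, or something
# spawned by a web application.
# Usage: sh grep_owners.sh        -> runs against the constructed sample below
#        sh grep_owners.sh live   -> runs against the real process table

# Constructed sample of `ps -eo pid,ppid,user,comm,args` output (header stripped).
# PIDs, users and paths are made up for the demonstration.
SAMPLE_PS='1 0 root init /sbin/init
820 1 root crond /usr/sbin/crond
1450 820 user1 sh /bin/sh -c /home/user1/scan.sh
1451 1450 user1 grep grep -r -i -l --include=*.php pattern /home/user1
2200 1 root sshd /usr/sbin/sshd
2310 2200 admin bash -bash
2320 2310 admin grep grep -r foo /var/www'

# grep_owners PSDATA: for each process whose command name is "grep", print
#   <pid> <user> <ancestor chain from PID 1 down to the grep itself>
grep_owners() {
    printf '%s\n' "$1" | awk '
        NF >= 4 { ppid[$1] = $2; user[$1] = $3; comm[$1] = $4 }
        END {
            for (p in comm) {
                if (comm[p] != "grep") continue
                chain = ""; q = p
                # walk up the parent links until we run out of known PIDs
                while (q in comm) {
                    chain = comm[q] "(" user[q] ")" (chain == "" ? "" : " <- " chain)
                    q = ppid[q]
                }
                print p, user[p], chain
            }
        }' | sort -n
}

if [ "$1" = "live" ]; then
    # assumes a procps/GNU-style ps; `tail -n +2` drops the header line
    grep_owners "$(ps -eo pid,ppid,user,comm,args | tail -n +2)"
else
    grep_owners "$SAMPLE_PS"
fi
```

In the sample, PID 1451 resolves to init(root) <- crond(root) <- sh(user1) <- grep(user1), i.e. a cron job under user1, while PID 2320 traces back through sshd and an interactive bash, i.e. a logged-in admin; a chain through httpd or php-fpm would instead point at a script in a web account. Once the owning user is known, that user's crontab, shell history and access logs are where the investigation continues.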