Suspicious process running under user...

Discussion in 'Security' started by Israel_Paya, Sep 18, 2015.

  1. Israel_Paya

    Israel_Paya Active Member

    Joined:
    Sep 18, 2015
    Messages:
    32
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Last week a hacker injected malicious code in one of the websites in the server, in the following line:
    /usr/bin/php /home/userxxx/public_html/wp-content/plugins/revslider/temp/update_extract/revslider/jember.php.

    I deleted the plugin RevSlider in WordPress and installed the updated one, but I still receive 2 emails like this:
    Email 1: /usr/bin/php /home/userxxx/public_html/wp-content/plugins/revslider/temp/update_extract/revslider/jember.php
    Email 2: Excessive use of resources: User userxxx (32764 Process (Parent PID: 32473))

    I receive these emails every 30 minutes or so.

    I have checked and there are NO such files or folders in /public_html/wp-content/plugins/revslider/temp/update_extract/revslider/jember.php.

    Why am I receiving these messages? How can I stop this nightmare?

    Thank you so much for your help.

    Regards.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you reviewed the times associated with the messages to verify if they are older messages that were stored in the mail queue? Have you restarted Apache since the removal?

    Thank you.
     
  3. Israel_Paya

    Hello,

    All the messages have the same (Parent PID:32473). They seem to be the same messages sent in intervals of time.
    In case I have to restart the Apache, how must I do that?
    Thank you so much for your support.
     
  4. cPanelMichael

    You can restart Apache via Web Host Manager if you prefer to not use the command line:

    "WHM Home » Restart Services » HTTP Server (Apache)"

    Also, you may want to access your server via SSH to verify if that process is still running. EX:

    Code:
    ps aux|grep PID
    Thank you.
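
The check suggested above, extended into a small triage script. This is an added example, not part of the original posts: it parses an alert line in the format quoted in the first post, then reports whether the PID and parent PID are still alive and whether the files named on their command lines still exist on disk (a process keeps running after its script is deleted). The function names are hypothetical, and treating the first number in the alert as the process ID is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Sample alert constructed from the first post.
SAMPLE_ALERT='Excessive use of resources: User userxxx (32764 Process (Parent PID: 32473))'

# Print "user pid parent_pid" from an alert line; prints nothing if the format differs.
# Assumption: the first number in the alert is the offending PID.
parse_alert() {
  printf '%s\n' "$1" | sed -n \
    's/.*User \([^ ]*\) (\([0-9][0-9]*\) Process (Parent PID: *\([0-9][0-9]*\))).*/\1 \2 \3/p'
}

# Print "running" or "gone" for a PID (checks /proc first, falls back to ps).
pid_state() {
  if [ -d "/proc/$1" ] || ps -p "$1" >/dev/null 2>&1; then
    echo running
  else
    echo gone
  fi
}

# Show owner, start time and command line of a PID, then flag every absolute
# path on its command line that no longer exists on disk.
describe_pid() {
  local pid=$1 arg
  if [ "$(pid_state "$pid")" = gone ]; then
    echo "PID $pid: not running (stale alert or the process has exited)"
    return 0
  fi
  echo "PID $pid: running"
  ps -o user=,lstart=,args= -p "$pid" 2>/dev/null || true
  [ -r "/proc/$pid/cmdline" ] || return 0
  tr '\0' '\n' < "/proc/$pid/cmdline" | while IFS= read -r arg; do
    case $arg in
      /*) [ -e "$arg" ] && echo "  on disk: $arg" || echo "  MISSING on disk: $arg" ;;
    esac
  done
}

# Parse one alert line and describe both the process and its parent.
inspect_alert() {
  local user pid ppid
  read -r user pid ppid <<EOF
$(parse_alert "$1")
EOF
  [ -n "$pid" ] || { echo "unrecognised alert format" >&2; return 1; }
  echo "user=$user"
  describe_pid "$pid"; describe_pid "$ppid"
}

inspect_alert "$SAMPLE_ALERT"
```

Run it as root over SSH so that processes owned by other users are readable; a "MISSING on disk" line for a running PID means the process outlived the file it was started from.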
     
  5. Israel_Paya

    Great! I have already restarted Apache.
    That is very kind of you. Thank you for your help.
    Best regards.
     