Knowledgebase

High CPU consumption

Posted by QuickCloudDeploy, 03-22-2015, 09:44 PM
grep -r -i -l --include=*.php str_rot13(pack("H\*", "667265707267"))\|str_rot13(pack("H\*", "6775766676667667"))\|include(getcwd().\|pathOnMyHost\|default_action = .*FilesMan.*\|(isset(.*_REQUEST\[.*FILE.*\])){.*_F 26513 admin 20 0 6884 1252 680 D 9.0 0.0 0:02.73 Does anyone knows what this could be? is consuming a lot of cpu and never seen that before
Posted by david_was_here, 03-23-2015, 08:52 AM
Something that is trying to use a rot13 cipher. Although I am not sure what it is doing. If you didn't put it there I would kill it and 000 it. If it belongs to say, one of your customers accounts, ask them what it does and after they let you know you can decide from there.
Posted by QuickCloudDeploy, 03-24-2015, 12:44 AM
I don't do hosting business anymore. Anyways i have a server and this is consuming too much CPU to the point of crashing it, how can i find what file or process is causing that to happen? i run wordpress with around 3k to 4k peoples at almost every moment i know server runs over 10k smoothly this started 2 days ago, i also monitor the server very often without ever seen that process. I suspect that I've been hacked maybe? Server: Centos 6 with vestacp Last edited by QuickCloudDeploy; 03-24-2015 at 12:54 AM.
Posted by nisamudeen97, 03-24-2015, 07:24 AM
Hi, This grep script can induce high load in the server as its arguments are too much lengthy.
Posted by NetHosted-Darryl, 03-24-2015, 07:36 AM
This looks like it's a security scanner script to search PHP files for exploits. FilesMan is a common PHP shell used by hackers to find out server info, upload files and generally attempt to exploit servers. str_rot13 is a method used to try and obfuscate PHP code too, this may well be something your host has automated to scan the server for exploits if you're not aware of what it is, I'd try contacting your support to ask them about this.


Was this answer helpful?

Add to Favourites Add to Favourites

Print this Article Print this Article
Also Read
Feedback about ReliableServers Support (Views: 665)
turnkeyresellers.com Really BAD! (Views: 563)
BurstNET - Router Reboot (Views: 698)
Need reseller/resold account with properly configured reverse DNS and PTR records (Views: 606)
awknet? (Views: 751)


Language:

Client Menu

 

Client Login

Email

Password

Remember Me

Search



  
 

Clients

Hosting

VPS Hosting

About Us

Contact Us

Copyright © 2015 DC International LLC in partnership with Bragin IT Solutions Inc. - All Rights Reserved.