
Over the weekend one of the virtual servers that I host was compromised and since then I've had all sorts of problems popping up.

The latest one is Apache taking 100% CPU usage as soon as it's started and staying like that until it is killed off.

ps aux returns:

http://pastebin.com/kzcPmq4g

strace on the process returns this, spamming very, very quickly, over and over again:

select(8, [3], NULL, NULL, {0, 0}) = 0 (Timeout)

access_log on the site returns:

http://pastie.org/6112068

It looks like a WordPress cron is being accessed very quickly from a remote IP.

JamieB
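The symptom in the question (one remote address hitting wp-cron.php in a tight loop) is easy to confirm from the access log without opening it in an editor. The following is an added example for this thread, not code from the poster or from WordPress: it parses Apache combined-format lines and reports any client that reaches wp-cron.php more than a threshold number of times inside a sliding window. The log lines it runs on are constructed here, since the real log was only linked from the question; the addresses, timestamps and threshold are assumptions.

```python
"""Flag remote IPs hammering wp-cron.php in an Apache combined access log.

Added example for this thread, not code from the original post. The log
lines built below are constructed; the question only linked to its log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %t looks like 10/Feb/2013:20:15:01 +0000
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string (wp-cron.php is called as ?doing_wp_cron=...)
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def wp_cron_floods(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: max hits to wp-cron.php inside any `window`} for IPs at or over threshold.

    A normal install only triggers wp-cron.php from its own page views, or from
    a real cron job every few minutes, so dozens of hits per minute from a
    single remote address is the pattern described in the question.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].endswith("/wp-cron.php"):
            hits[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def constructed_log():
    """Build a small constructed log: one flooding client, one ordinary visitor."""
    base = datetime(2013, 2, 10, 20, 15, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for i in range(30):                           # 30 hits in under 10 seconds
        t = (base + timedelta(milliseconds=300 * i)).strftime(fmt)
        lines.append(
            f'203.0.113.5 - - [{t}] "POST /wp-cron.php?doing_wp_cron=1360527301.1 HTTP/1.0" '
            f'200 - "-" "WordPress/3.5.1"'
        )
    t = base.strftime(fmt)
    lines.append(f'198.51.100.7 - - [{t}] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.7 - - [{t}] "POST /wp-cron.php?doing_wp_cron=1 HTTP/1.1" 200 - "-" "WordPress/3.5.1"')
    lines.append("not a log line at all")         # parse_line() returns None for this
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for ip, n in wp_cron_floods(SAMPLE_LOG).items():
        print(f"{ip}: {n} hits to wp-cron.php inside 60s")
```

Run it against the real file with `wp_cron_floods(open("/var/log/apache2/access_log"))` and the output is the list of addresses to block at the firewall while the rebuild is done; blocking them is a stopgap, not a fix, because the scripts that let the attacker in are still on disk.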

1 Answer


If your system was hacked, don't try to troubleshoot this problem. You gotta do a full reinstall. Unless you are really skilled in this field, you'll never know if your system still has any rootkits installed that will continue to cause problems. The only sure way is to nuke your whole system and reinstall.

Mxx
  • The problem is, if it is only limited to some dodgy PHP scripts (which it's looking like it is), then when I reformat the machine and copy over the sites again it'll just start back up. – JamieB Feb 10 '13 at 20:57
  • Because you don't know what those dodgy php scripts did. – EEAA Feb 10 '13 at 21:09
  • @JamieB: The process is as follows: 1) Shut down the machine. 2) Fix the scripts. 3) Reinstall. 4) If the machine gets compromised, repeat. – David Schwartz Feb 10 '13 at 21:10
  • Thanks David, the problem is finding the scripts that are compromised, I have no place to start. – JamieB Feb 10 '13 at 21:13
  • @JamieB compare with/restore from your backups/version control system. – Mxx Feb 10 '13 at 21:13
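The last comment is the practical answer to "I have no place to start": hash every file in the deployed site and compare it against a copy you trust (a pre-compromise backup, a version-control checkout, or a fresh upstream download of the same WordPress, theme and plugin versions). What follows is an added example for this thread, not code from the poster, the answerer or WordPress. It reports added, removed and modified files between the two trees, and separately lists PHP files under wp-content/uploads, a directory that should only ever hold media. The two directory trees it compares are constructed in a temporary directory; the file names and contents are assumptions for illustration.

```python
"""Compare a deployed WordPress tree against a known-clean copy.

Added example for this thread (not the poster's or the answerer's code). It
implements the comment's suggestion to diff the site against a backup or
version-control checkout. The directory contents are constructed.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every regular file under root (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(clean_root, deployed_root):
    """Return {'added', 'removed', 'modified'} file lists relative to the clean copy.

    'added' is the first list to read after a compromise: dropped files (web
    shells, spam pages) are more common than edits to shipped files, but the
    'modified' list catches the include lines that load them.
    """
    clean, deployed = hash_tree(clean_root), hash_tree(deployed_root)
    both = set(clean) & set(deployed)
    return {
        "added": sorted(set(deployed) - set(clean)),
        "removed": sorted(set(clean) - set(deployed)),
        "modified": sorted(p for p in both if clean[p] != deployed[p]),
    }


def php_under_uploads(root):
    """PHP files under wp-content/uploads, where WordPress only stores media."""
    return sorted(
        p for p in hash_tree(root)
        if p.startswith("wp-content/uploads/") and p.endswith(".php")
    )


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def build_constructed_site():
    """Create a clean copy and a tampered deployed copy; return (clean, deployed) paths.

    Constructed for this example: the 'deployed' tree gets an extra include
    appended to a theme file and a new PHP file in the uploads directory.
    """
    base = tempfile.mkdtemp(prefix="wp-compare-")
    clean, deployed = os.path.join(base, "clean"), os.path.join(base, "deployed")
    for root in (clean, deployed):
        _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-cron.php", "<?php // scheduled tasks\n")
        _write(root, "wp-content/themes/twentytwelve/footer.php", "<?php wp_footer(); ?>\n")
        _write(root, "wp-content/uploads/2013/02/photo.jpg", "not really a jpeg\n")
    _write(deployed, "wp-content/themes/twentytwelve/footer.php",
           "<?php wp_footer(); ?>\n<?php include 'wp-content/uploads/.cache.php'; ?>\n")
    _write(deployed, "wp-content/uploads/.cache.php", "<?php /* constructed placeholder */ ?>\n")
    return clean, deployed


if __name__ == "__main__":
    clean_dir, deployed_dir = build_constructed_site()
    for kind, paths in diff_trees(clean_dir, deployed_dir).items():
        print(kind, paths)
    print("php in uploads:", php_under_uploads(deployed_dir))
```

On a real box, point `diff_trees` at the backup and at the live document root, and treat anything in `added` or `modified` as evidence, not as something to clean in place: the answer's point stands that the list tells you which sites were touched, while the rebuild is still what gets you a trustworthy host.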