
Here are a few unknown commands eating up all the CPU resources on Amazon EC2. This has been going on for 10 hours.

Command names are unrecognizable and read as phpxxxxx_xxxx.

Can anyone guess what is going on here? How do I stop it?

```
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+/COMMAND
 8324 www-data  20   0  264752   7272   2096 S 132.9  0.1 679:22.71 phpyftZby_4rgbs
 7648 www-data  20   0  264752   7060   1880 S 131.6  0.1 690:58.78 php2gdaOj_fskko
 7660 www-data  20   0  264752   7292   2120 S 127.2  0.1 690:40.65 phpwRGE90_y7hbe
```
Shoaib Nawaz
  • Looks like it was started by your web server. I wonder if your server has been compromised. You can [kill any process](https://www.linux.com/learn/intro-to-linux/2017/5/how-kill-process-command-line), e.g. `kill -9 8324` – Tim Sep 21 '17 at 05:18
  • Check your web server's access logs for strange entries at the time the processes started. Something along the lines of `(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(32)%252echr(119)%252echr[...]` or something. Maybe you got exploited. – Lenniey Sep 21 '17 at 06:54
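
The access-log check suggested in the comment above, as an added example that is not part of the original thread: it undoes the nested URL-encoding (`%252e` is a double-encoded `.`), finds chains of `chr(N)` calls in requests logged near the time a process started, and decodes them to readable text. It assumes the combined log format; the sample lines, the parameter name `x` and the process start time are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Combined log format: client ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d{3} ')
CHR_RE = re.compile(r'chr\((\d{1,3})\)', re.I)
# Three or more chr(N) calls joined with PHP's "." concatenation operator
CHAIN_RE = re.compile(r'(?:chr\(\d{1,3}\)\s*\.\s*){2,}chr\(\d{1,3}\)', re.I)

def fully_unquote(text, max_rounds=5):
    """Undo nested URL-encoding (%252e -> %2e -> .) until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_requests(lines, proc_start, window=timedelta(minutes=30)):
    """Return (time, client, decoded_text) for chr() chains logged near proc_start."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, stamp, request = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if abs(when - proc_start) > window:
            continue
        for chain in CHAIN_RE.findall(fully_unquote(request)):
            text = "".join(chr(int(n)) for n in CHR_RE.findall(chain))
            hits.append((when, client, text))
    return hits

# Constructed sample lines, not taken from the asker's server. Addresses are
# documentation ranges; the parameter name "x" is hypothetical.
SAMPLE_LOG = [
    '203.0.113.9 - - [19/Sep/2017:03:00:00 +0000] "GET /index.php?x=chr(100)%252echr(32)%252echr(47) HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [20/Sep/2017:18:40:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Sep/2017:18:52:10 +0000] "GET /index.php?x=chr(100)%252echr(32)%252echr(47)'
    '%252echr(116)%252echr(109)%252echr(112) HTTP/1.1" 200 312 "-" "-"',
]
# Assumed start time of one runaway process (e.g. from `ps -o lstart= -p 8324`)
PROC_START = datetime(2017, 9, 20, 19, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when, client, text in suspicious_requests(SAMPLE_LOG, PROC_START):
        print(when.isoformat(), client, repr(text))
```

The client address and timestamp of each hit give a starting point for scoping what else that client requested before the processes are killed and the host is rebuilt or cleaned.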

0 Answers