My server monitoring chart is showing persistently high CPU usage.

It's an Ubuntu 64-bit server with a LAMP setup.

Running htop reveals the following:

[htop screenshot]

The command `muhsti` is showing >99% CPU usage and is apparently run by the `www-data` user.

The problem is that I have no idea what this command is, so I'm kind of reluctant to just terminate it without knowing its relevance.

A cursory google search hasn't provided any relevant info.

Anyone familiar with what this is?

  • It's not a real command, to my knowledge. This looks like [cryptominer malware](https://www.google.com/amp/s/xorl.wordpress.com/2017/12/21/the-tiny-xml-mooner-linux-cryptominer-malware/amp/). Your system has almost certainly been compromised. See [How do I deal with a compromised server?](https://serverfault.com/q/218005/153161) – Michael - sqlbot Jan 05 '18 at 01:24
  • You were indeed right! The attack vector was a WordPress plugin, muhstikx86. I was just practicing using WordPress. I have since deleted it, killed the processes and wiped the cronjobs it created to perpetuate itself. CPU usage is not under 10%. Thanks for the heads up. Cheers. – Ayo Makanjuola Jan 05 '18 at 04:50
  • *"deleted it ... wiped the cron jobs..."* Next, destroy the server. At the admitted risk of sounding overly dramatic, think of a compromised machine as a house that may or may not have had one or more fixtures or pieces of furniture coated with a colorless, odorless, tasteless toxin that kills the victim swiftly but only after a potentially lengthy but highly random period of undetectable exposure. Maybe you cleaned it all, maybe you didn't. It is nearly impossible to be certain. – Michael - sqlbot Jan 05 '18 at 13:08
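A read-only triage pass for the situation in the question, added here as an example and not part of the original thread: it finds processes by the short name htop shows, reports where each binary lives and under which uid, and flags cron entries of the fetch-and-run or run-from-/tmp kind that the asker had to clean up. It assumes a Linux `/proc`; the process name is an argument and the cron locations are the standard Debian/Ubuntu ones, neither taken from the post.

```shell
#!/bin/sh
# Triage an unfamiliar high-CPU process (like "muhsti" above) before killing it.
# Added example, not from the original post. Assumes Linux /proc. Read-only:
# it reports, it never kills a process or deletes a file.

# List PIDs whose short name (/proc/PID/comm, what htop shows) equals $1.
pids_named() {
    for d in /proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        read -r c < "$d/comm" 2>/dev/null || continue
        [ "$c" = "$1" ] && echo "${d#/proc/}"
    done
}

# Return 0 when a binary is somewhere a web-server user's program should not
# live (world-writable dirs, the web root) or has been unlinked while running.
is_suspicious_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*|/var/www/*|*"(deleted)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Show where a PID's binary lives, what it was started with, its uid and parent.
proc_info() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unreadable)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo unreadable)
    cmd=$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    printf 'pid=%s uid=%s ppid=%s\n  exe=%s\n  cwd=%s\n  cmd=%s\n' \
        "$pid" "$uid" "$ppid" "$exe" "$cwd" "$cmd"
    if is_suspicious_path "$exe"; then echo "  WARNING: suspicious binary location"; fi
}

# Print cron lines (stdin) that pipe a download into a shell, run from temp
# dirs or decode base64: the persistence the commenter had to wipe.
flag_cron_lines() {
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|/tmp/|/dev/shm/|base64 -d'
}

# Full pass for one process name, then the usual cron locations.
triage() {
    found=0
    for pid in $(pids_named "$1"); do found=1; proc_info "$pid"; done
    [ "$found" -eq 1 ] || echo "no process named '$1' running now"
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*; do
        [ -r "$f" ] && flag_cron_lines < "$f" | sed "s|^|$f: |"
    done
    return 0
}
if [ $# -gt 0 ]; then triage "$1"; fi
```

Run it as root so `/proc/PID/exe` of the `www-data` process and the spool crontabs are readable; a binary reported as `(deleted)` or under `/tmp` is the usual sign of a dropped miner.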