I experienced extraordinary CPU load on my hosting plan (a shared hosting plan with several websites hosted) and I found that many of the processes came from one e-commerce website. I turned the website off and the CPU load went down (it was again in the normal zone).

I tried to figure out what triggered this by searching through the log files of the problematic website. I found that log files were created every 2-3 minutes, and all files contained similar lines like the next block (I changed the db user name and the real folder names for security reasons):

```
[20-Mar-2020 06:36:30 America/Chicago] PHP Warning:  mysqli_connect(): (28000/1045): Access denied for user 'dbuser'@'localhost' (using password: YES) in /home4/myroot/public_html/website_folder/includes/classes/db/mysql/query_factory.php on line 64
[20-Mar-2020 06:36:30 America/Chicago] Request URI: /, IP address: 31.13.103.24
#1  mysqli_connect() called at [/home4/myroot/public_html/website_folder/includes/classes/db/mysql/query_factory.php:64]
#2  queryFactory->connect() called at [/home4/myroot/public_html/website_folder/includes/init_includes/init_database.php:23]
#3  require(/home4/myroot/public_html/website_folder/includes/init_includes/init_database.php) called at [/home4/myroot/public_html/website_folder/includes/autoload_func.php:48]
#4  require(/home4/myroot/public_html/website_folder/includes/autoload_func.php) called at [/home4/myroot/public_html/website_folder/includes/application_top.php:170]
#5  require(/home4/myroot/public_html/website_folder/includes/application_top.php) called at [/home4/myroot/public_html/website_folder/index.php:26]
```

and similar blocks of code that started with this line:

```
[24-Mar-2020 08:57:10 America/Chicago] PHP Warning:  mysqli_connect(): (28000/1045): Access denied for user 'root'@'localhost' (using password: NO) in /home4/myroot/public_html/website_folder/includes/classes/db/mysql/query_factory.php on line 64
```

One log file contained dozens of these code blocks, one below the other. Does this look like an external attempt to compromise the website (i.e. SQL injection attempts)?

I see numerous log files with these lines correlated to high CPU load. Does anyone have an explanation?

Thank you!

Laki
  • It looks like you've not set up your DB connection properly. Check your code; `query_factory.php on line 64` – Martin Mar 24 '20 at 15:17
  • PHP include files really shouldn't be in the `public_html` folder, that's bad security practice. Where did you find this PHP system from? – Martin Mar 24 '20 at 15:18
  • @Martin This is the Zen Cart CMS installed on my shared hosting (Host Gator). 1. Regarding the db connection - after I put my website offline, I removed the db connection parameters in a config file (just in case the database was compromised). – Laki Mar 24 '20 at 16:21
  • @Martin You mentioned PHP files in the public_html folder. How to fix it? When I installed this CMS website everything was done straightforwardly without custom tweaks to the code. – Laki Mar 24 '20 at 16:24
  • There is no simple way to fix it, it's a structural issue with many PHP systems that they stick everything in the public_html folder without considering any security flaws in that. It's probably not critical, but it's not best practice. – Martin Mar 24 '20 at 16:26
  • Thank you for explaining about PHP. I'm curious to know if there is something in the log files that can explain the huge CPU load related to my hosting. – Laki Mar 24 '20 at 16:31
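
A triage sketch for log files in the format quoted in the question, as an added example that is not part of the original post or of Zen Cart: it pairs each `Access denied` warning with the `Request URI` / IP line that follows it and tallies the failures by credential, client IP and URI. The sample log is constructed (IP addresses are documentation-range placeholders) and the function names are hypothetical.

```python
import re
from collections import Counter

PATH = "/home4/myroot/public_html/website_folder/includes/classes/db/mysql/query_factory.php"
# Constructed sample in the format of the excerpt above; IPs are documentation-range placeholders.
SAMPLE_LOG = f"""\
[20-Mar-2020 06:36:30 America/Chicago] PHP Warning:  mysqli_connect(): (28000/1045): Access denied for user 'dbuser'@'localhost' (using password: YES) in {PATH} on line 64
[20-Mar-2020 06:36:30 America/Chicago] Request URI: /, IP address: 203.0.113.10
#1  mysqli_connect() called at [{PATH}:64]
[20-Mar-2020 06:38:02 America/Chicago] PHP Warning:  mysqli_connect(): (28000/1045): Access denied for user 'dbuser'@'localhost' (using password: YES) in {PATH} on line 64
[20-Mar-2020 06:38:02 America/Chicago] Request URI: /index.php, IP address: 198.51.100.7
[24-Mar-2020 08:57:10 America/Chicago] PHP Warning:  mysqli_connect(): (28000/1045): Access denied for user 'root'@'localhost' (using password: NO) in {PATH} on line 64
[24-Mar-2020 08:57:10 America/Chicago] Request URI: /, IP address: 203.0.113.10
[24-Mar-2020 08:59:41 America/Chicago] PHP Warning:  mysqli_connect(): (28000/1045): Access denied for user 'root'@'localhost' (using password: NO) in {PATH} on line 64
"""

DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP Warning:\s+mysqli_connect\(\): \(28000/1045\): "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)")
REQUEST = re.compile(r"^\[[^\]]+\] Request URI: (?P<uri>\S+), IP address: (?P<ip>\S+)")

def parse_failures(text):
    """Return one dict per denied connection, joined to the request line after it."""
    events, pending = [], None
    for line in text.splitlines():
        denied = DENIED.match(line)
        if denied:
            if pending:                      # previous warning had no request line
                events.append(pending)
            pending = {**denied.groupdict(), "uri": None, "ip": None}
            continue
        request = REQUEST.match(line)
        if request and pending:
            pending.update(request.groupdict())
            events.append(pending)
            pending = None
    if pending:                              # log ended right after a warning
        events.append(pending)
    return events

def summarize(events):
    """Tally failures by (db user, password sent), client IP and requested URI."""
    return {
        "total": len(events),
        "by_credential": Counter((e["user"], e["pw"]) for e in events),
        "by_ip": Counter(e["ip"] for e in events),
        "by_uri": Counter(e["uri"] for e in events),
    }

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE_LOG)))
```

The user name and password flag in each warning are the arguments the application passed to `mysqli_connect()`, so the credential tally shows what the site's configuration was sending, while the IP and URI tallies show which requests drove the volume.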

0 Answers