Droplet Compromised? www-data processes
Have a new droplet running Ubuntu 20.04 with LAMP stack, and 3 wordpress installs that I created last week, with two of them being used with very low volume, really just testing at this point and setting up the wordpress sites.
Have installed wordpress themes (Hestia) and some plugins (MonsterInsights, RankMath, WPForms, WPMail, OrbitFox) and have been doing initial site development, in many ways re-teaching myself Wordpress.
Woke up this morning to the CPU Pegged, unable to access any of my sites. I went in and got this from top using my console, with the www-data one being suspicious.
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
127 root 20 0 0 0 0 R 35.8 0.0 35:59.69 kswapd0
105286 www-data 20 0 300532 264724 0 R 34.4 26.3 48:40.36 gko8llwqjf5jkus
110224 mysql 20 0 1254396 339052 0 R 14.2 33.7 0:03.00 mysqld
733 do-agent 20 0 559692 6356 0 S 8.9 0.6 1:52.68 do-agent
386 root 19 -1 76188 5000 3720 R 2.6 0.5 3:20.57 systemd-journal
I restarted the site, and subsequently made sure SSH key login was enabled and password login disabled.
Have also found a couple cron entries that look suspicious to me. The first wordpress site has not been activated or used at all. Directory was created and populated for future use.
root@MY-DROPLET:/var/tmp# crontab -u www-data -l
- * * * * /var/www/mysite.com/wordpress/wp-content/themes/twentynineteen/pty8 > /dev/null 2>&1 &
- * * * * /dev/shm/pty8 > /dev/null 2>&1 &
- * * * * /var/tmp/pty8 > /dev/null 2>&1 &
- * * * * /var/lock/pty8 > /dev/null 2>&1 &
If I have to start over, it’s not the end of the world. But, I’d rather not. My questions:
How do I confirm whether these cron jobs and this behavior was malicious?
Can I clean it up, or start with a new droplet?
How do I identify how it happened and prevent it in the future?
Thank you, been years since I’ve done this daily, so appreciate the help.
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.×