Question

High CPU Usage Issue

Hello guys.

I have a droplet with Nginx and Cloudpanel where I host a WordPress website. I noticed that it uses too much CPU and when I checked with htop from the command line, I found there are some scripts that cause high CPU usage.

I used the kill command and it worked but today it appeared again.

Can you help me to find what causes it or what that script is?

This is a screenshot of htop - https://ibb.co/bFdXj7y


Bobby Iliev
Site Moderator
August 25, 2024

Hi there,

Indeed, the /popz script is not a standard Linux or Nginx script, which suggests that it could be either a custom script or something that has been added maliciously. To investigate:

  • Check the location of the script: ls -l /popz
  • View the contents of the script to understand what it does: cat /popz

It’s possible that this script is being executed regularly via a cron job or another scheduling tool. Check the cron jobs for the user or system:

  • List cron jobs for the current user: crontab -l
  • List cron jobs for all users: sudo ls /var/spool/cron/crontabs/
  • Check system-wide cron jobs: sudo cat /etc/crontab and sudo ls /etc/cron.d/

Since the script reappears after you kill it, this could be indicative of a compromise or persistent script that is being reloaded by a backdoor or malicious process. What you might have to do is review your code and make sure that this is not the case, or try to restore from a working backup before this started occurring.

Another thing that you should do is to check your system logs in /var/log/ for any unusual activity or messages related to this script. Start with syslog and auth.log to see if there are any clues:

  • sudo grep -i popz /var/log/syslog
  • sudo grep -i popz /var/log/auth.log

Basically you should review the script and if it is legitimate, try to understand its purpose and whether it’s required. If it’s causing excessive CPU load, consider optimizing it or reducing its frequency. But if the script is malicious, you should remove it immediately, and consider re-securing your server, possibly by rebuilding it if the compromise is severe or restoring it from a working backup.

Let me know how it goes!

- Bobby
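
The checks from the answer above, combined into one triage script. This is an added example, not part of the original post; the script name `triage.sh`, the function names and the optional ROOT argument are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original answer. "popz" is the name seen in
# the thread; the optional ROOT argument is an assumption of this example
# so the cron search can be pointed at a mounted disk or a test tree.

# Print file:line:text for every cron entry that mentions NAME.
find_cron_refs() {
    name=$1
    root=${2:-}
    for loc in "$root/etc/crontab" "$root/etc/cron.d" \
               "$root/etc/cron.hourly" "$root/etc/cron.daily" \
               "$root/var/spool/cron"; do
        [ -e "$loc" ] || continue
        # -r recurse, -H always show the file, -F literal match, -n line no.
        grep -rHFn -- "$name" "$loc" 2>/dev/null || true
    done
    return 0
}

# For each running process whose command line contains NAME, show which
# file is executing and which parent started it (the likely respawner).
describe_procs() {
    name=$1
    for pid in $(pgrep -f -- "$name"); do
        [ "$pid" = "$$" ] && continue   # skip this script itself
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
        parent=$(cat "/proc/$ppid/cmdline" 2>/dev/null | tr '\0' ' ')
        echo "pid=$pid ppid=$ppid exe=${exe:-unreadable} parent=${parent:-unknown}"
    done
    return 0
}

# Run as root, e.g.: sh triage.sh popz
if [ -n "${1:-}" ]; then
    describe_procs "$1"
    find_cron_refs "$1"
fi
```

The parent shown by `describe_procs` is worth recording before killing anything: if it is a PHP or web server worker rather than cron, the respawn is coming from the site itself and the cron search will come back empty.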

KFSys
Site Moderator
August 22, 2024

Heya @guramchankseliani,

That’s a really strange script! Try to locate it and then read it to see what it does! I’ve not seen such a script before.

It’s possible it’s some sort of malware, just so you know, or it can be a script that some of the software you have is using.
