Hello guys.
I have a droplet with Nginx and Cloudpanel where I host a WordPress website. I noticed that it uses too much CPU and when I checked with htop from the command line, I found there are some scripts that cause high CPU usage.
I used the kill command and it worked but today it appeared again.
Can you help me to find what causes it or what that script is?
This is a screenshot of htop - https://ibb.co/bFdXj7y
Hi there,
Indeed, the `/popz` script is not a standard Linux or Nginx script, which suggests that it could be either a custom script or something that has been added maliciously. To investigate:

```
ls -l /popz
cat /popz
```

It’s possible that this script is being executed regularly via a cron job or another scheduling tool. Check the cron jobs for the user or system:

```
crontab -l
sudo ls /var/spool/cron/crontabs/
sudo cat /etc/crontab
sudo ls /etc/cron.d/
```

Since the script reappears after you kill it, this could be indicative of a compromise or persistent script that is being reloaded by a backdoor or malicious process. What you might have to do is review your code and make sure that this is not the case, or try to restore from a working backup before this started occurring.
Another thing that you should do is to check your system logs in `/var/log/` for any unusual activity or messages related to this script. Start with `syslog` and `auth.log` to see if there are any clues:

```
sudo grep -i popz /var/log/syslog
sudo grep -i popz /var/log/auth.log
```

Basically you should review the script and if it is legitimate, try to understand its purpose and whether it’s required. If it’s causing excessive CPU load, consider optimizing it or reducing its frequency. But if the script is malicious, you should remove it immediately, and consider re-securing your server, possibly by rebuilding it if the compromise is severe or restoring it from a working backup.
Let me know how it goes!
- Bobby
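
The cron checks from the answer above, combined into one search for whatever keeps relaunching the script (an added example, not part of the original answer). It also looks in `/etc/systemd/system` and `/etc/rc.local`, which goes beyond the cron paths the answer lists; the function name `find_sched_refs` and its optional ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list every scheduler entry that mentions a given name.
# ROOT defaults to "/" and exists only so the function can be pointed at a
# mounted copy of the disk (or a test tree) instead of the live system.

# Locations read by cron and systemd on a typical Debian/Ubuntu droplet.
SCHED_PATHS="etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily
etc/cron.weekly etc/cron.monthly var/spool/cron/crontabs
etc/systemd/system etc/rc.local"

# find_sched_refs NAME [ROOT]
# Prints "file:line:text" for each non-comment line containing NAME.
# Returns 0 if at least one reference was found, 1 otherwise.
find_sched_refs() {
    name=$1
    root=${2:-/}
    found=1
    for rel in $SCHED_PATHS; do
        path="${root%/}/$rel"
        [ -e "$path" ] || continue
        # -r recurse, -n line numbers, -H always show the file name,
        # -F literal match, -s stay quiet about unreadable files.
        # The second grep drops lines whose text starts with '#'.
        hits=$(grep -rnHFs -- "$name" "$path" \
               | grep -v '^[^:]*:[0-9]*:[[:space:]]*#' || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=0
        fi
    done
    return $found
}

# Usage on the live system, run as root so every crontab is readable:
#   find_sched_refs popz
```

An empty result does not clear the server: a web shell in the WordPress tree or a running parent process can relaunch the script without any scheduler entry.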
Heya @guramchankseliani,
That’s a really strange script! Try to locate it and then read it to see what it does! I’ve not seen such a script before.
It’s possible it’s some sort of malware, just so you know, or it can be a script that some of the software you have is using.