
Author Topic: how can I know which account, domain or file is causing CPU load?  (Read 3991 times)


Offline zmatrix

Hello,

I have a VPS and I host 6 WordPress sites.

In the last 2 days I saw high load in my VPS panel, and it's not normal.
I feel it may be malware or a hacker using a file from one of the sites, and that makes the high load.

I want to know how to find the file that is causing that load and under which account.

Thanks

Offline Kloxo-DR

Hi,

If the malicious file resides on your server, then you can pack the /home/* dir and run an AVG antivirus check. It shall find many deadly trojan horses and help to identify files under directories that are infected.

If the malicious file resides on a remote server, then you can block the IP address of that server and all incoming calls on every port through csf.

I have my doubts whether Kloxo-MR is secure. If this is happening, you may not stay asleep from now on.

Offline Kloxo-DR

Another option is to have csf configured to watch processes, accounts, directories and files.

Once the server is compromised, csf shall show no change in the infected file or a trojan sleeping in the system.

In this case, your best option is to reinstall WordPress, copy the themes or templates onto it and restore the database. Only then could you map csf to those directories. With a fresh install you will also eliminate the possibility of some trojan in there.

There are several dangerous trojan horses like PHP/Backdoor or PHP/Agent.4. They create symptoms like you described.

So just be careful and take measures before it is too late.

However, there may be some process that is actually causing more resource use. One could be imap and imaps, which burn CPU power.
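As an added example (not from this thread or from Kloxo-MR): a small POSIX shell helper that totals CPU share per account from `ps` output, which is the first thing to check when asking which account's processes are behind the load on a multi-site host. The sample `ps` lines, account names and commands are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the thread: total CPU share per account from `ps`
# output, so that on a multi-site host you can see which account's processes
# dominate before digging into that account's files.

# cpu_by_user: read "user pcpu command" lines on stdin and print one line per
# user: "<user> <summed pcpu> <command with the highest single pcpu>",
# sorted with the heaviest user first.
cpu_by_user() {
    awk '{
        cpu[$1] += $2
        if (!($1 in top) || $2 + 0 > top[$1] + 0) { top[$1] = $2; cmd[$1] = $3 }
    }
    END { for (u in cpu) printf "%s %.1f %s\n", u, cpu[u], cmd[u] }' |
    sort -k2,2 -nr
}

# Constructed sample output; on a live host use the real command instead:
#   ps -eo user,pcpu,comm --no-headers | cpu_by_user
SAMPLE_PS='root 0.5 sshd
site1 45.2 php-cgi
site1 38.9 php-cgi
site2 1.2 php-cgi
vpopmail 12.0 imapd
vpopmail 11.5 imapd'

# top_account: name of the account with the largest summed CPU in the sample.
top_account() {
    printf '%s\n' "$SAMPLE_PS" | cpu_by_user | head -n 1 | cut -d ' ' -f 1
}

# Print the per-account table for the constructed sample.
printf '%s\n' "$SAMPLE_PS" | cpu_by_user
```

Once an account stands out, `ps -eo pid,user,pcpu,args` filtered to that user shows the exact scripts (for php-cgi, the site's document root) to inspect or hand to the antivirus scan described above.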

Offline zmatrix

I found 2 files that I can't recognize.

Offline Kloxo-DR

Hi,

I found similar files, two of them, which I could not recognize.

I suggest that you reinstall your server again. Take care that you install all necessary security mechanisms BEFORE transferring the DNS from the old server to the new server.

Usually they save such files initially and attack after months. They keep a time lapse so that all log files get rotated and a stupid admin loses all such valuable information.

I suspect that your server may have been used for spamming. The current Qmailtoaster, and the version before, has something in its configuration or compilation that is not working correctly with spamdyke. So a hacker may abuse this and send a mail bomb from your server.

DO NOT COPY OR RESTORE HTML FROM THE OLD HOME DIRECTORY.

Install everything fresh on the new server. Just take along the templates and databases. Check for users created in the database and whether there are dummy, fake or inactive users.

You may not know what is in there within thousands of files, or whether a hacker installed some golden eggs somewhere inside the system.


Offline zmatrix

I downloaded the site files, and I found 2 Trojan files.
I removed them and reinstalled WordPress again.
I will keep watching the load on my server to see if it is still high or returns to the normal values.

I have problems with my server:

I can't access the FTP.
I can't access the emails from web or POP3 :(

I hope there will be a new update soon, because my server now is shit.

So can anyone suggest a plugin or so for WordPress that scans the files in my website?


Offline zmatrix

Can you please tell me how to remove the queued mail from the admin panel?
Because in the processes I see a lot of emails that I can't recognize.

Offline Kloxo-DR

Hi,

Your approach is wrong. I have sufficient experience with this. Mustafa and Chris have so far not given sufficient attention to the issues I have raised.

Your server is hacked.
You just cannot reinstall anything in the home dir, for example, and reinstall it again while keeping CentOS the same. Some malicious code is sitting in the system somewhere.

The hacker will infect your system again and again, as long as you have the same CentOS.

Read my advice here:

http://forum.mratwork.com/kloxo-mr-releases-and-announcements/%28update%29-please-update-qmail-toaster-and-courier-imap-toaster/

The best thing to do is to rename /var/qmail/bin/qmail-remote to something else. Thereafter, your server shall not be able to send any email from the server to a remote server. You can still receive emails, though, and log in with an email client.

To delete the mail queue: either flush the queue from the Kloxo admin, or use shell commands to flush it. The best way to observe is to use the Webmin qmail admin. Then you have a web interface to see the contents of those emails.
