cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Go to solution

I think i got hacked, maxed process, cpu and memory maxed

Hi,

 

Please help, I think I got hacked.

 

My number of process, CPU usage and Physical memory are all close to 100% usage.

Annotation 2019-09-23 111515.png

 

Looks like a DOS attack. I took a peek at my logs and see a lot of weird access. here are a few:

[08-Jun-2019 22:09:24 UTC] PHP Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in /home/ikoymaster/public_html/dfi/wp-settings.php on line 19
[08-Jun-2019 22:09:24 UTC] PHP Warning: require(ABSPATHwp-includes/load.php): failed to open stream: No such file or directory in /home/ikoymaster/public_html/dfi/wp-settings.php on line 19
[08-Jun-2019 22:09:24 UTC] PHP Fatal error: require(): Failed opening required 'ABSPATHwp-includes/load.php' (include_path='.:/opt/alt/php56/usr/share/pear:/opt/alt/php56/usr/share/php') in /home/ikoymaster/public_html/dfi/wp-settings.php on line 19
[09-Jun-2019 00:08:09 UTC] PHP Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in /home/ikoymaster/public_html/dfi/wp-settings.php on line 19
[09-Jun-2019 00:08:09 UTC] PHP Warning: require(ABSPATHwp-includes/load.php): failed to open stream: No such file or directory in /home/ikoymaster/public_html/dfi/wp-settings.php on line 19
[09-Jun-2019 00:08:09 UTC] PHP Fatal error: require(): Failed opening required 'ABSPATHwp-includes/load.php' (include_path='.:/opt/alt/php56/usr/share/pear:/opt/alt/php56/usr/share/php') in /home/ikoymaster/public_html/dfi/wp-settings.php on line 19
[31-Jul-2019 05:18:43 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; zc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[31-Jul-2019 05:18:43 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; sc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[31-Jul-2019 16:47:22 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; zc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[31-Jul-2019 16:47:22 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; sc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[31-Jul-2019 16:47:38 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; zc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[31-Jul-2019 16:47:38 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; sc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[31-Jul-2019 16:50:46 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; zc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[31-Jul-2019 16:50:46 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; sc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[01-Aug-2019 04:53:31 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; zc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[01-Aug-2019 04:53:31 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; sc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[01-Aug-2019 04:53:34 UTC] PHP Notice: Undefined variable: c in /home/ikoymaster/public_html/dfi/license.php on line 8
[01-Aug-2019 04:53:34 UTC] PHP Notice: Undefined index: filename in /home/ikoymaster/public_html/dfi/license.php on line 15
[01-Aug-2019 04:53:34 UTC] PHP Notice: Use of undefined constant SCRIPT_FILENAME - assumed 'SCRIPT_FILENAME' in /home/ikoymaster/public_html/dfi/license.php on line 23
[01-Aug-2019 04:53:34 UTC] PHP Notice: Undefined variable: time in /home/ikoymaster/public_html/dfi/license.php on line 24
[01-Aug-2019 05:15:58 UTC] PHP Notice: Undefined variable: c in /home/ikoymaster/public_html/dfi/license.php on line 8
[01-Aug-2019 05:15:58 UTC] PHP Notice: Undefined index: filename in /home/ikoymaster/public_html/dfi/license.php on line 15
[01-Aug-2019 05:15:58 UTC] PHP Notice: Use of undefined constant SCRIPT_FILENAME - assumed 'SCRIPT_FILENAME' in /home/ikoymaster/public_html/dfi/license.php on line 23
[01-Aug-2019 05:15:58 UTC] PHP Notice: Undefined variable: time in /home/ikoymaster/public_html/dfi/license.php on line 24
[03-Aug-2019 18:32:34 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; DbClass has a deprecated constructor in /home/ikoymaster/public_html/dfi/wp-tempo.php(21) : runtime-created function on line 1118
[03-Aug-2019 18:47:06 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; DbClass has a deprecated constructor in /home/ikoymaster/public_html/dfi/wp-tempo.php(21) : runtime-created function on line 1118
[04-Aug-2019 19:39:30 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; DbClass has a deprecated constructor in /home/ikoymaster/public_html/dfi/wp-tempo.php(21) : runtime-created function on line 1118
[04-Aug-2019 21:40:10 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; DbClass has a deprecated constructor in /home/ikoymaster/public_html/dfi/wp-tempo.php(21) : runtime-created function on line 1118
[05-Aug-2019 15:13:20 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; zc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[05-Aug-2019 15:13:20 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; sc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15
[05-Aug-2019 20:21:20 UTC] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; zc has a deprecated constructor in /home/ikoymaster/public_html/dfi/5d412425134275d4124251342d.php(1) : runtime-created function(1) : eval()'d code on line 15

 

It looks like someone doing trial and error injecting code, since this site was made a few years back and has been running smoothly.

 

I also see weird files with weird filenames(gibberish like qlxdgy.php ). My wp index file had a code injected on top of the original code, my wp-config was empty.

 

This is a shared server so I cant restart the server to get a fresh process.

 

Please help.

 

5 REPLIES 5
Super User III
Super User III

Re: I think i got hacked, maxed process, cpu and memory maxed

@ikoymaster 

 

  • Are you on the latest version of WP?
  • Are you on the latest version of PHP?
  • Do you have a backup?

If you answer any of those no, then you're most likely hacked based on what you posted. You'll want to make sure you do updates to everything, change passwords, and remove the malware if you don't have a backup.



I am a GoDaddy End User - Just Like You
* Please note that I offer free advice on this forum. I DO NOT answer private messages. Please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. Thanks! *

Once your issue is resolved,
please be sure to come back and click accept for the solution

Get Better Support on the Community Boards!
Etiquette When Asking for Help from the Community


Re: I think i got hacked, maxed process, cpu and memory maxed

@MrVapor 

  • Are you on the latest version of WP? No (since this happened)
  • Are you on the latest version of PHP? I changed to 7.x around june or july, but security might have already been compromised.
  • Do you have a backup? content - yes, DB - yes, entire project(WP) no.

I can upgrade to latest WP version, I'm already on latest PHP, I still have the content and DB. but problem is I'm still experiencing DOS. all resource at <100% si I get service unavailable when I try to load my site.

 

Any ideas?

 

Thanks for the reply BTW.

Super User III
Super User III
Solution

Re: I think i got hacked, maxed process, cpu and memory maxed

@ikoymaster 

 

I would suggest getting behind a Web Application Firewall. GoDaddy offers that with their Website Security Deluxe package or you can try something like Cloudflare. (I've had mixed results with Cloudflare, TBH, but some people swear by them.)

 

You'll probably also want to restore and restart or get a malware removal done. Also, if you use the cPanel, it's possible they got in via a weak password, which happens way more than you'd like to believe. So, change that if applicable. 



I am a GoDaddy End User - Just Like You
* Please note that I offer free advice on this forum. I DO NOT answer private messages. Please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. Thanks! *

Once your issue is resolved,
please be sure to come back and click accept for the solution

Get Better Support on the Community Boards!
Etiquette When Asking for Help from the Community


Highlighted

Re: I think i got hacked, maxed process, cpu and memory maxed

Hey! Thanks a lot man, I will try your suggestion and hope the problem goes away.

 

I'll keep this thread "unsolved" for a while and see what works, then update what I did to help others.

 

Cheers!

Moderator
Moderator
Solution

Re: I think i got hacked, maxed process, cpu and memory maxed

Hi @ikoymaster,

 

GoDaddy has a great article to get you started with fighting malware on your website. The advice previously offered here is excellent in helping you to secure your site against intrusions. There are actions you can take as well as products GoDaddy offers to help restore your website. 

 

 

TLH - GoDaddy | Community Moderator
Supporting you at x.co/247support