
WordPress ELF daemon attacks

Tech Issues Dec 20, 2024

All of a sudden one of my WordPress sites went down and I got a down-status alert from Betterstack. My first suspicion was that some attack had happened.

By drilling down into the logs and the status of the services, I figured out that 10+ processes were utilising high CPU. They were from WordPress file locations, running as the daemon user, and running as daemons.

Even though I have a crontab to restart all services once a day, irrespective of that the Apache, php-fpm and MariaDB services were down.

I realised that the high-utilising processes are ELF executable files, which need to be removed and the processes killed.

Now this has started repeating and I am cleaning it up for now, but what about the future? Working on finding a permanent solution...

Found ELF files:

rate_accept03
xml_domit_xpath
sp_config
AttrTypes
lib_ajax_admin
viva_zoom
config_clicks
forgot_mail
phocagallerycos
livehelp_step1
project.inc
database.mysqli
com_wrapper
mygroupperm
core.rm_auto

daemon     17812  0.0  0.0   2576     0 ?        S    Dec10   0:00 sh -c /opt/bitnami/wordpress/wp-includes/art/bandarqq/sp_config > /dev/null 2>&1
daemon     17813  3.2  0.0  22048     4 ?        R    Dec10 434:50 /opt/bitnami/wordpress/wp-includes/art/bandarqq/sp_config
daemon     19632  0.0  0.0   2576     0 ?        S    Dec10   0:00 sh -c /opt/bitnami/wordpress/wp-includes/l10n/viva_zoom > /dev/null 2>&1
daemon     19633  3.0  0.0  22704     4 ?        R    Dec10 416:21 /opt/bitnami/wordpress/wp-includes/l10n/viva_zoom
daemon     92992  0.0  0.0   2576     0 ?        S    Dec10   0:00 sh -c /opt/bitnami/wordpress/wp-includes/php-compat/database.mysqli > /dev/null 2>&1
daemon     92993  3.1  0.0  23360     4 ?        R    Dec10 427:14 /opt/bitnami/wordpress/wp-includes/php-compat/database.mysqli
daemon    111178  0.0  0.0   2576     0 ?        S    Dec10   0:00 sh -c /opt/bitnami/wordpress/wp-includes/images/crystal/core.rm_auto > /dev/null 2>&1
daemon    111179  3.3  0.0  21392     4 ?        R    Dec10 441:18 /opt/bitnami/wordpress/wp-includes/images/crystal/core.rm_auto
daemon    549029  0.0  0.0   2576     0 ?        S    Dec11   0:00 sh -c /opt/bitnami/wordpress/wp-includes/js/swfupload/AttrTypes > /dev/null 2>&1
daemon    549030  2.9  0.0  20408     4 ?        R    Dec11 380:10 /opt/bitnami/wordpress/wp-includes/js/swfupload/AttrTypes
daemon   2177938  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/column/phocagallerycos > /dev/null 2>&1
daemon   2177939 10.4  0.0    564     4 ?        R    Dec18 306:48 /opt/bitnami/wordpress/wp-includes/blocks/column/phocagallerycos
daemon   2224076  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks > /dev/null 2>&1
daemon   2224077 10.6  0.0  18932     4 ?        R    Dec18 310:11 /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks
daemon   2346064  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks > /dev/null 2>&1
daemon   2346065 17.3  0.0   2696     4 ?        R    Dec18 493:15 /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks
daemon   2427842  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/column/phocagallerycos > /dev/null 2>&1
daemon   2427843 15.5  0.0    400     4 ?        R    Dec18 434:56 /opt/bitnami/wordpress/wp-includes/blocks/column/phocagallerycos
daemon   2431072  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath > /dev/null 2>&1
daemon   2431074 15.6  0.0   5484     4 ?        R    Dec18 435:14 /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath
daemon   2439593  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath > /dev/null 2>&1
daemon   2439594 15.6  0.0   7124     4 ?        R    Dec18 435:22 /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath
daemon   2481396  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks > /dev/null 2>&1
daemon   2481397 15.7  0.0   2860     4 ?        R    Dec18 435:03 /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks
daemon   2548247  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/table/forgot_mail > /dev/null 2>&1
daemon   2548248 11.2  0.0   3844     4 ?        R    Dec18 307:55 /opt/bitnami/wordpress/wp-includes/blocks/table/forgot_mail
daemon   2633592  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath > /dev/null 2>&1
daemon   2633593 14.5  0.0   2204     4 ?        R    Dec18 388:36 /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath
daemon   2633907  0.0  0.0   2576     0 ?        S    Dec18   0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks > /dev/null 2>&1
daemon   2633908 14.5  0.0   2696     4 ?        R    Dec18 388:39 /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks
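The listing above shows two things a check can key on: native ELF binaries sitting inside the WordPress tree (which should contain only PHP, JS, CSS and images) and processes whose executable lives under that tree. The script below is an added example, not part of the original post; it assumes the Bitnami path /opt/bitnami/wordpress from the ps output (override with WP_ROOT) and only reports, leaving the kill/remove step as a deliberate manual action.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find ELF binaries hidden in a
# WordPress document root and processes executing from it.
# Assumed layout: Bitnami's /opt/bitnami/wordpress, as seen in the ps listing.

WP_ROOT="${WP_ROOT:-/opt/bitnami/wordpress}"

# Print every regular file under $1 whose first four bytes are the ELF magic
# (0x7f 'E' 'L' 'F'). A WordPress tree should hold no native executables, so
# every hit is suspect regardless of its file name or extension.
find_elf_files() {
    root="$1"
    find "$root" -type f -size +3c -print 2>/dev/null |
    while IFS= read -r f; do
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Print "<pid> <exe>" for every process whose executable resolves to a path
# under $1. This catches the worker binaries from the listing; their
# "sh -c <path>" parents resolve to /bin/sh and are found via the child's PPID.
find_procs_under() {
    root="$1"
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$root"/*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# Report only: review the output before killing processes or deleting files.
report() {
    echo "== ELF files under $WP_ROOT"
    find_elf_files "$WP_ROOT"
    echo "== processes running from $WP_ROOT"
    find_procs_under "$WP_ROOT"
}
```

Run `report` from a cron job or a monitoring hook; a non-empty result is the signal the post is looking for, before CPU usage climbs.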
