WordPress ELF daemon attacks
All of a sudden one of my WordPress sites went down and I got a down status alert from Betterstack. My first suspicion was that some attack had happened.
By drilling down into the logs and the status of the services, I figured out that 10+ processes were utilising high CPU; they are located in WordPress file locations, run with daemon as the user, and run as daemons.
Even though I have a crontab to restart all services once a day, irrespective of that the apache, php-fpm and mariadb services were down.
I realised that the high-utilising processes are ELF executable files which need to be removed, and the processes need to be killed.
Now this has started repeating and I am cleaning it up for now, but what about the future? Working on finding a permanent solution...
Found ELF files:
rate_accept03
xml_domit_xpath
sp_config
AttrTypes
lib_ajax_admin
viva_zoom
config_clicks
forgot_mail
phocagallerycos
livehelp_step1
project.inc
database.mysqli
com_wrapper
mygroupperm
core.rm_auto
daemon 17812 0.0 0.0 2576 0 ? S Dec10 0:00 sh -c /opt/bitnami/wordpress/wp-includes/art/bandarqq/sp_config > /dev/null 2>&1
daemon 17813 3.2 0.0 22048 4 ? R Dec10 434:50 /opt/bitnami/wordpress/wp-includes/art/bandarqq/sp_config
daemon 19632 0.0 0.0 2576 0 ? S Dec10 0:00 sh -c /opt/bitnami/wordpress/wp-includes/l10n/viva_zoom > /dev/null 2>&1
daemon 19633 3.0 0.0 22704 4 ? R Dec10 416:21 /opt/bitnami/wordpress/wp-includes/l10n/viva_zoom
daemon 92992 0.0 0.0 2576 0 ? S Dec10 0:00 sh -c /opt/bitnami/wordpress/wp-includes/php-compat/database.mysqli > /dev/null 2>&1
daemon 92993 3.1 0.0 23360 4 ? R Dec10 427:14 /opt/bitnami/wordpress/wp-includes/php-compat/database.mysqli
daemon 111178 0.0 0.0 2576 0 ? S Dec10 0:00 sh -c /opt/bitnami/wordpress/wp-includes/images/crystal/core.rm_auto > /dev/null 2>&1
daemon 111179 3.3 0.0 21392 4 ? R Dec10 441:18 /opt/bitnami/wordpress/wp-includes/images/crystal/core.rm_auto
daemon 549029 0.0 0.0 2576 0 ? S Dec11 0:00 sh -c /opt/bitnami/wordpress/wp-includes/js/swfupload/AttrTypes > /dev/null 2>&1
daemon 549030 2.9 0.0 20408 4 ? R Dec11 380:10 /opt/bitnami/wordpress/wp-includes/js/swfupload/AttrTypes
daemon 2177938 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/column/phocagallerycos > /dev/null 2>&1
daemon 2177939 10.4 0.0 564 4 ? R Dec18 306:48 /opt/bitnami/wordpress/wp-includes/blocks/column/phocagallerycos
daemon 2224076 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks > /dev/null 2>&1
daemon 2224077 10.6 0.0 18932 4 ? R Dec18 310:11 /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks
daemon 2346064 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks > /dev/null 2>&1
daemon 2346065 17.3 0.0 2696 4 ? R Dec18 493:15 /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks
daemon 2427842 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/column/phocagallerycos > /dev/null 2>&1
daemon 2427843 15.5 0.0 400 4 ? R Dec18 434:56 /opt/bitnami/wordpress/wp-includes/blocks/column/phocagallerycos
daemon 2431072 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath > /dev/null 2>&1
daemon 2431074 15.6 0.0 5484 4 ? R Dec18 435:14 /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath
daemon 2439593 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath > /dev/null 2>&1
daemon 2439594 15.6 0.0 7124 4 ? R Dec18 435:22 /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath
daemon 2481396 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks > /dev/null 2>&1
daemon 2481397 15.7 0.0 2860 4 ? R Dec18 435:03 /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks
daemon 2548247 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/table/forgot_mail > /dev/null 2>&1
daemon 2548248 11.2 0.0 3844 4 ? R Dec18 307:55 /opt/bitnami/wordpress/wp-includes/blocks/table/forgot_mail
daemon 2633592 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath > /dev/null 2>&1
daemon 2633593 14.5 0.0 2204 4 ? R Dec18 388:36 /opt/bitnami/wordpress/wp-admin/css/colors/ocean/xml_domit_xpath
daemon 2633907 0.0 0.0 2576 0 ? S Dec18 0:00 sh -c /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks > /dev/null 2>&1
daemon 2633908 14.5 0.0 2696 4 ? R Dec18 388:39 /opt/bitnami/wordpress/wp-includes/blocks/columns/config_clicks
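An added example (not the poster's own tooling) of the two checks this post implies: scanning the WordPress docroot for files that carry the ELF magic bytes, and picking out `ps aux` lines for daemon-owned processes whose command refers to a path under that docroot. The sample `ps` lines and the throwaway directory are constructed for the demo; `/opt/bitnami/wordpress` is the path from the listing above.

```python
import os, tempfile

ELF_MAGIC = b"\x7fELF"

def find_elf_files(root):
    """Return every file under root whose first 4 bytes are the ELF magic.
    A WordPress docroot should hold no native executables, so any hit matters."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) == ELF_MAGIC:
                        hits.append(path)
            except OSError:  # unreadable or vanished file: skip it
                continue
    return sorted(hits)

def processes_under(ps_lines, root, user="daemon"):
    """Parse `ps aux`-style lines; return [(pid, command)] for processes owned by
    user whose command names a path under root (wrapper `sh -c` and bare binary)."""
    prefix = root.rstrip("/") + "/"
    flagged = []
    for line in ps_lines:
        fields = line.split(None, 10)  # field 11 is the full command line
        if len(fields) < 11 or fields[0] != user:
            continue
        pid, cmd = fields[1], fields[10]
        if any(tok.startswith(prefix) for tok in cmd.split()):
            flagged.append((pid, cmd))
    return flagged

# Constructed sample in the shape of the ps output above; the php-fpm worker must not be flagged.
SAMPLE_PS = [
    "daemon 17812 0.0 0.0 2576 0 ? S Dec10 0:00 sh -c /opt/bitnami/wordpress/wp-includes/art/bandarqq/sp_config > /dev/null 2>&1",
    "daemon 17813 3.2 0.0 22048 4 ? R Dec10 434:50 /opt/bitnami/wordpress/wp-includes/art/bandarqq/sp_config",
    "daemon 2000 0.1 0.5 90000 1200 ? S Dec10 1:02 php-fpm: pool www",
]

def demo_scan():
    """Scan a throwaway tree (constructed: one fake ELF header, one PHP file)."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "wp-includes", "art")
        os.makedirs(sub)
        with open(os.path.join(sub, "sp_config"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # header only
        with open(os.path.join(sub, "index.php"), "wb") as fh:
            fh.write(b"<?php // benign\n")
        return [os.path.basename(p) for p in find_elf_files(tmp)]
```

Run `find_elf_files("/opt/bitnami/wordpress")` on the real docroot to list candidates, and feed the output of `ps aux` to `processes_under` to pair each binary with the PIDs to stop before deleting it.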