A WordPress site owner recently asked me for help: she suspected that her site had been hacked, and the CPU utilization of her EC2 instance was pegged at 100%. She had already rebooted to remedy the situation, so initially I could not find anything wrong: no suspicious processes were running and the network socket connections seemed fine.
The next day she contacted me again, this time right away, while her site was bogged down. Despite the extremely high CPU utilization I was able to SSH into the instance after all. And there they were: a bunch of processes appearing to run as “/usr/bin/fakeproc”.
A quick search for a script file did not reveal anything, but socket connections were piling up, indicating that the system was compromised and being used as a host of some sort. Killing the processes did not work either. The first thing I did was disable port 80, which immediately dropped CPU utilization. Surprisingly, the fakeproc processes were gone as well.

Her WordPress installation was up to date, including all plugins and themes, so the TinyThumb vulnerability seemed out of the question. Nonetheless, searching for tinythumb.php revealed an old backup of the theme sitting in the themes directory, containing an unpatched version of the file. Removing the old theme fixed the issue.
Lesson learned: keep your WordPress code base up to date, including themes and plugins. Just as important, remove old backups and any code that is no longer used. Those leftover files may still be reachable from the web and vulnerable.
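One way to act on that lesson is a small audit script that hunts for leftover copies of a known file (here tinythumb.php, the file from this incident) anywhere under wp-content, and separates the copy in the active theme from the ones sitting in backups or inactive themes. This is an added example, not the author's script or a WordPress tool; the active theme name, the wp-content path and the sample directory tree are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a WordPress wp-content tree for leftover copies of a
# file (e.g. tinythumb.php) outside the active theme. The sample tree built
# by make_sample_tree is constructed for this demo; real runs point
# WP_CONTENT at the site's wp-content directory.

# Print every copy of FILE_NAME under WP_CONTENT, one path per line, sorted.
list_copies() {
  wp_content="$1"; file_name="$2"
  find "$wp_content" -type f -name "$file_name" | sort
}

# Print only the copies that live OUTSIDE the active theme directory.
# ACTIVE_THEME is the directory name under wp-content/themes; it is assumed
# to be known (e.g. from the site's settings), not discovered by this script.
list_stale_copies() {
  wp_content="$1"; file_name="$2"; active_theme="$3"
  find "$wp_content" -type f -name "$file_name" \
    ! -path "$wp_content/themes/$active_theme/*" | sort
}

# Print theme directories other than the active one (old backups show up here).
list_inactive_themes() {
  wp_content="$1"; active_theme="$2"
  for d in "$wp_content"/themes/*/; do
    name=$(basename "$d")
    [ "$name" = "$active_theme" ] || echo "$name"
  done | sort
}

# Build a constructed sample tree: a patched copy in the live theme and an
# old unpatched copy left behind in a backup of that theme.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/themes/mytheme/inc" \
           "$root/themes/mytheme-backup-2013/inc" \
           "$root/uploads"
  printf '<?php // patched copy (constructed)\n' \
    > "$root/themes/mytheme/inc/tinythumb.php"
  printf '<?php // old unpatched copy (constructed)\n' \
    > "$root/themes/mytheme-backup-2013/inc/tinythumb.php"
  printf 'not php' > "$root/uploads/image.jpg"
}

# Stand-alone demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  echo "All copies of tinythumb.php:";        list_copies "$tmp" tinythumb.php
  echo "Copies outside the active theme:";     list_stale_copies "$tmp" tinythumb.php mytheme
  echo "Theme directories other than mytheme:"; list_inactive_themes "$tmp" mytheme
  rm -rf "$tmp"
fi
```

Run it against a real install as `list_stale_copies /var/www/html/wp-content tinythumb.php <active-theme>`; every path it prints is a copy that no longer has a reason to exist on the server and, as this incident showed, is still served by the web server if someone requests it.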
If you suspect that your site may be infected, there is a handy plugin that scans your directories to detect an infection. Get it here.