I was recently called for help by a WordPress-based site owner who suspected that her site had been hacked and that CPU utilization of her EC2 instance was pegged at 100%. She had rebooted to remedy the situation, hence I initially could not find anything wrong: no suspicious processes running, and network socket connections seemed fine.
The next day she contacted me again, this time right away while her site was bogged down. Despite extremely high CPU utilization, I was able to SSH into the instance after all. And there they were, a bunch of processes appearing to run as “/usr/bin/fakeproc”.
A quick search for a script file did not reveal anything, but socket connections piled up, indicating that the system was compromised as a host of some sort. Killing the processes did not work either.
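As an added example (not code from the original post), here is a small Linux triage script for exactly this situation: it walks /proc and flags processes whose advertised argv[0] does not match the binary actually mapped at /proc/&lt;pid&gt;/exe, whose binary has been deleted from disk while still running, or whose binary lives in a world-writable temp directory. The process-table records in SAMPLE are constructed for an offline run; the "/usr/bin/fakeproc" entry mimics the post, and the /dev/shm path and pid values are assumptions.

```python
import os
from dataclasses import dataclass

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # common drop locations for unpacked payloads

@dataclass
class ProcInfo:
    pid: int
    cmdline: str  # raw /proc/<pid>/cmdline, NUL-separated argv
    exe: str      # target of the /proc/<pid>/exe symlink, "" if unreadable

def suspicious(p, path_exists=os.path.exists, realpath=os.path.realpath):
    """Return the reasons a process looks like it is masquerading (empty list = nothing found)."""
    reasons = []
    argv0 = p.cmdline.split("\0", 1)[0]
    if not argv0 or not p.exe:      # kernel threads have an empty cmdline and no readable exe
        return reasons
    exe = p.exe.removesuffix(" (deleted)")
    if exe != p.exe:                # the kernel appends " (deleted)" when the file is unlinked
        reasons.append("binary was deleted from disk while the process keeps running")
    if exe.startswith(TEMP_DIRS):
        reasons.append(f"executable lives in a world-writable temp dir: {exe}")
    if argv0.startswith("/"):       # process advertises an absolute path: check it is real
        if not path_exists(argv0):
            reasons.append(f"argv[0] {argv0} does not exist on disk")
        elif realpath(argv0) != realpath(exe):
            reasons.append(f"argv[0] {argv0} is not the binary actually mapped ({exe})")
    return reasons

def triage(procs, **checks):
    """Map pid -> reasons for every process that trips at least one check."""
    return {p.pid: r for p in procs if (r := suspicious(p, **checks))}

def scan_proc(proc="/proc"):
    """Collect ProcInfo for every live process; only meaningful on Linux, best run as root."""
    found = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc}/{name}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(f"{proc}/{name}/exe")
        except OSError:             # process exited, or we lack permission to read its exe link
            continue
        found.append(ProcInfo(int(name), cmdline, exe))
    return found

# Constructed sample process table (assumed values), modelled on the "/usr/bin/fakeproc" processes.
SAMPLE = [
    ProcInfo(4242, "/usr/bin/fakeproc\0", "/dev/shm/.x/kthreadd (deleted)"),
    ProcInfo(1337, "/bin/sh\0-c\0sleep 60", "/bin/sh"),
    ProcInfo(77, "", ""),           # kernel thread: nothing to check
]

if __name__ == "__main__":
    for pid, reasons in triage(scan_proc()).items():
        print(pid, *reasons, sep="\n  ")
```

On a live host, run it as root so every /proc/&lt;pid&gt;/exe link is readable; a process that names a path which is absent from disk, like the fakeproc entries above, is exactly what a search for a script file will miss.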