How to find a website that contains malware
Using high CPU
A site using a lot of CPU can be a common sign of malware. This could be because the site is hanging on connecting to an external command and control server (perhaps since taken down, or otherwise unable to reach it) or it could be because the site is attempting to mine cryptocurrency using the server’s CPU. If you see a site using a lot of CPU, and it is unexpected or doesn’t correlate with an increase in genuine site traffic it would be wise to check the processes that are running with strace to see if they are normal PHP/site processes or if something else is going on. It’s also a good idea to check through the site’s home directory for any unusual files or files that you don’t recognise as being a part of the site code.
It is a also a good idea to to restrict nproc and virtual CPUs which will mean that this type of malware can’t monopolise the performance of an individual server.
Long running binaries
Within a site’s application container normally you would expect to only see processes relating to the website site. Typically, this means PHP processes, but you may also see a bash process if the user is logged in to SSH for example. Binaries/processes running under a strange name in the application container can often be an indication that a site has malware. To kill a process that you think is suspicious or shouldn’t be there, you can run:-
kill -9 [process ID]Third Party Security Plugins
There are a number of third party security integrations available that can help detect and prevent malware on sites hosted on Enhance. These include but are not limited to:-
- Bitninja
- CPguard
- Monarx