You might notice heavy CPU consumption on your machine. Some of it may have a natural cause, for example a known script executed at a scheduled time, while some may be the result of a simple attack. Even if the attack does not succeed, the high CPU usage it generates on your server may eventually cause kernel hangs or starve other applications of CPU time. In other words, even though the attacker's goal has not been reached, you may end up in a worse situation on your server.
Let's look at a brief analysis of an attack involving a WordPress plugin known as "Hello Dolly". The event started with high CPU consumption on a server. By viewing the processes in htop or atop, you can determine which ones are consuming the most CPU.

1. Here is an idea of the processes consuming the most CPU, obtained by firing a simple ps command. Processes 829 and 4416 were the ones consuming the most CPU.
[root@server:/www/website.com/htdocs/wp-content]# ps aux|grep php
apache    829 6.2 0.5 351212 97492 ?       S   Oct05 127:36 php -q /tmp/tmp
apache   3459 0.3 0.3 416340 60080 ?       S   Oct06  1:43 php-fpm: pool www
apache   4416 7.2 0.5 336860 82656 ?       D   Oct05 146:43 php -q /tmp/tmp
apache   4753 0.2 0.3 420176 64048 ?       S   Oct06  1:20 php-fpm: pool www
root     7539 0.0 0.0 103248  868 pts/3   S+  06:55  0:00 grep php
2. We can notice that the process php -q /tmp/tmp emanates from a plugin on the server. For example, PID 4416 is corroborated by the lsof command, which shows the plugins directory as its current working directory.
[root@server:/www/website.com/htdocs/wp-content]# lsof plugins/
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF     NODE NAME
php      829 apache cwd   DIR  0,20    4096 168820763 plugins
php     4416 apache cwd   DIR  0,20    4096 168820763 plugins
bash   22664  root cwd   DIR  0,20    4096 168820763 plugins
php    29199 apache cwd   DIR  0,20    4096 168820763 plugins
php    29304 apache cwd   DIR  0,20    4096 168820763 plugins
php    30153 apache cwd   DIR  0,20    4096 168820763 plugins
3. If we run strace -p on 29199 we can notice that it is trying to open the /etc/hosts file and to create sockets, and that every attempt fails with EMFILE (Too many open files): the process has exhausted its file descriptor limit and keeps retrying, which explains the CPU consumption.
[root@server:/www/website.com/htdocs/wp-content/plugins]# strace -p 29199
Process 29199 attached - interrupt to quit
socket(PF_NETLINK, SOCK_RAW, 0)         = -1 EMFILE (Too many open files)
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
alarm(0)                                = 15
rt_sigaction(SIGALRM, {SIG_DFL, [], SA_RESTORER, 0x7f66381729a0}, NULL, 8) = 0
poll([{fd=3447, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
4. Another interesting piece of information, to know which website or URL the intrusion emanates from, is obtained by firing lsof -p on the PID:
[root@server:/www/website.com/logs]# lsof -p 29304
COMMAND  PID  USER  FD  TYPE    DEVICE SIZE/OFF      NODE NAME
php    29304 apache cwd   DIR      0,20    4096 168820763 /www/website.com/htdocs/wp-content/plugins
php    29304 apache rtd   DIR     253,0    4096         2 /
php    29304 apache txt   REG     253,2 4105624     16544 /usr/bin/php
5. If we now analyze the log by filtering only the bot entries, we can find some "POST" requests being carried out from IP 92.62.129.97. At first glimpse, it looks like a Google bot. Are we sure?
92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
92.62.129.97 - - [05/Oct/2015:21:20:43 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
6. Who is 92.62.129.97?
92.62.129.97
GeoIP Country Edition: LT, Lithuania
GeoIP City Edition, Rev 1: LT, N/A, N/A, N/A, N/A, 56.000000, 24.000000, 0, 0
GeoIP ASNum Edition: AS42549 UAB Baltnetos komunikacijos
7. Did we notice that this IP is well known for attacks?
Check out this website: https://cleantalk.org/blacklists/92.62.129.97. You will notice that attacks were reported by several people, even against some Windows servers.
8. After more research, we can conclude that several WordPress users have encountered the same situation, where the Hello Dolly plugin was causing a heavy load on their servers. After they removed it, things changed. Ref:
- https://wordpress.org/support/topic/plugin-hello–dolly-this-is-a-hacke-plugin-it-messess-up-all-your-sites
- https://wordpress.org/support/topic/helophp-security-vulnerability
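As an added example (not part of the original post), the check behind step 5 written out: parse Apache combined log lines, pick out requests whose User-Agent claims to be Googlebot, and flag those that POST or whose source address fails forward-confirmed reverse DNS. The resolver is injectable; FakeResolver and the third log line are constructed so the code runs offline.

```python
import re
import socket

# Apache "combined" log format, as quoted in step 5 of the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample modelled on the post's excerpt (the third line is invented).
SAMPLE_LOG = """\
92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
92.62.129.97 - - [05/Oct/2015:21:20:43 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [05/Oct/2015:21:22:10 -0400] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

def is_verified_googlebot(ip, resolver=socket):
    """Forward-confirmed reverse DNS: the PTR name must lie under googlebot.com or
    google.com and must resolve back to the same address (resolver is injectable)."""
    try:
        host = resolver.gethostbyaddr(ip)[0]
        if not host.endswith((".googlebot.com", ".google.com")):
            return False
        return resolver.gethostbyname(host) == ip
    except OSError:
        return False

def audit_googlebot_claims(log_text, resolver=socket):
    """Map each IP presenting a Googlebot UA to the reasons it looks spoofed."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "Googlebot" not in m["ua"]:
            continue
        reasons = findings.setdefault(m["ip"], set())
        if m["method"] == "POST":
            reasons.add("POST from a crawler UA")  # Googlebot crawls with GET
        if not is_verified_googlebot(m["ip"], resolver):
            reasons.add("rDNS not under googlebot.com/google.com")
    return {ip: sorted(r) for ip, r in findings.items() if r}

class FakeResolver:
    """Offline stand-in for the socket module: only the constructed crawler resolves."""
    def gethostbyaddr(self, ip):
        if ip == "66.249.66.1":
            return ("crawl-66-249-66-1.googlebot.com", [], [ip])
        raise OSError("no PTR")
    def gethostbyname(self, host):
        return "66.249.66.1"
```

Run against the real log with the default resolver to get live DNS checks; the output lists only the addresses with at least one reason to distrust them.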
We can deduce how dangerous unknown WordPress plugins can be if their code is not properly audited by security experts. An analysis is very important before using such plugins.
Note: This information might be incomplete in some respects, as it may be that Hello Dolly was already compromised prior to the attack. The aim of this article is to show an analysis methodology for a case of high CPU consumption.