You might notice heavy CPU consumption on your machine. Sometimes it has a natural cause, for example a known script scheduled to run at a specific time; sometimes it is the side effect of a simple attack. Even when the attack itself fails, the load it generates can hang the kernel or starve other applications of CPU time. In other words, the attacker may not reach their goal, yet your server still ends up in a worse state.
Let's walk through a brief analysis of an attack caused by a WordPress plugin known as "Hello Dolly". The event started with high CPU consumption on a server; htop or atop will show which processes are responsible.
1. A simple ps command gives a first idea of which processes consume the most CPU. Here PIDs 829 and 4416 stand out: both are php -q /tmp/tmp, a PHP interpreter running a script out of /tmp, which is already suspicious on its own.
[root@server:/www/website.com/htdocs/wp-content]# ps aux|grep php
apache 829 6.2 0.5 351212 97492 ? S Oct05 127:36 php -q /tmp/tmp
apache 3459 0.3 0.3 416340 60080 ? S Oct06 1:43 php-fpm: pool www
apache 4416 7.2 0.5 336860 82656 ? D Oct05 146:43 php -q /tmp/tmp
apache 4753 0.2 0.3 420176 64048 ? S Oct06 1:20 php-fpm: pool www
root 7539 0.0 0.0 103248 868 pts/3 S+ 06:55 0:00 grep php
2. lsof on the plugins directory confirms that these php -q /tmp/tmp processes originate from a plugin: PIDs 829 and 4416, together with several other php processes, have their current working directory (cwd) inside wp-content/plugins. (The bash process is our own root shell.)
[root@server:/www/website.com/htdocs/wp-content]# lsof plugins/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
php 829 apache cwd DIR 0,20 4096 168820763 plugins
php 4416 apache cwd DIR 0,20 4096 168820763 plugins
bash 22664 root cwd DIR 0,20 4096 168820763 plugins
php 29199 apache cwd DIR 0,20 4096 168820763 plugins
php 29304 apache cwd DIR 0,20 4096 168820763 plugins
php 30153 apache cwd DIR 0,20 4096 168820763 plugins
3. strace -p 29199 shows the process repeatedly trying to open /etc/hosts and create sockets (the usual start of a name lookup before an outbound connection), and every call fails with EMFILE: the process has exhausted its open-file limit. The fd=3447 in the poll() call shows how many descriptors it has already accumulated, which suggests a loop of connection attempts whose descriptors are never closed, and explains the CPU burn.
[root@server:/www/website.com/htdocs/wp-content/plugins]# strace -p 29199
Process 29199 attached - interrupt to quit
socket(PF_NETLINK, SOCK_RAW, 0) = -1 EMFILE (Too many open files)
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
alarm(0) = 15
rt_sigaction(SIGALRM, {SIG_DFL, [], SA_RESTORER, 0x7f66381729a0}, NULL, 8) = 0
poll([{fd=3447, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
4. To learn which website (virtual host) the intrusion comes from, run lsof -p on one of the PIDs: the working directory points into that site's document root:
[root@server:/www/website.com/logs]# lsof -p 29304
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
php 29304 apache cwd DIR 0,20 4096 168820763 /www/website.com/htdocs/wp-content/plugins
php 29304 apache rtd DIR 253,0 4096 2 /
php 29304 apache txt REG 253,2 4105624 16544 /usr/bin/php
5. Filtering the site's access log for bot user agents turns up POST requests to /wp-content/plugins/index.php?cookie=1 from 92.62.129.97, carrying a Googlebot user agent. At first glance it looks like a Google crawler. Are we sure? Two things argue against it: a User-Agent header is set by the client and is trivially forged, and in a stock WordPress install wp-content/plugins/index.php is an empty placeholder that returns no content, whereas here a POST to it returns 200 with a 13-byte body.
92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
92.62.129.97 - - [05/Oct/2015:21:20:43 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
6. Who is 92.62.129.97? A GeoIP lookup places it in Lithuania, not in a Google network:
92.62.129.97
GeoIP Country Edition: LT, Lithuania
GeoIP City Edition, Rev 1: LT, N/A, N/A, N/A, N/A, 56.000000, 24.000000, 0, 0
GeoIP ASNum Edition: AS42549 UAB Baltnetos komunikacijos
7. Does this IP already have a reputation for attacks?
Check the blacklist entry at https://cleantalk.org/blacklists/92.62.129.97: the same address has been reported attacking other hosts, including Windows servers.
8. Further research shows that several WordPress users have run into the same situation, with the Hello Dolly plugin causing heavy load on their servers; removing it resolved the problem. Ref:
- https://wordpress.org/support/topic/plugin-hello–dolly-this-is-a-hacke-plugin-it-messess-up-all-your-sites
- https://wordpress.org/support/topic/helophp-security-vulnerability
This shows how dangerous an unknown WordPress plugin can be when its code has not been properly audited by people with a security background. Review such plugins before deploying them.
Note: This account may be incomplete, since the Hello Dolly plugin itself may already have been compromised before the attack. The aim of this article is to show an analysis methodology starting from the symptom of high CPU consumption.
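To make the eight steps above repeatable, here is an added example script of my own; it is not code from the original post or from WordPress. It assumes a Linux host with /proc, GNU ps (for --sort), awk, and dig for the crawler check; every function name is my own. The /proc-based triage_pid replaces lsof and the fd-exhaustion reading of the strace, and verify_googlebot implements Google's documented crawler verification (reverse-resolve the IP, require a googlebot.com or google.com name, then forward-resolve that name and require it to map back to the same IP). The sample log lines are constructed: the two 92.62.129.97 entries mirror the ones quoted above, the other two are invented.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux with /proc,
# GNU ps, awk and dig. Function names and sample data are the author's own.

# Step 1: PHP processes sorted by CPU (GNU ps --sort; header kept on line 1).
top_cpu_php() {
    ps -eo pid,user,pcpu,etime,args --sort=-pcpu | awk 'NR == 1 || /php/' | head -n "${1:-10}"
}

# Steps 2-4 without lsof/strace: where a PID runs from and how close it is to
# its file-descriptor limit. EMFILE in the strace above means "used" reached
# the soft limit. Reading another user's /proc/PID/fd requires root.
triage_pid() {
    pid=$1
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || true)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
    cmd=$(test -r "/proc/$pid/cmdline" && tr '\0' ' ' < "/proc/$pid/cmdline" || true)
    used=$(ls "/proc/$pid/fd" 2>/dev/null | wc -l | tr -d ' ')
    limit=$(awk '/^Max open files/ { print $4 }' "/proc/$pid/limits" 2>/dev/null || true)
    printf 'pid %s\n  cwd: %s\n  exe: %s\n  cmd: %s\n  fds: %s used / soft limit %s\n' \
        "$pid" "${cwd:-?}" "${exe:-?}" "${cmd:-?}" "$used" "${limit:-?}"
}

# Step 5: POST requests whose User-Agent claims to be a search crawler,
# counted per source IP and path (query string dropped). Reads a combined
# format access log from stdin; prints "count ip path", most frequent first.
suspect_bot_posts() {
    awk '
        $6 == "\"POST" && /(Googlebot|bingbot)/ {
            path = $7
            sub(/[?].*/, "", path)
            n[$1 " " path]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Steps 6-7: the User-Agent proves nothing. A genuine Googlebot PTR name ends
# in googlebot.com or google.com (suffix match, so "googlebot.com.evil.example"
# is rejected) and must forward-resolve to the same address.
ptr_is_google() {
    case "$1" in
        *.googlebot.com|*.google.com) return 0 ;;
        *) return 1 ;;
    esac
}

verify_googlebot() {
    ip=$1
    name=$(dig +short -x "$ip" 2>/dev/null | head -n 1)
    name=${name%.}                      # strip the trailing dot dig prints
    if [ -z "$name" ]; then
        echo "$ip: no PTR record"; return 1
    fi
    if ! ptr_is_google "$name"; then
        echo "$ip: PTR $name is not a Google crawler host"; return 1
    fi
    if dig +short A "$name" 2>/dev/null | grep -qx "$ip"; then
        echo "$ip: verified Googlebot ($name)"; return 0
    fi
    echo "$ip: $name does not resolve back to $ip (forged PTR?)"; return 1
}

# Constructed sample log: lines 1-2 mirror the post, lines 3-4 are invented
# (a real-looking crawler GET and a browser POST, both of which must be ignored).
sample_log() {
    cat <<'EOF'
92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
92.62.129.97 - - [05/Oct/2015:21:20:43 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [05/Oct/2015:21:22:10 -0400] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [05/Oct/2015:21:30:01 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"
EOF
}

# Walk-through on the constructed log and on this shell's own PID (no network,
# no root needed). On the real server: top_cpu_php; triage_pid 29199;
# suspect_bot_posts < /www/website.com/logs/access_log; verify_googlebot 92.62.129.97
sample_log | suspect_bot_posts
triage_pid $$
```

verify_googlebot needs DNS access, so run it from a connected host; the other functions work offline. If the reverse lookup of a "Googlebot" source returns no PTR, a non-Google name, or a name that does not resolve back to the address, treat the user agent as forged and block on IP, not on User-Agent.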