So, I just opened the server monitor on my GCP with Debian and saw that the CPU was 100% utilized for almost 3 hours.
I ran the top command and saw that some command run by www-data named phptASyGL_53bhc was eating 100% CPU. I restarted apache2 and it disappeared.
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
11254 www-data 20 0 184688 9408 4392 S 94.2 0.2 130:11.33 phptASyGL_53bhc
But how do I find what executed this command and what it affected? Did it do any harm to me?
I watched access.logs and it mostly has internal dummy connections.
other_vhosts_logs also has nothing interesting at the time it started. GET / POST requests to my websites.
I'm not sure where to dig to prevent this from happening.
I did a little search and found a command:
pwdx
waited for the process to appear again:
typed in:
Got server response pointing to website folder:
I think it's better to start updating this site or removing it.
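
What pwdx reports is the target of /proc/PID/cwd. The sketch below, an added example that is not part of the original post, reads that link together with exe, cmdline and the parent PID while the process is still running. The function name proc_triage and its optional second argument (an alternate proc root) are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: collect the basics about a suspicious process from /proc
# before it is killed or the web server is restarted.
# proc_triage and its PROC_ROOT argument are hypothetical names.
# Reading another user's exe link normally requires root.

proc_triage() {
    local pid="$1" root="${2:-/proc}" dir exe
    dir="$root/$pid"
    [ -d "$dir" ] || { echo "no such process: $pid" >&2; return 1; }

    # cwd is the value pwdx prints: the process's working directory.
    echo "cwd=$(readlink "$dir/cwd" 2>/dev/null)"

    # exe points at the binary on disk; the kernel appends " (deleted)"
    # when the file was unlinked after launch.
    exe=$(readlink "$dir/exe" 2>/dev/null || true)
    echo "exe=$exe"
    case "$exe" in
        *" (deleted)") echo "exe_deleted=yes" ;;
        *)             echo "exe_deleted=no" ;;
    esac

    # cmdline is NUL-separated; turn it into one readable line.
    echo "cmdline=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" | sed 's/ $//')"

    # Name, parent PID and real UID from the status file (tab-separated).
    awk -F'\t' '
        $1 == "Name:" { print "name=" $2 }
        $1 == "PPid:" { print "ppid=" $2 }
        $1 == "Uid:"  { print "uid="  $2 }
    ' "$dir/status" 2>/dev/null
}

# Stand-alone use: ./proc_triage.sh PID
if [ "$#" -gt 0 ]; then
    proc_triage "$@"
fi
```

The ppid value can be fed back into the same function to walk up to the Apache worker that spawned the process, and the cwd narrows the search to one site's directory.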