How do I find which file or request executed a particular command? DAMP


So, I just opened the server monitor on my GCP with Debian and saw that the CPU was 100% utilized for almost 3 hours.

I ran the top command and saw that some command run by www-data named phptASyGL_53bhc is eating 100% CPU. I restarted apache2 and it disappeared.

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND                                         
11254 www-data  20   0  184688   9408   4392 S 94.2  0.2 130:11.33 phptASyGL_53bhc  

But how do I find what executed this command and what it affected? Did it do any harm to me?

I watched access.logs and it mostly has internal dummy connections.

other_vhosts_logs also has nothing interesting at the time it started. GET / POST requests to my websites.

I'm not sure where to dig to prevent this from happening.

Sam Tyurenkov On BEST ANSWER

I did a little search and found a command:

pwdx

waited for the process to appear again:

PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND                                         
27512 www-data  20   0  184688   9132   4124 S 86.5  0.2 421:48.47 phpbGE2XL_53bhc

typed in:

pwdx 27512

Got server response pointing to website folder:

27512: /var/www/magnus/siteapps/joomla-6611/htdocs/administrator/components/com_tags/models

I think it's better to start updating this site or removing it.
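
An added example, not part of the answer above: besides the working directory that pwdx reports, /proc holds the binary path, command line, parent PID and start time of a running process, and the start time can be matched against access log timestamps. It assumes Linux /proc, GNU date and Apache's default log timestamp format; the function names and the PROC_ROOT and CLK_TCK overrides are this example's own.

```shell
#!/usr/bin/env bash
# Added example: triage a suspicious PID from /proc before it is killed.
# PROC_ROOT is overridable (assumption of this example) so the functions
# can also be run against a saved copy of a /proc/PID directory.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Working directory of the process: the same symlink pwdx reads.
proc_cwd() { readlink "$PROC_ROOT/$1/cwd"; }

# Path of the binary; the kernel appends " (deleted)" if it was unlinked.
proc_exe() { readlink "$PROC_ROOT/$1/exe"; }

# Full command line (arguments are NUL-separated in /proc).
proc_cmdline() { tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ $//'; }

# Fields of /proc/PID/stat after "(comm)"; comm itself may contain spaces.
stat_fields() { sed 's/^.*) //' "$PROC_ROOT/$1/stat"; }

# Parent PID: 4th field of stat, i.e. the 2nd after comm.
proc_ppid() { stat_fields "$1" | awk '{print $2}'; }

# Start time as Unix epoch: boot time + starttime (22nd field) / clock ticks.
proc_start_epoch() {
  local ticks btime hz
  ticks=$(stat_fields "$1" | awk '{print $20}')
  btime=$(awk '$1 == "btime" {print $2}' "$PROC_ROOT/stat")
  hz=${CLK_TCK:-$(getconf CLK_TCK)}
  echo $(( btime + ticks / hz ))
}

# Print everything at once; "started" uses the Apache access log time format
# so it can be compared with requests logged around that moment.
triage() {
  local pid=$1 start
  start=$(proc_start_epoch "$pid")
  echo "pid:     $pid (parent $(proc_ppid "$pid"))"
  echo "cwd:     $(proc_cwd "$pid")"
  echo "exe:     $(proc_exe "$pid")"
  echo "cmdline: $(proc_cmdline "$pid")"
  echo "started: $(date -d "@$start" '+%d/%b/%Y:%H:%M:%S %z')"
}

# Usage: triage 27512
```

Run it as root while the process is still alive, since the cwd and exe links of another user's process are not readable otherwise and everything under /proc/PID vanishes once the process exits.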