I have Ubuntu 16.04 and DA updated to the latest version. We also have Installatron.
We see a strange file that has kept the server's CPU loaded to 176 percent for over 2 weeks now:
If I go to DA Admin -> Process Monitor, I see this:
30217 <THE_USER> 20 0 2938476 2.289g 3832 S 176.5 23.4 1173:14 /home/<THE_USER>/domains/test.<THE_DOMAIN>.com/private_html/wp-admin/wp-update -B -l /dev/null
That file is ~2 MiB, and was created at 6:30 AM on June 15th. Nobody works for us so early.
And if I open that file, it is a binary file; it does not look like a WordPress update.
Also if I go to http://checkfiletype.com/upload-and-check , and upload that file, I get:
File Type: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x8d292bfaf2b7358c244b6a11ae8bc9b42bb11607, stripped
MIME Type: application/x-executable
Suggested file extension(s): so
File Meta Data
File Size 2.6 MB
File Type ELF executable
File Type Extension
MIME Type application/octet-stream
CPU Architecture 64 bit
CPU Byte Order Little endian
Object File Type Executable file
CPU Type AMD x86-64
So is that a virus?
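
A triage sketch for the two signals described in the post above, added here as an example and not part of the original post: it flags a top-style process line whose executable runs from inside a web root at high CPU, and walks a directory tree for files that begin with the ELF magic bytes. The web-root path pattern, the CPU threshold, the `/home` scan root and the placeholder user and domain are assumptions.

```python
import os
import re

ELF_MAGIC = b"\x7fELF"
# Assumption: DirectAdmin-style web roots, /home/<user>/domains/<domain>/{public,private}_html/
WEBROOT_RE = re.compile(r"^/home/[^/]+/domains/[^/]+/(public_html|private_html)/")

def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def find_elf_files(root):
    """Walk a tree and return every regular, non-symlink file that is an ELF binary."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full) and is_elf(full):
                hits.append(full)
    return sorted(hits)

def parse_top_line(line):
    """Parse one line: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND."""
    f = line.split(None, 11)
    if len(f) < 12:
        return None
    cmd = f[11]
    return {"pid": int(f[0]), "user": f[1], "cpu": float(f[8]),
            "exe": cmd.split()[0], "cmd": cmd}

def suspicious(proc, cpu_threshold=50.0):
    """Flag a process whose executable sits inside a web root and burns CPU."""
    return bool(proc and WEBROOT_RE.match(proc["exe"]) and proc["cpu"] >= cpu_threshold)

# Constructed sample modelled on the Process Monitor line in the post
# (user and domain are placeholders, not values from the page).
SAMPLE = ("30217 exampleuser 20 0 2938476 2.289g 3832 S 176.5 23.4 1173:14 "
          "/home/exampleuser/domains/test.example.com/private_html/wp-admin/wp-update -B -l /dev/null")

if __name__ == "__main__":
    print("suspicious process:", suspicious(parse_top_line(SAMPLE)))
    for hit in find_elf_files("/home"):  # assumed scan root
        print("ELF file found:", hit)
```

A native executable inside a WordPress directory is unusual because WordPress itself ships only PHP, JavaScript and static assets, so any hit under a web root deserves a closer look.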