High CPU Usage Issue

Heya @guramchankseliani,

That’s a really strange script! Try to locate it and then read it to see what it does! I’ve not seen such a script before.

It’s possible it’s somesort of malware, just so you know or it can be a script that some of the software you have is using.

Hi there,

Indeed, the /popz script is not a standard Linux or Nginx script, which suggests that it could be either a custom script or something that has been added maliciously. To investigate:

• Check the location of the script: ls -l /popz
• View the contents of the script to understand what it does: cat /popz

It’s possible that this script is being executed regularly via a cron job or another scheduling tool. Check the cron jobs for the user or system:

• List cron jobs for the current user: crontab -l
• List cron jobs for all users: sudo ls /var/spool/cron/crontabs/
• Check system-wide cron jobs: sudo cat /etc/crontab and sudo ls /etc/cron.d/

Since the script reappears after you kill it, this could be indicative of a compromise or persistent script that is being reloaded by a backdoor or malicious process. What you might have to do is review your code and make sure that this is not the case, or try to restore from a working backup before this started occuring.

Another thing that you should do is to check your system logs in /var/log/ for any unusual activity or messages related to this script. Start with syslog and auth.log to see if there are any clues:

• sudo grep -i popz /var/log/syslog
  • sudo grep -i popz /var/log/auth.log

Basically you should review the script and if it is legitimate, try to understand its purpose and whether it’s required. If it’s causing excessive CPU load, consider optimizing it or reducing its frequency. But i the script is malicious, you should remove it immediately, and consider re-securing your server, possibly by rebuilding it if the compromise is severe or restoring it from a working backup.

Let me know how it goes!

- Bobby