How to Find a Website That Contains Malware

Diagnostic: Abnormal CPU Usage

Sustained high CPU usage is often the first indicator of a compromised site. This usually occurs because the malware is:

  • Attempting to connect to an external Command and Control (C2) server.
  • Actively mining cryptocurrency using your server's hardware.
  • Executing outbound DDoS attacks.

Investigation Steps:

  1. Compare CPU spikes against genuine traffic logs; if they don't correlate, the activity is likely malicious.
  2. Use strace on the active process IDs to determine if the activity is standard PHP execution or something else.
  3. Scan the site's home directory for unrecognized files or scripts.

Preventative Mitigation

Restrict nproc and Virtual CPUs within the website's package settings. This ensures that even if a site is compromised, it cannot monopolize the entire server's performance.

Identifying Long-Running Binaries

In an LxRoot application container, you should typically only see processes related to the website (e.g., php-fpm, lsphp, or bash for active SSH sessions). Any binary running under a cryptic or randomized name is a red flag.

If you identify a suspicious process, you can terminate it immediately using the PID:

kill -9 [process ID]
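
The process check above, combined with investigation steps 2 and 3 from the CPU section, as an added shell helper that is not LxRoot's own tooling; the process allowlist, the CPU threshold and the sample `ps` lines are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added triage helper, not LxRoot's own tooling. It applies steps 2-3 above and
# the "unexpected binary" check to `ps -eo pid,pcpu,comm --no-headers` output.
# The allowlist and threshold are assumptions; tune them to the site's package.

ALLOWED_PROCS="php-fpm lsphp bash sh sshd"   # expected in a web container
CPU_THRESHOLD=50                             # whole-number %CPU, assumed

# is_allowed NAME: succeeds when NAME is an expected web-serving process.
is_allowed() {
    for p in $ALLOWED_PROCS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# flag_procs < ps-output: prints "PID %CPU COMM REASON" per suspicious process.
flag_procs() {
    while read -r pid cpu comm; do
        [ -z "$pid" ] && continue
        reason=""
        if ! is_allowed "$comm"; then
            reason="unexpected-binary"
        fi
        if [ "${cpu%.*}" -ge "$CPU_THRESHOLD" ]; then   # drop the decimals
            reason="${reason:+$reason,}high-cpu"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s %s %s\n' "$pid" "$cpu" "$comm" "$reason"
        fi
    done
    return 0
}

# recent_files DIR DAYS: files under DIR modified in the last DAYS days
# (step 3). Run it after `kill -9`: SIGKILL stops the process but not a
# dropped script or cron entry that respawns it.
recent_files() {
    find "$1" -type f -mtime "-$2" 2>/dev/null
}

# Constructed sample ps output, not captured from a real host.
SAMPLE_PS='1201 2.3 php-fpm
1205 0.0 bash
1309 97.5 x7f3kq
1310 63.0 lsphp'

# Live use: ps -eo pid,pcpu,comm --no-headers | flag_procs
printf '%s\n' "$SAMPLE_PS" | flag_procs
```

On the sample input the randomized `x7f3kq` process is flagged for both reasons and `lsphp` only for CPU, which is the distinction between a foreign binary and a legitimate interpreter that is merely busy.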

Third-Party Security Integrations

For automated detection and real-time protection, LxRoot supports several industry-standard security suites:

  • Bitninja: Full-stack security including WAF and Honeypots.
  • CPGuard: Specialized malware scanner and cleanup tool.
  • Monarx: Non-intrusive, automated malware protection for web apps.