Help Needed: Investigating Suspicious Process on My VPS - Suspected Malicious Activity

Hi everyone,

I need some help with an issue I’m experiencing on my VPS running Ghost CMS. I’m concerned that my server may have been compromised, and I could use your expertise in identifying and resolving the problem.

The Situation:

I noticed an unusual process running on my VPS under the user ghost. Here’s the process:

```bash
ghost       1851  1.0 24.7 22379952 259180 ?     Sl   17:34   0:41 /home/ghostuser/.nvm/versions/node/v20.11.1/bin/nodmysql
```

  • Command Path: /home/ghostuser/.nvm/versions/node/v20.11.1/bin/nodmysql
  • Memory Usage: It was consuming around 24.7% of memory, which is a significant amount.
  • User: This process was running under the ghost user, which is used by Ghost CMS.

Steps Taken:

  1. Investigated the process: The command path looked unusual. I couldn’t find any references to nodmysql in my server setup or documentation. This raised my suspicion.
  2. Killed the process: I ran the following command to terminate the process:

```bash
sudo kill 1851
```

Now, I’m worried that this might have been a legitimate process (possibly related to my Node.js setup for Ghost), and I need help determining whether it was malicious or just misconfigured.

What I’m Looking For:

  • Identification of the process: Does anyone recognize nodmysql? Could it be part of a legitimate Node.js app, or is this something that might have been installed maliciously?
  • How to safely restart the process: I know I killed the process, but I’m not sure how to safely restart it (if it was legitimate) without potentially causing further issues.
  • Security check recommendations: What steps should I take to check for any other signs of compromise or unauthorized access? Are there tools or logs I should look at?
  • System Hardening: Given this experience, I’d love advice on securing my VPS moving forward to prevent future issues.

Current Setup:

  • My server is running Ubuntu 20.04.
  • Ghost CMS is installed and running under the user ghostuser.
  • The suspicious process was related to Node.js (version v20.11.1 installed using NVM).

I’d greatly appreciate any guidance on how to proceed. Thanks in advance for your help!


```bash
ghostuser@linux:/root$ ps aux --sort=-%mem | grep node
ghost 10010 1.9 17.5 11827620 183652 ? Sl 18:46 0:15 /home/ghostuser/.nvm/versions/node/v20.11.1/bin/node current/index.js
ghostus+ 12900 0.0 0.1 3308 1480 pts/0 S+ 19:00 0:00 grep node
```
Looking forward to hearing from the community. :pray:
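An added triage helper (not from the post or from Ghost/nvm) for the kind of check described above: it parses `ps aux` output and flags any process whose executable sits in an nvm-managed bin directory under a name nvm does not normally install there, which is exactly how `nodmysql` stands out next to the real `node`. The allow-list of expected nvm binaries, the 20% memory threshold and the sample `ps` rows are assumptions constructed from the post so the script runs offline.

```python
"""Added triage helper (not from the post): flag processes whose executable
sits in an nvm bin directory under a name nvm does not normally install there.
PS_SAMPLE and EXPECTED_NVM_BINS are constructed/hard-coded so this runs offline;
on a live host they would come from `ps aux` and `ls` of the bin directory."""
import os
import re

# Binaries a stock nvm install places in versions/node/<ver>/bin (assumption).
EXPECTED_NVM_BINS = {"node", "npm", "npx", "corepack"}
NVM_BIN_RE = re.compile(r"^/home/[^/]+/\.nvm/versions/node/v[\d.]+/bin/")
MEM_PCT_THRESHOLD = 20.0  # anything above this %MEM is worth a second look

# Constructed sample in `ps aux` layout, built from the lines quoted in the post.
PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
ghost     1851  1.0 24.7 22379952 259180 ?     Sl   17:34   0:41 /home/ghostuser/.nvm/versions/node/v20.11.1/bin/nodmysql
ghost    10010  1.9 17.5 11827620 183652 ?     Sl   18:46   0:15 /home/ghostuser/.nvm/versions/node/v20.11.1/bin/node current/index.js
ghostus+ 12900  0.0  0.1   3308   1480 pts/0    S+   19:00   0:00 grep node
"""

def parse_ps_aux(text):
    """Yield (user, pid, mem_pct, command) rows; COMMAND keeps its embedded spaces."""
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 10)       # COMMAND is the 11th whitespace-separated field
        if len(fields) == 11:
            yield fields[0], int(fields[1]), float(fields[3]), fields[10]

def triage(ps_text):
    """Return {pid: [reasons]} for processes that look out of place."""
    findings = {}
    for user, pid, mem, cmd in parse_ps_aux(ps_text):
        exe = cmd.split()[0]                # argv[0] as ps reports it
        reasons = []
        if NVM_BIN_RE.match(exe) and os.path.basename(exe) not in EXPECTED_NVM_BINS:
            reasons.append(f"unexpected binary '{os.path.basename(exe)}' in nvm bin dir")
        if mem > MEM_PCT_THRESHOLD:
            reasons.append(f"%MEM {mem} exceeds {MEM_PCT_THRESHOLD}")
        if reasons:
            findings[pid] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in triage(PS_SAMPLE).items():
        print(f"PID {pid}: {'; '.join(reasons)}")
```

A flag from this script is a reason to preserve the binary and its /proc entry for inspection before killing anything, not proof of compromise; a legitimate Ghost worker under the real `node` binary (PID 10010 in the sample) passes cleanly.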