Hi everyone,
I need some help with an issue I’m experiencing on my VPS running Ghost CMS. I’m concerned that my server may have been compromised, and I could use your expertise in identifying and resolving the problem.
The Situation:
I noticed an unusual process running on my VPS under the user `ghost`. Here’s the process:
```bash
ghost 1851 1.0 24.7 22379952 259180 ? Sl 17:34 0:41 /home/ghostuser/.nvm/versions/node/v20.11.1/bin/nodmysql
```
- Command Path: `/home/ghostuser/.nvm/versions/node/v20.11.1/bin/nodmysql`
- Memory Usage: It was consuming around 24.7% of memory, which is a significant amount.
- User: This process was running under the `ghost` user, which is used by Ghost CMS.
Steps Taken:
- Investigated the process: The command path looked unusual. I couldn’t find any references to `nodmysql` in my server setup or documentation. This raised my suspicion.
- Killed the process: I ran the following command to terminate the process:
```bash
sudo kill 1851
```
Now, I’m worried that this might have been a legitimate process (possibly related to my Node.js setup for Ghost), and I need help determining whether it was malicious or just misconfigured.
What I’m Looking For:
- Identification of the process: Does anyone recognize `nodmysql`? Could it be part of a legitimate Node.js app, or is this something that might have been installed maliciously?
- How to safely restart the process: I know I killed the process, but I’m not sure how to safely restart it (if it was legitimate) without potentially causing further issues.
- Security check recommendations: What steps should I take to check for any other signs of compromise or unauthorized access? Are there tools or logs I should look at?
- System Hardening: Given this experience, I’d love advice on securing my VPS moving forward to prevent future issues.
Current Setup:
- My server is running Ubuntu 20.04.
- Ghost CMS is installed and running under the user `ghostuser`.
- The suspicious process was related to Node.js (version `v20.11.1` installed using NVM).
I’d greatly appreciate any guidance on how to proceed. Thanks in advance for your help!
```bash
ghostuser@linux:/root$ ps aux --sort=-%mem | grep node
ghost 10010 1.9 17.5 11827620 183652 ? Sl 18:46 0:15 /home/ghostuser/.nvm/versions/node/v20.11.1/bin/node current/index.js
ghostus+ 12900 0.0 0.1 3308 1480 pts/0 S+ 19:00 0:00 grep node
```
Looking forward to hearing from the community.
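One concrete check for the "is `nodmysql` part of Node?" question, written here as an added example rather than anything from the post or from Ghost/nvm: a stock nvm `bin/` directory contains the `node` binary plus symlinks (npm, npx, corepack, globally installed package bins) that point into `../lib/node_modules`, so any other regular file or a symlink pointing elsewhere is something nvm/npm did not put there. The directory layout below is constructed inline to mirror the poster's path; point `audit_node_bin` at the real `~/.nvm/versions/node/v20.11.1/bin` on the server.

```shell
#!/bin/sh
# Audit an nvm node bin directory for entries nvm/npm would not create.
# Prints each anomaly; returns 0 if clean, 1 if anything was flagged, 2 on bad input.
audit_node_bin() {
    bindir=$1
    found=0
    [ -d "$bindir" ] || { echo "no such directory: $bindir" >&2; return 2; }
    for entry in "$bindir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty dir -> literal '*'
        name=$(basename "$entry")
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
            case $target in
                ../lib/node_modules/*) ;;   # normal npm global-bin link
                *) echo "SUSPICIOUS symlink: $name -> $target"; found=1 ;;
            esac
        elif [ "$name" != "node" ]; then
            # Only the node binary itself should be a regular file here.
            echo "SUSPICIOUS regular file: $name ($(stat -c '%U %s bytes %y' "$entry" 2>/dev/null || ls -l "$entry"))"
            found=1
        fi
    done
    return $found
}

# Show what a live process is actually executing (exe may differ from argv[0]).
describe_pid() {
    pid=$1
    [ -r "/proc/$pid/exe" ] || { echo "cannot read /proc/$pid (not Linux, no such pid, or no permission)" >&2; return 2; }
    printf 'exe: '; readlink "/proc/$pid/exe"
    printf 'cwd: '; readlink "/proc/$pid/cwd"
    printf 'cmdline: '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
}

# Constructed demo (not a real install): node binary, a normal npm link, and the stray file.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/lib/node_modules/npm/bin"
printf 'fake node\n' > "$demo/bin/node"
ln -s ../lib/node_modules/npm/bin/npm-cli.js "$demo/bin/npm"
printf 'fake\n' > "$demo/bin/nodmysql"
audit_node_bin "$demo/bin" || echo "audit found anomalies in $demo/bin"
rm -rf "$demo"
```

Run `describe_pid <pid>` while the process is still alive; once it is killed, only the on-disk audit and your logs remain.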