Hi all
Last Friday I received a mail from Dreamhost staff telling me that my hosting server was crashing a bit too frequently. They said that it appears to be over utilization of the CPU processing time. They sent me some information that I did not understand very well. Something like this:
"The entire server should be at no more than 2000cp so being at almost
800cp is around 40% (that's not really appropriate for shared hosting). I
did some investigating as it's quite often a bad IP or bot
(http://wiki.dreamhost.com/Finding_Causes_of_Heavy_Usage) and found this:
28 86.143.167.201
29 209.189.130.130
29 86.157.244.107
32 84.40.22.45
35 89.123.151.254
46 66.249.66.35
106 85.86.111.31
147 91.3.218.212
9274 208.113.244.19
scipio: 04:25 PM# pwd
/home/jlacalle/logs/jakintzazu.net/http
That IP is your own apache server - it should never show up in your
access.log and the fact that it is there indicates that you have a loop
in your code (perhaps on your index page somewhere that it references
itself) or in your .htaccess file for the site if you have one. This
causes major performance issues and so I have had to disable the domain
until you can correct this."
So I checked my site via FTP and I was very surprised when I found in the root some folders named i-play.org, mpva.com.au, saru-san.com and spam1999.sytes.com that had never been there. I also found another one named Maildir with three subfolders: cur, new and tmp. The second one was full of strange files with strange names (1201111203.V1bI31e335e.scipio.dreamhost.com, for example). Finally, inside my WPMU installation folder I found a very strange file named "Core" that has no relation to WPMU.
I have never been in a similar situation but I think that this means that my site was hacked.
I have deleted all those shitty folders, I have updated WPMU to the latest version (from 1.2.5a to 1.3), I have changed my admin access password but the issue isn't fixed yet.
This is the first time that I have had to face up to something like this. This morning I made a database copy and another one of the entire site.
So what do you think is the best way to fix this problem? What can I do? Any help would be appreciated.
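
The per-IP tally from the quoted support e-mail, as an added example (not part of the original post and not Dreamhost's own tooling): it counts requests per client address in an Apache access log and lists the paths requested by the server's own address, which is where to look for the loop. The log lines, timestamp and client addresses are constructed; only 208.113.244.19 comes from the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Apache common/combined log format: client IP first, request line in quotes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

def tally(lines):
    """Return (hits per client IP, per-IP Counter of requested paths)."""
    hits, paths = Counter(), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ip, path = m.group(1), m.group(3)
        hits[ip] += 1
        paths.setdefault(ip, Counter())[path] += 1
    return hits, paths

def self_request_report(lines, server_ip):
    """Summarise how much of the traffic comes from the server itself."""
    hits, paths = tally(lines)
    total = sum(hits.values())
    own = hits.get(server_ip, 0)
    return {
        "total": total,
        "own_hits": own,
        "own_share": own / total if total else 0.0,
        # The paths the server asks itself for point at the looping page/rule.
        "own_top_paths": paths.get(server_ip, Counter()).most_common(3),
        # Ascending, like the "count IP" listing in the e-mail.
        "ranking": sorted(hits.items(), key=lambda kv: kv[1]),
    }

SERVER_IP = "208.113.244.19"  # the address named in the post
STAMP = "[28/Jan/2008:16:20:01 -0800]"  # constructed timestamp

def entry(ip, path):
    return f'{ip} - - {STAMP} "GET {path} HTTP/1.1" 200 5120 "-" "-"'

# Constructed sample log; client addresses are documentation ranges.
SAMPLE = ([entry("203.0.113.7", "/")] + [entry(SERVER_IP, "/index.php")] * 4
          + [entry(SERVER_IP, "/feed/")] + [entry("198.51.100.23", "/feed/")] * 2
          + ["not a log line"])

if __name__ == "__main__":
    report = self_request_report(SAMPLE, SERVER_IP)
    for ip, count in report["ranking"]:
        print(f"{count:7d} {ip}")
    print(f"own share: {report['own_share']:.0%}", report["own_top_paths"])
```

Run against the real access.log by passing the open file object as `lines`; on a compromised account, the same path listing for unfamiliar addresses shows which files are being requested.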