Author Topic: User account infected

User account infected
« on: Today at 06:02:06 AM »
Hi

I have a user account which is making the CPU run at 100%.

I tried using various scanners (website built using WordPress). Nothing found.

ClamAV says the account is clean.

If I suspend the account, server CPU usage drops to 1-5%.

https://ibb.co/hPTWt2d
https://ibb.co/CspsBwdv
https://ibb.co/DPSwD8Bs

Please suggest

Re: User account infected
« Reply #1 on: Today at 10:56:19 AM »
Is the user's site running WordPress? I've seen a few get infected before.

Re: User account infected
« Reply #2 on: Today at 12:30:35 PM »
Yes. Running on WordPress.

None of the scanner plugins, like Wordfence, are detecting anything.

Re: User account infected
« Reply #3 on: Today at 12:38:53 PM »
This isn't a CWP bug.

From your images, it looks like your server fell victim to a PHP Injection Attack due to PHP not being secured correctly.

You can search the forums, they have how to cleanup the PHP infection.

What OS are you running?
What PHP version?

Re: User account infected
« Reply #4 on: Today at 01:06:09 PM »
Update all your plugins (one or more probably has a security vulnerability), install & run iThemes Security. Look at Sucuri's products/services.

Check PHP files for malicious injections -- sometimes the first <?php line has added code to the far right after many spaces to try to hide it. The CLI utility less shows it one way, but a code editor like nano puts a dollar sign to the right so you see the line is truncated and continues off the screen to the right. You can also look for malicious base64-encoded files, which attempt to obfuscate their real purpose. UnPHP is a good online decoder for such files:
https://www.unphp.net
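A small triage scanner for the two signs this reply describes (code parked far to the right of the <?php line behind a run of spaces, and base64/eval-style obfuscation calls), added here as an example and not part of the original post. The gap and line-width thresholds and the sample file are my own assumptions; point scan_tree at a user's document root to get file:line hits to inspect by hand.

```python
import re
from pathlib import Path

# Heuristics drawn from the thread: code hidden to the right of the <?php line
# behind a long run of blanks, and the usual obfuscation helpers.
GAP_RUN = 40                                    # assumed: blanks needed to count as "hidden"
LONG_GAP = re.compile(r'\S([ \t]{%d,})\S' % GAP_RUN)
OBFUSCATION = re.compile(
    r'\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)
LONG_LINE = 300                                 # assumed: anything wider is worth eyeballing


def scan_php_source(text, name="<memory>"):
    """Return (name, line_no, reason, snippet) tuples for one PHP file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LONG_GAP.search(line)
        if m:
            col = m.end() - 1                   # index where the hidden code resumes
            findings.append((name, n, "code resumes after %d-blank gap at column %d"
                             % (len(m.group(1)), col), line[col:col + 60]))
        for o in OBFUSCATION.finditer(line):
            findings.append((name, n, "obfuscation call %s(" % o.group(1).lower(),
                             line[o.start():o.start() + 60]))
        if len(line) > LONG_LINE:
            findings.append((name, n, "line is %d chars wide" % len(line), line[:60]))
    return findings


def scan_tree(root):
    """Walk a document root (e.g. a user's public_html) and scan every .php file."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue                            # unreadable file: skip it, keep going
        findings.extend(scan_php_source(text, str(path)))
    return findings


# Constructed sample, not taken from the thread: a normal opener followed by
# code hidden 80 columns to the right, the pattern the post describes seeing in nano.
SAMPLE = ("<?php" + " " * 80 + "eval(base64_decode('QUJD'));\n"
          "// ordinary theme code continues here\n"
          "echo 'hello';\n")

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_php_source(SAMPLE)
    for name, n, reason, snippet in hits:
        print("%s:%d: %s | %s" % (name, n, reason, snippet))
```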

Re: User account infected
« Reply #5 on: Today at 05:37:00 PM »
Google Hangouts:  rcschaff82@gmail.com