I experienced extraordinary CPU load on my hosting plan (a shared hosting plan with several websites hosted) and I found that many of the process came from one e-commerce website. I turned the website off and CPU load went down (was again in the normal zone).
I tried to figure out what was triggered this searching through the log files of the problematic website. I found the log files were created every 2-3 minutes, and all files contained similar code lines like the next block (I changed db user name, and the real folder names for the security reasons):
[20-Mar-2020 06:36:30 America/Chicago] PHP Warning: mysqli_connect(): (28000/1045): Access denied for user 'dbuser'@'localhost' (using password: YES) in /home4/myroot/public_html/website_folder/includes/classes/db/mysql/query_factory.php on line 64
[20-Mar-2020 06:36:30 America/Chicago] Request URI: /, IP address: 31.13.103.24
#1 mysqli_connect() called at [/home4/myroot/public_html/website_folder/includes/classes/db/mysql/query_factory.php:64]
#2 queryFactory->connect() called at [/home4/myroot/public_html/website_folder/includes/init_includes/init_database.php:23]
#3 require(/home4/myroot/public_html/website_folder/includes/init_includes/init_database.php) called at [/home4/myroot/public_html/website_folder/includes/autoload_func.php:48]
#4 require(/home4/myroot/public_html/website_folder/includes/autoload_func.php) called at [/home4/myroot/public_html/website_folder/includes/application_top.php:170]
#5 require(/home4/myroot/public_html/website_folder/includes/application_top.php) called at [/home4/myroot/public_html/website_folder/index.php:26]
and similar blocks of code that started with this line:
[24-Mar-2020 08:57:10 America/Chicago] PHP Warning: mysqli_connect(): (28000/1045): Access denied for user 'root'@'localhost' (using password: NO) in /home4/myroot/public_html/website_folder/includes/classes/db/mysql/query_factory.php on line 64
One log file contained dozens of these code blocks - one below the other. Does this look like external attempt in order to compromise the website (i.e. sql injection attempts)?
I see numerous log files with these lines correlated to high CPU load. Does anyone have explanation?
Thank you!