Process exe

[ZachICU]

After an update I notice a process

exe

eating up alot of memory.

I cant seem to track this down as to where its being run from.

Anyone have any suggestions?

Thanks
Zach

[ZachICU]

5717 nobody 16 0 496 460 428 R 97.2 0.0 0:06 exe

[Israel.lopez]

You could do a list open files and grep for that process name or PID.

lsof | grep exe or lsof | grep <PID>

It maybe a bnc server. Who knows.

[compunet2]

First, check your /tmp directory for the "exe" file (ls -la). If its not there, then, from / try: locate exe*. It may turn up a lot of results, but may help narrow it down.

[cyon]

After an update I notice a process

exe

eating up alot of memory.

I cant seem to track this down as to where its being run from.

Anyone have any suggestions?

Thanks
Zach

same problem here.
it keeps the load over 40 and every couple of seconds the PID changes.
this is a part of lsof:

Code:

exe       21318   nobody  cwd    DIR       58,1      4096          2 /
exe       21318   nobody  rtd    DIR       58,1      4096          2 /
exe       21318   nobody  txt    REG       58,2     84444        125 /tmp/upxBB1OAXQAP5J (deleted)
exe       21318   nobody  mem    REG       58,1     79864     116136 /lib/ld-2.3.2.so
exe       21318   nobody  mem    REG       58,1   1288460     115638 /lib/i686/libc-2.3.2.so
exe       21318   nobody    0u   CHR        1,3                17902 /dev/null
exe       21318   nobody    1u   CHR        1,3                17902 /dev/null
exe       21318   nobody    2u   CHR        1,3                17902 /dev/null
exe       21318   nobody    3u  sock        0,0              7921597 can't identify protocol
exe       21318   nobody    4u  sock        0,0              7928035 can't identify protocol
exe       21318   nobody    5u  sock        0,0              8115991 can't identify protocol
exe       21318   nobody    6u  sock        0,0              8295421 can't identify protocol
exe       21318   nobody    7u  sock        0,0              8496755 can't identify protocol
exe       21318   nobody    8u  sock        0,0             11271856 can't identify protocol
exe       21318   nobody    9u  sock        0,0             11463334 can't identify protocol
exe       21318   nobody   10u  sock        0,0             11831942 can't identify protocol
exe       21318   nobody   11u  sock        0,0             12012918 can't identify protocol
exe       21318   nobody   12u  sock        0,0             12904297 can't identify protocol
exe       21318   nobody   13u  sock        0,0             12963090 can't identify protocol
exe       21318   nobody   14u  sock        0,0             13062860 can't identify protocol
exe       21318   nobody   15w   REG       58,3 134058122     755272 /usr/local/apache/logs/error_log
exe       21318   nobody   16u  IPv4   37254614                  TCP server3.cyon.ch:49070->stream.jmi.or.jp:auth (ESTABLISHED)
exe       21318   nobody   18w   REG       58,3      1086     661433 /usr/local/apache/domlogs/xxxin.paxxxnz.ch-bytes_log
exe       21318   nobody   19w   REG       58,3      4564     661441 /usr/local/apache/domlogs/wikxi.nxx.ch-bytes_log
exe       21318   nobody   20w   REG       58,3         0     661385 /usr/local/apache/domlogs/fixxxeva.ch-bytes_log
exe       21318   nobody   21w   REG       58,3      1179     661310 /usr/local/apache/domlogs/mxxesign.mxdu.ch-bytes_log
exe       21318   nobody   22w   REG       58,3         0     661523 /usr/local/apache/domlogs/radio.thecause.com-bytes_log

from here are hundreds of processes with /usr/local/apache/domlogs/...

any ideas?

[cass]

Same here ... found this on one server...
wtf is this exe ??!?!

running as nobody... changes the PID every xx seconds... is something from cpanel?!?...
or anyone running something?
I've search on the server and not found any file called exe ... weird.

any way to see where is the command being run ?
where was the file executed from ...etc?

Regards.

[cass]

Oh well... I figured to know the cmd...
used to be proftpd... ¿?

doing a cat /proc/3514/cmdline (3514 was this moment pid for the exe process)
I got:
proftpd: (accepting connections)

so... I restarted proftpd... and it keep the same...

then I ps ax | grep proftpd ... and found TWO of them...

11980 ? S 0:00 proftpd: (accepting connections)
4047 ? R 0:09 proftpd: (accepting connections)
4058 pts/3 R 0:00 grep proft

then killed both... and startedcpanel proftpd... exe gone away.

The question is ...
was this ANOTHER PROFTD running?
was this a CPANEL BUG or something?
Why was this proftpd running this exe process?
Why was it consuming such cpu resources?
Or ... maybe is a bug on proftpd... ?

Anyone at cpanel could please let me know if this has something to do with cpanel please.
(this server was using last 9.7.7 release)
but I dont know if the issue was while running the update, when the update was ran... or so, cause I discovered this an hour after than upgrading... didn't checked before.

Regards.