CURL problem, Curl is taking the server load to 40+ Help Please!

Discussion in 'General Discussion' started by badawi, May 13, 2005.

  1. badawi

    Hi,

    I really hope you guys can give me a hand in this issue.
    I have had this box hacked 3 days ago, we installed a new OS and fresh CPanel/WHM installation.
    I recompiled Apache as well with CURL.
    The problem is that the server is going into enormous loads (never before went over 2, now it is reaching 40s).

    The server is 3.2GH HT with 1GB RAM, Fedora i686

    Here is the output of top:


    top - 06:18:47 up 16:25, 1 user, load average: 30.45, 26.19, 21.20
    Tasks: 229 total, 31 running, 196 sleeping, 2 stopped, 0 zombie
    Cpu(s): 20.8% us, 76.7% sy, 0.0% ni, 0.0% id, 2.5% wa, 0.0% hi, 0.0% si
    Mem: 967480k total, 844780k used, 122700k free, 101580k buffers
    Swap: 2096440k total, 219192k used, 1877248k free, 83440k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    6328 nobody 25 0 5744 1584 1372 R 7.0 0.2 35:17.34 curl
    22173 nobody 25 0 5740 1652 1372 R 7.0 0.2 6:47.57 curl
    22915 nobody 25 0 5736 1648 1372 R 7.0 0.2 5:51.47 curl
    23987 nobody 25 0 5744 1656 1372 R 7.0 0.2 4:48.85 curl
    29236 nobody 25 0 5744 1656 1372 R 7.0 0.2 0:54.90 curl
    29796 nobody 25 0 5740 1652 1372 R 7.0 0.2 0:39.33 curl
    31062 nobody 25 0 5740 1652 1372 R 7.0 0.2 0:03.93 curl
    32398 nobody 25 0 5740 1556 1276 R 6.6 0.2 76:02.72 curl
    11519 nobody 25 0 5744 1652 1372 R 6.6 0.2 26:19.65 curl
    19538 nobody 25 0 5740 1652 1372 R 6.6 0.2 9:39.42 curl
    20500 nobody 25 0 5740 1532 1372 R 6.6 0.2 8:10.44 curl
    20591 nobody 25 0 5744 1656 1372 R 6.6 0.2 8:03.26 curl
    20889 nobody 25 0 5740 1652 1372 R 6.6 0.2 7:42.45 curl
    24390 nobody 25 0 5736 1648 1372 R 6.6 0.2 4:21.20 curl
    29166 nobody 25 0 5744 1656 1372 R 6.6 0.2 0:59.12 curl
    29347 nobody 25 0 5740 1652 1372 R 6.6 0.2 0:51.11 curl
    29863 nobody 25 0 5740 1652 1372 R 6.6 0.2 0:39.38 curl
    30044 nobody 25 0 5740 1652 1372 R 6.6 0.2 0:31.33 curl
    30129 nobody 25 0 5744 1656 1372 R 6.6 0.2 0:27.50 curl
    30212 nobody 25 0 5736 1648 1372 R 6.6 0.2 0:25.92 curl
    30277 nobody 25 0 5736 1648 1372 R 6.6 0.2 0:24.82 curl
    30422 nobody 25 0 5740 1652 1372 R 6.6 0.2 0:22.81 curl
    30441 nobody 25 0 5740 1652 1372 R 6.6 0.2 0:21.61 curl
    30790 nobody 25 0 5736 1648 1372 R 6.6 0.2 0:14.79 curl
    30879 nobody 25 0 5740 1652 1372 R 6.6 0.2 0:12.91 curl
    30965 nobody 25 0 5744 1656 1372 R 6.6 0.2 0:09.82 curl
    21356 nobody 25 0 5744 1656 1372 R 6.3 0.2 7:18.64 curl
    28412 nobody 25 0 5744 1652 1372 R 6.3 0.2 1:49.19 curl
    29963 nobody 25 0 5740 1652 1372 R 6.3 0.2 0:35.60 curl
    1458 nobody 15 0 28564 19m 5016 S 0.3 2.0 0:16.12 httpd
    1461 nobody 15 0 31080 21m 5056 S 0.3 2.3 0:25.25 httpd


    Look at the amount of CURL in there!


    What can I do to fix it? If any information is required, please ask and I will post it.

    Regards and thanks to all who take the time and effort to help.
     
  2. eth00

    Take a look at 'lsof -u nobody' to see what files nobody is accessing. It sounds like somebody is running some sort of a script that is causing it to run out of control. I would first try to stop Apache and then run it; with luck curl will keep running. If curl stops then I would temporarily block port 80 incoming. The problem is that if you have a busy server, Apache will be accessing a lot at any given time.
     
  3. badawi

    Long live BurstNet, they fixed it for me.

    Thanks to everyone who put in the effort to read the post.
    And sorry, I don't know what Burst did to fix it.
     
  4. correctsearch

    Yesterday I installed CURL and I am having the same problem with server load.

    I received an email as follows:

    The current load/uptime line
    on the server at the time of
    this email is
    07:42:59 up 157 days, 21:30, 0 users, load average: 6.24, 6.25, 6.27
    You should check the server to see why the load is so high and take steps to lower the load.

    Could you please help me minimize my server load?

    How do I check which process is causing the server load?
     
  5. Website Rob

    In shell run this command: ps aux

    See what processes (on the far right) are being used by CURL and kill them.
     
  6. correctsearch

    I ran the following commands and have listed the output. I can see so many logs created by nobody. It is causing server load. What should I do to stop the server load?

    Command: ps aux

    mysql 5142 0.0 1.9 36220 19680 ? S May15 0:00 /usr/sbin/m
    root 10332 0.0 0.6 10176 7088 ? SN May15 0:11 cpanellogd
    root 10334 0.0 0.4 8176 4772 ? S May15 0:00 cppop - acc
    mailnull 10341 0.0 0.2 6684 2376 ? S May15 0:00 /usr/bin/pe
    mysql 10342 0.0 1.9 36220 19680 ? S May15 0:00 /usr/sbin/m
    mailman 10370 0.0 0.4 8600 4644 ? S May15 0:00 /usr/bin/py
    nobody 10398 0.0 0.0 1732 612 ? S May15 0:00 /usr/local/
    nobody 10400 0.0 0.1 4092 1096 ? S May15 0:00 entropychat
    cpanel 10478 0.0 0.4 34420 4144 ? S May15 0:00 interchange
    cpanel 10549 0.0 0.1 4652 1460 ? S May15 0:00 /usr/bin/st
    root 10552 0.0 0.5 9548 5240 ? S May15 0:00 cpsrvd - wa
    root 20012 15.8 0.0 6808 912 ? R May16 316:37 pico -w -z
    compare 21682 0.0 0.6 10176 7088 ? SN May17 0:00 cpanellogd
    compare 21683 0.0 0.0 1360 340 ? SN May17 0:00 /usr/local/
    compare 21684 0.0 0.0 2328 16 ? TN May17 0:00 /usr/bin/pe
    root 27070 0.0 0.5 12796 5296 ? S May17 0:00 /usr/local/
    nobody 27076 0.0 0.8 14836 8376 ? S May17 0:10 /usr/local/
    nobody 27100 0.0 0.8 14932 8320 ? S May17 0:07 /usr/local/
    mailnull 27252 0.0 0.1 8044 1616 ? S May17 0:00 /usr/sbin/e
    root 27276 0.0 1.9 22136 19712 ? S May17 0:00 /usr/bin/sp
    root 27297 0.0 0.1 3392 1272 ? S May17 0:00 antirelayd
    root 27324 0.0 2.1 24336 21972 ? S May17 0:08 spamd child
    mysql 27345 0.0 1.9 36220 19680 ? S May17 0:02 /usr/sbin/m
    nobody 27347 0.0 0.8 14856 8208 ? S May17 0:08 /usr/local/
    nobody 27443 0.0 0.8 14840 8372 ? S May17 0:07 /usr/local/
    mysql 16178 0.0 1.9 36220 19680 ? S 08:23 0:00 /usr/sbin/m

    Command: lsof -u nobody

    httpd 27443 nobody 64w REG 3,3 99956 10764290 /usr/local/apache/logs/ssl_engine_log
    httpd 27443 nobody 65w REG 3,3 0 10764530 /usr/local/apache/logs/ssl_mutex.27067
    httpd 27443 nobody 66w REG 3,3 75822643 10764409 /usr/local/apache/logs/access_log
    httpd 27443 nobody 67w REG 3,3 13164 6537621 /usr/local/apache/domlogs/mail.correctsearch.com
    httpd 27443 nobody 68w REG 3,3 1296 6537622 /usr/local/apache/domlogs/2lookup.com
    httpd 27443 nobody 69w REG 3,3 1242 6537617 /usr/local/apache/domlogs/al-nawadir.net
    httpd 27443 nobody 70w REG 3,3 0 6537469 /usr/local/apache/domlogs/guugul.com
    httpd 27443 nobody 71w REG 3,3 15387 6537567 /usr/local/apache/domlogs/detroitguide.net
    httpd 27443 nobody 72w REG 3,3 162189 6537413 /usr/local/apache/domlogs/correctsearch.net
    httpd 27443 nobody 73w REG 3,3 168035 6537471 /usr/local/apache/domlogs/sitetoregister.com
    httpd 27443 nobody 74w REG 3,3 623117 6537599 /usr/local/apache/domlogs/explorewww.com
    httpd 27443 nobody 75w REG 3,3 45563599 6537401 /usr/local/apache/domlogs/correctsearch.com
    httpd 27443 nobody 76w REG 3,3 104962 6537537 /usr/local/apache/domlogs/artbyagar.com

    Please give me suggestions on how to take control of this.
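
The triage suggested in the replies above (use ps to see which processes belong to curl, then lsof to see what they have open) can be scripted so that the spawning parent stands out. This is an added example, not part of the original thread; the function names, sample ps lines and example.invalid URLs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added triage example, not from the thread. Input format:
#   ps -eo pid,ppid,user,etime,args

# Constructed sample output (PIDs echo the thread; parents, times, args are invented).
SAMPLE_PS='  PID  PPID USER      ELAPSED COMMAND
 1458     1 nobody   16:25:01 /usr/local/apache/bin/httpd -DSSL
 1461     1 nobody   16:25:01 /usr/local/apache/bin/httpd -DSSL
 6328  1458 nobody   08:10:44 /usr/bin/curl -s http://example.invalid/a
22173  1458 nobody   01:02:13 /usr/bin/curl -s http://example.invalid/a
22915  1461 nobody      58:20 curl -s http://example.invalid/b
29236     1 nobody      09:12 curl -s http://example.invalid/a
  900     1 root     16:25:30 /usr/sbin/sshd'

# procs_by_parent USER NAME: read ps lines on stdin, print "count ppid" for
# processes owned by USER whose executable basename is NAME, busiest parent first.
procs_by_parent() {
  awk -v user="$1" -v name="$2" '
    NR == 1 { next }                          # skip the ps header
    { n = split($5, part, "/") }              # $5 is the executable path
    $3 == user && part[n] == name { count[$2]++ }
    END { for (pp in count) print count[pp], pp }
  ' | sort -k1,1nr -k2,2n
}

# orphans USER NAME: PIDs already reparented to init (PPID 1). These keep
# running after Apache is stopped, so they must be inspected individually.
orphans() {
  awk -v user="$1" -v name="$2" '
    NR > 1 { n = split($5, part, "/")
             if ($3 == user && part[n] == name && $2 == 1) print $1 }'
}

# inspect_pid PID: working directory, full command line and open files of a
# live process (Linux /proc; needs root for other users processes).
inspect_pid() {
  printf 'cwd:     %s\n' "$(readlink "/proc/$1/cwd" 2>/dev/null)"
  printf 'cmdline: %s\n' "$(tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline")"
  lsof -p "$1" 2>/dev/null
}

# Demo on the constructed sample; on a live host pipe in the real ps instead:
#   ps -eo pid,ppid,user,etime,args | procs_by_parent nobody curl
printf '%s\n' "$SAMPLE_PS" | procs_by_parent nobody curl
```

A parent PID with many curl children is the one to pass to inspect_pid first, since its working directory and open files show which account's script is launching them.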
     