The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

High CPU apache nobody

Discussion in 'General Discussion' started by tank, Nov 28, 2015.

  1. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    241
    Likes Received:
    0
    Trophy Points:
    66
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Hi all I have been noticing over the past several days that my server is running high cpu loads. Apache seems to be using lots of resources.

    WHM Version 11.52.1

    here is my top c
    Code:
     402144 nobody    25   0  106m  17m 2544 R 96.1  0.1   3610:34 /usr/local/apache/bin/httpd -k start                    
938937 nobody    25   0  106m  17m 2492 R 94.7  0.1   1266:33 /usr/local/apache/bin/httpd -k start                    
375189 nobody    25   0  106m  18m 3308 R 86.5  0.1   3690:47 /usr/local/apache/bin/httpd -k start                    
831981 nobody    25   0  106m  17m 2840 R 82.9  0.1   1568:29 /usr/local/apache/bin/httpd -k start                    
520440 nobody    25   0  106m  17m 2572 R 78.2  0.1   9:57.52 /usr/local/apache/bin/httpd -k start                    
334131 nobody    25   0  106m  17m 2540 R 76.6  0.1 152:36.85 /usr/local/apache/bin/httpd -k start                    
536651 nobody    25   0  106m  18m 3304 R 58.8  0.1   3239:22 /usr/local/apache/bin/httpd -k start                    
463360 nobody    25   0  106m  18m 3564 R 55.5  0.1   3428:20 /usr/local/apache/bin/httpd -k start                    
524587 nobody    25   0  106m  17m 2520 R 46.2  0.1   3269:37 /usr/local/apache/bin/httpd -k start                    
514475 nobody    25   0  106m  17m 2520 R 45.9  0.1   3291:24 /usr/local/apache/bin/httpd -k start
    I took a look at the apache status and this is what I several examples doing this.

    Code:
    0-0 463360 0/58/7769 W 44.03 218992 0 0.0 5.16 212.55 XX.XX.XX.XXX XXXX.com:80 POST //xmlrpc.php HTTP/1.0
    These are wordpress related site as far as I can tell. Any ideas guys.
     
    #1 tank, Nov 28, 2015
  2. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    566
    Likes Received:
    79
    Trophy Points:
    153
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Are you running DSO? If yes, you may want to run easyapache and select mod_ruid2 as it will allow the processes to run as the cPanel user.

    You can use LSOF to help as well, example:

    Code:
    # lsof -p 15732 |grep /home
httpd   15732 CPUSER   48r   REG 182,193729   321284    1460018 /home/CPUSER/public_html/domain.com/themes/default-bootstrap/cache/v_47_1de9935608a5fce3cc504e3fd414df59.js
    You can also tail all domlogs and see if any are being spammed, from what you posted it looks like someone is spamming the xmlrpc.php

    Code:
    # tail -f /usr/local/apache/domlogs/*/*
    On our shared servers, we disable access to xmlrpc.php globally except for Jetpack, if you go to

    WHM >
    • Home »
    • Service Configuration »
    • Apache Configuration »
    • Include Editor

    Then select "Pre VirtualHost Include" and put in:

    Code:
    <FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Whitelist Jetpack/ Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Deny from all
</FilesMatch>
    This will stop the attack and prevent it from happening on all sites.
     
    #2 Jcats, Nov 29, 2015
    tank likes this.
  3. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Messages:
    752
    Likes Received:
    11
    Trophy Points:
    143
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Howdy,

    What versions of apache/php/wordpress are you using? Also it's not a bad idea to strace one of those run away apache processes to find out what's going on.

    Thanks!
     
    #3 Eric, Nov 29, 2015
  4. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    241
    Likes Received:
    0
    Trophy Points:
    66
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    I am running suphp and php version 5.5.30. The versions of wordpress are all different. Some are up to date some are not.

    I tailed the logs and and it looks like they are not being spammed. It just looks like this process just sits there using resources. I am going to add the include editor like you suggested. Thanks

    I tried to do a strace and got:
    Code:
    # 
strace -p 164328
Process 164328 attached - interrupt to quit
    Thanks guys
     
    #4 tank, Nov 30, 2015
  5. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    68
    I've seen this for a while. This is more likely an xmlrpc amplification attack.

    Brute Force Amplification Attacks Against WordPress XMLRPC - Sucuri Blog

    If you search the attacker IP, you will see another POST a few minutes before the xmlrpc.php. The 1st POST size is big, I suspect it contains many username/password combinations. In 2nd POST, it just brute force the login until tried all combinations. The process seems do not exit after it finish. If you strace the process, you probability see no activity. You can only catch it when it just start. Besides xmlrpc attack, I saw some other nobody process can use high CPU.
     
    #5 garconcn, Dec 3, 2015
  6. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    241
    Likes Received:
    0
    Trophy Points:
    66
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Thanks guys I appreciate it. The fix of not allowing access to that file except by jet back worked great.
     
    #6 tank, Dec 4, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - High apache nobody
  1. benash

    Config apache for high traffic

    benash, Nov 4, 2016, in forum: Workarounds and Optimization
    Replies:
    6
    Views:
    770
    SpaceCowboy
    Nov 12, 2016
  2. Monto

    Backup causing high loads

    Monto, Jul 22, 2017 at 5:24 PM, in forum: General Discussion
    Replies:
    2
    Views:
    56
    Monto
    Jul 24, 2017 at 4:09 PM
  3. theallan

    pigz / pkgacct high cpu

    theallan, Jul 13, 2017, in forum: Data Protection
    Replies:
    1
    Views:
    88
    cPanelMichael
    Jul 13, 2017
  4. divemasterza

    p0f running high cpu (close to 100%)

    divemasterza, Jul 5, 2017, in forum: General Discussion
    Replies:
    3
    Views:
    70
    cPanelMichael
    Jul 5, 2017
  5. nirbhay712

    High Memory usage on New VPS

    nirbhay712, Jun 25, 2017, in forum: General Discussion
    Replies:
    4
    Views:
    101
    cPanelMichael
    Jun 26, 2017

Share This Page