Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

High CPU apache nobody

Discussion in 'General Discussion' started by tank, Nov 28, 2015.

  1. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    254
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Hi all I have been noticing over the past several days that my server is running high cpu loads. Apache seems to be using lots of resources.

    WHM Version 11.52.1

    here is my top c
    Code:
     402144 nobody    25   0  106m  17m 2544 R 96.1  0.1   3610:34 /usr/local/apache/bin/httpd -k start                    
938937 nobody    25   0  106m  17m 2492 R 94.7  0.1   1266:33 /usr/local/apache/bin/httpd -k start                    
375189 nobody    25   0  106m  18m 3308 R 86.5  0.1   3690:47 /usr/local/apache/bin/httpd -k start                    
831981 nobody    25   0  106m  17m 2840 R 82.9  0.1   1568:29 /usr/local/apache/bin/httpd -k start                    
520440 nobody    25   0  106m  17m 2572 R 78.2  0.1   9:57.52 /usr/local/apache/bin/httpd -k start                    
334131 nobody    25   0  106m  17m 2540 R 76.6  0.1 152:36.85 /usr/local/apache/bin/httpd -k start                    
536651 nobody    25   0  106m  18m 3304 R 58.8  0.1   3239:22 /usr/local/apache/bin/httpd -k start                    
463360 nobody    25   0  106m  18m 3564 R 55.5  0.1   3428:20 /usr/local/apache/bin/httpd -k start                    
524587 nobody    25   0  106m  17m 2520 R 46.2  0.1   3269:37 /usr/local/apache/bin/httpd -k start                    
514475 nobody    25   0  106m  17m 2520 R 45.9  0.1   3291:24 /usr/local/apache/bin/httpd -k start
    I took a look at the apache status and this is what I several examples doing this.

    Code:
    0-0 463360 0/58/7769 W 44.03 218992 0 0.0 5.16 212.55 XX.XX.XX.XXX XXXX.com:80 POST //xmlrpc.php HTTP/1.0
    These are wordpress related site as far as I can tell. Any ideas guys.
     
    #1 tank, Nov 28, 2015
  2. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    718
    Likes Received:
    122
    Trophy Points:
    168
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Are you running DSO? If yes, you may want to run easyapache and select mod_ruid2 as it will allow the processes to run as the cPanel user.

    You can use LSOF to help as well, example:

    Code:
    # lsof -p 15732 |grep /home
httpd   15732 CPUSER   48r   REG 182,193729   321284    1460018 /home/CPUSER/public_html/domain.com/themes/default-bootstrap/cache/v_47_1de9935608a5fce3cc504e3fd414df59.js
    You can also tail all domlogs and see if any are being spammed, from what you posted it looks like someone is spamming the xmlrpc.php

    Code:
    # tail -f /usr/local/apache/domlogs/*/*
    On our shared servers, we disable access to xmlrpc.php globally except for Jetpack, if you go to

    WHM >
    • Home »
    • Service Configuration »
    • Apache Configuration »
    • Include Editor

    Then select "Pre VirtualHost Include" and put in:

    Code:
    <FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Whitelist Jetpack/ Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Deny from all
</FilesMatch>
    This will stop the attack and prevent it from happening on all sites.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 Jcats, Nov 29, 2015
    tank likes this.
  3. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Messages:
    751
    Likes Received:
    11
    Trophy Points:
    143
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Howdy,

    What versions of apache/php/wordpress are you using? Also it's not a bad idea to strace one of those run away apache processes to find out what's going on.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 Eric, Nov 29, 2015
  4. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    254
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    I am running suphp and php version 5.5.30. The versions of wordpress are all different. Some are up to date some are not.

    I tailed the logs and and it looks like they are not being spammed. It just looks like this process just sits there using resources. I am going to add the include editor like you suggested. Thanks

    I tried to do a strace and got:
    Code:
    # 
strace -p 164328
Process 164328 attached - interrupt to quit
    Thanks guys
     
    #4 tank, Nov 30, 2015
  5. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    132
    Likes Received:
    6
    Trophy Points:
    68
    I've seen this for a while. This is more likely an xmlrpc amplification attack.

    Brute Force Amplification Attacks Against WordPress XMLRPC - Sucuri Blog

    If you search the attacker IP, you will see another POST a few minutes before the xmlrpc.php. The 1st POST size is big, I suspect it contains many username/password combinations. In 2nd POST, it just brute force the login until tried all combinations. The process seems do not exit after it finish. If you strace the process, you probability see no activity. You can only catch it when it just start. Besides xmlrpc attack, I saw some other nobody process can use high CPU.
     
    #5 garconcn, Dec 3, 2015
  6. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    254
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Thanks guys I appreciate it. The fix of not allowing access to that file except by jet back worked great.
     
    #6 tank, Dec 4, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - High apache nobody
  1. benash

    Config apache for high traffic

    benash, Nov 4, 2016, in forum: Workarounds and Optimization
    Replies:
    6
    Views:
    1,664
    SpaceCowboy
    Nov 12, 2016
  2. Brian Mniko

    Hight load issue

    Brian Mniko, Jul 30, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    50
    cPanelMichael
    Jul 31, 2018
  3. Benjamin D.

    High load coming from /usr/sbin/mysqld --daemonize?

    Benjamin D., Jul 26, 2018, in forum: Database Discussion
    Replies:
    9
    Views:
    193
    Benjamin D.
    Aug 1, 2018
  4. mythosis

    Nobody High CPU HTTPD

    mythosis, Jul 25, 2018, in forum: EasyApache
    Replies:
    5
    Views:
    107
    cPanelMichael
    Jul 31, 2018
  5. SupraMario

    php-cgi high load issues

    SupraMario, Jul 16, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    149
    cPanelMichael
    Jul 17, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice