High CPU apache nobody

[tank]

Hi all I have been noticing over the past several days that my server is running high cpu loads. Apache seems to be using lots of resources.

WHM Version 11.52.1

here is my top c

 402144 nobody    25   0  106m  17m 2544 R 96.1  0.1   3610:34 /usr/local/apache/bin/httpd -k start                    
938937 nobody    25   0  106m  17m 2492 R 94.7  0.1   1266:33 /usr/local/apache/bin/httpd -k start                    
375189 nobody    25   0  106m  18m 3308 R 86.5  0.1   3690:47 /usr/local/apache/bin/httpd -k start                    
831981 nobody    25   0  106m  17m 2840 R 82.9  0.1   1568:29 /usr/local/apache/bin/httpd -k start                    
520440 nobody    25   0  106m  17m 2572 R 78.2  0.1   9:57.52 /usr/local/apache/bin/httpd -k start                    
334131 nobody    25   0  106m  17m 2540 R 76.6  0.1 152:36.85 /usr/local/apache/bin/httpd -k start                    
536651 nobody    25   0  106m  18m 3304 R 58.8  0.1   3239:22 /usr/local/apache/bin/httpd -k start                    
463360 nobody    25   0  106m  18m 3564 R 55.5  0.1   3428:20 /usr/local/apache/bin/httpd -k start                    
524587 nobody    25   0  106m  17m 2520 R 46.2  0.1   3269:37 /usr/local/apache/bin/httpd -k start                    
514475 nobody    25   0  106m  17m 2520 R 45.9  0.1   3291:24 /usr/local/apache/bin/httpd -k start

I took a look at the apache status and this is what I several examples doing this.

0-0 463360 0/58/7769 W 44.03 218992 0 0.0 5.16 212.55 XX.XX.XX.XXX XXXX.com:80 POST //xmlrpc.php HTTP/1.0

These are wordpress related site as far as I can tell. Any ideas guys.

 

[Jcats]

Are you running DSO? If yes, you may want to run easyapache and select mod_ruid2 as it will allow the processes to run as the cPanel user.

You can use LSOF to help as well, example:

# lsof -p 15732 |grep /home
httpd   15732 CPUSER   48r   REG 182,193729   321284    1460018 /home/CPUSER/public_html/domain.com/themes/default-bootstrap/cache/v_47_1de9935608a5fce3cc504e3fd414df59.js

You can also tail all domlogs and see if any are being spammed, from what you posted it looks like someone is spamming the xmlrpc.php

# tail -f /usr/local/apache/domlogs/*/*

On our shared servers, we disable access to xmlrpc.php globally except for Jetpack, if you go to

WHM >

• Home »
• Service Configuration »
• Apache Configuration »
• Include Editor

Then select "Pre VirtualHost Include" and put in:

<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Whitelist Jetpack/ Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Deny from all
</FilesMatch>

This will stop the attack and prevent it from happening on all sites.

 

[Eric]

Howdy,

What versions of apache/php/wordpress are you using? Also it's not a bad idea to strace one of those run away apache processes to find out what's going on.

Thanks!

 

[tank]

I am running suphp and php version 5.5.30. The versions of wordpress are all different. Some are up to date some are not.

I tailed the logs and and it looks like they are not being spammed. It just looks like this process just sits there using resources. I am going to add the include editor like you suggested. Thanks

I tried to do a strace and got:

# 
strace -p 164328
Process 164328 attached - interrupt to quit

Thanks guys

 

[garconcn]

I've seen this for a while. This is more likely an xmlrpc amplification attack.

Brute Force Amplification Attacks Against WordPress XMLRPC - Sucuri Blog

If you search the attacker IP, you will see another POST a few minutes before the xmlrpc.php. The 1st POST size is big, I suspect it contains many username/password combinations. In 2nd POST, it just brute force the login until tried all combinations. The process seems do not exit after it finish. If you strace the process, you probability see no activity. You can only catch it when it just start. Besides xmlrpc attack, I saw some other nobody process can use high CPU.

 

[tank]

Thanks guys I appreciate it. The fix of not allowing access to that file except by jet back worked great.