The Community Forums


High CPU apache nobody

Discussion in 'General Discussion' started by tank, Nov 28, 2015.

  1. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    236
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Hi all, I have been noticing over the past several days that my server is running high CPU loads. Apache seems to be using lots of resources.

    WHM Version 11.52.1

    here is my top c
    Code:
     402144 nobody    25   0  106m  17m 2544 R 96.1  0.1   3610:34 /usr/local/apache/bin/httpd -k start                    
    938937 nobody    25   0  106m  17m 2492 R 94.7  0.1   1266:33 /usr/local/apache/bin/httpd -k start                    
    375189 nobody    25   0  106m  18m 3308 R 86.5  0.1   3690:47 /usr/local/apache/bin/httpd -k start                    
    831981 nobody    25   0  106m  17m 2840 R 82.9  0.1   1568:29 /usr/local/apache/bin/httpd -k start                    
    520440 nobody    25   0  106m  17m 2572 R 78.2  0.1   9:57.52 /usr/local/apache/bin/httpd -k start                    
    334131 nobody    25   0  106m  17m 2540 R 76.6  0.1 152:36.85 /usr/local/apache/bin/httpd -k start                    
    536651 nobody    25   0  106m  18m 3304 R 58.8  0.1   3239:22 /usr/local/apache/bin/httpd -k start                    
    463360 nobody    25   0  106m  18m 3564 R 55.5  0.1   3428:20 /usr/local/apache/bin/httpd -k start                    
    524587 nobody    25   0  106m  17m 2520 R 46.2  0.1   3269:37 /usr/local/apache/bin/httpd -k start                    
    514475 nobody    25   0  106m  17m 2520 R 45.9  0.1   3291:24 /usr/local/apache/bin/httpd -k start  
    I took a look at the Apache status and this is what I see; several examples are doing this.

    Code:
    0-0 463360 0/58/7769 W 44.03 218992 0 0.0 5.16 212.55 XX.XX.XX.XXX XXXX.com:80 POST //xmlrpc.php HTTP/1.0
    
    These are WordPress-related sites as far as I can tell. Any ideas, guys?
     
  2. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    275
    Likes Received:
    31
    Trophy Points:
    28
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Are you running DSO? If yes, you may want to run easyapache and select mod_ruid2 as it will allow the processes to run as the cPanel user.

    You can use LSOF to help as well, example:

    Code:
    # lsof -p 15732 |grep /home
    httpd   15732 CPUSER   48r   REG 182,193729   321284    1460018 /home/CPUSER/public_html/domain.com/themes/default-bootstrap/cache/v_47_1de9935608a5fce3cc504e3fd414df59.js
    You can also tail all domlogs and see if any are being spammed. From what you posted, it looks like someone is spamming xmlrpc.php.

    Code:
    # tail -f /usr/local/apache/domlogs/*/*
    On our shared servers, we disable access to xmlrpc.php globally except for Jetpack. If you go to

    WHM >
    • Home »
    • Service Configuration »
    • Apache Configuration »
    • Include Editor

    Then select "Pre VirtualHost Include" and put in:

    Code:
    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/ Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Deny from all
    </FilesMatch>
    This will stop the attack and prevent it from happening on all sites.
     
    tank likes this.
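An added example (not code from the thread or from cPanel) that does what the "tail the domlogs" advice above suggests, but counts instead of eyeballing: it parses Apache combined-format access-log lines, counts POSTs to xmlrpc.php per client IP, and flags any client at or above a threshold unless it falls inside the Jetpack/Automattic ranges from the FilesMatch include. The log lines are constructed samples, the combined log format is assumed to match cPanel's domlogs, and the threshold of 3 is arbitrary.

```python
import ipaddress
import re
import sys
from collections import Counter

# Jetpack/Automattic ranges quoted in the FilesMatch include above.
JETPACK_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("192.0.64.0/18", "209.15.0.0/16", "66.155.0.0/17")
]

# Apache "combined" access-log format; assumed to match the cPanel domlog layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not taken from the thread); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, 192.0.64.10 sits inside a Jetpack block.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Nov/2015:10:01:01 -0600] "POST //xmlrpc.php HTTP/1.0" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2015:10:01:02 -0600] "POST //xmlrpc.php HTTP/1.0" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2015:10:01:03 -0600] "POST //xmlrpc.php HTTP/1.0" 200 512 "-" "Mozilla/5.0"
192.0.64.10 - - [28/Nov/2015:10:01:04 -0600] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "Jetpack by WordPress.com"
198.51.100.5 - - [28/Nov/2015:10:01:05 -0600] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_xmlrpc(path):
    """True for /xmlrpc.php and variants such as //xmlrpc.php or /xmlrpc.php?rsd."""
    return path.lstrip("/").lower().startswith("xmlrpc.php")


def is_allowlisted(ip):
    """True when the client address falls inside one of the Jetpack ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in JETPACK_NETWORKS)


def xmlrpc_report(log_text, threshold=3):
    """Count POSTs to xmlrpc.php per client IP; flag non-Jetpack clients at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and is_xmlrpc(rec["path"]):
            counts[rec["ip"]] += 1
    report = {}
    for ip, n in counts.items():
        allowed = is_allowlisted(ip)
        report[ip] = {
            "posts": n,
            "allowlisted": allowed,
            "suspicious": (n >= threshold) and not allowed,
        }
    return report


if __name__ == "__main__":
    # Reads log lines from stdin when piped (e.g. from tail of the domlogs), else uses the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for ip, info in sorted(xmlrpc_report(text).items()):
        print(ip, info)
```

Piping a chunk of the domlogs into the script (for instance `tail -n 20000 /usr/local/apache/domlogs/*/* | python3 xmlrpc_report.py`) gives a per-IP count to act on; the path check deliberately tolerates the doubled slash seen in the status line above, since a pattern that only matches `/xmlrpc.php` would miss exactly those requests.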
  3. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Messages:
    746
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Howdy,

    What versions of Apache/PHP/WordPress are you using? Also, it's not a bad idea to strace one of those runaway Apache processes to find out what's going on.

    Thanks!
     
  4. tank

    tank Well-Known Member

    I am running suPHP and PHP version 5.5.30. The versions of WordPress are all different. Some are up to date, some are not.

    I tailed the logs and it looks like they are not being spammed. It just looks like this process sits there using resources. I am going to add the include like you suggested. Thanks.

    I tried to do a strace and got:
    Code:
    # strace -p 164328
    Process 164328 attached - interrupt to quit
    Thanks guys
     
  5. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    I've seen this for a while. This is more likely an xmlrpc amplification attack.

    Brute Force Amplification Attacks Against WordPress XMLRPC - Sucuri Blog

    If you search for the attacker IP, you will see another POST a few minutes before the xmlrpc.php one. The 1st POST size is big; I suspect it contains many username/password combinations. In the 2nd POST, it just brute forces the login until all combinations have been tried. The process seems not to exit after it finishes. If you strace the process, you will probably see no activity. You can only catch it when it has just started. Besides the xmlrpc attack, I saw some other nobody processes that can use high CPU.
     
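An added example (not from the thread or the linked Sucuri post) of the request-side check that complements the log count: it parses an XML-RPC request body with the standard library and flags a `system.multicall` that wraps many calls to credential-taking methods, which is the amplification shape described above. Both request bodies are constructed samples with placeholder credentials, the set of credentialed method names is an illustrative assumption rather than WordPress's full list, and the threshold of more than one inner call is arbitrary.

```python
import xml.etree.ElementTree as ET

# Illustrative, non-exhaustive set of XML-RPC methods that take a username/password pair
# (assumption for this example; WordPress exposes more).
CREDENTIALED_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "wp.getProfile"}

# Constructed sample: one multicall carrying three login attempts with placeholder guesses.
SAMPLE_MULTICALL = """<?xml version="1.0"?>
<methodCall>
 <methodName>system.multicall</methodName>
 <params><param><value><array><data>
  <value><struct>
   <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
   <member><name>params</name><value><array><data>
    <value><string>admin</string></value><value><string>guess-1</string></value>
   </data></array></value></member>
  </struct></value>
  <value><struct>
   <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
   <member><name>params</name><value><array><data>
    <value><string>admin</string></value><value><string>guess-2</string></value>
   </data></array></value></member>
  </struct></value>
  <value><struct>
   <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
   <member><name>params</name><value><array><data>
    <value><string>admin</string></value><value><string>guess-3</string></value>
   </data></array></value></member>
  </struct></value>
 </data></array></value></param></params>
</methodCall>
"""

# Constructed sample: an ordinary single-method request, which should not be flagged.
SAMPLE_SINGLE = """<?xml version="1.0"?>
<methodCall>
 <methodName>pingback.ping</methodName>
 <params>
  <param><value><string>http://source.example/post</string></value></param>
  <param><value><string>http://target.example/post</string></value></param>
 </params>
</methodCall>
"""


def inner_methods(root):
    """Method names wrapped inside a system.multicall request body."""
    names = []
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                names.append((member.findtext("value/string") or "").strip())
    return names


def analyze_xmlrpc(body, max_inner_calls=1):
    """Classify one XML-RPC request body; unparseable or non-methodCall input is reported, not flagged."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"method": None, "inner_methods": [], "credentialed": 0,
                "suspicious": False, "reason": "unparseable"}
    if root.tag != "methodCall":
        return {"method": None, "inner_methods": [], "credentialed": 0,
                "suspicious": False, "reason": "not a methodCall"}
    method = (root.findtext("methodName") or "").strip()
    inner = inner_methods(root) if method == "system.multicall" else []
    credentialed = sum(1 for name in inner if name in CREDENTIALED_METHODS)
    suspicious = (method == "system.multicall"
                  and len(inner) > max_inner_calls
                  and credentialed > 0)
    reason = (f"multicall wrapping {credentialed} credentialed calls"
              if suspicious else "ok")
    return {"method": method, "inner_methods": inner, "credentialed": credentialed,
            "suspicious": suspicious, "reason": reason}


if __name__ == "__main__":
    for label, body in (("multicall", SAMPLE_MULTICALL), ("single", SAMPLE_SINGLE)):
        print(label, analyze_xmlrpc(body))
```

The same logic fits a WAF rule or a small pre-WordPress PHP shim: a multicall with one inner call is normal client behaviour, while one body carrying dozens of `wp.getUsersBlogs` calls is the "1st POST size is big" request described above, and blocking it keeps the httpd child from grinding through the guesses.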
  6. tank

    tank Well-Known Member

    Thanks guys, I appreciate it. The fix of not allowing access to that file except by Jetpack worked great.
     