WHM 54.0 (build 15) - mod_ruid2, PHP-FPM for cPanel enabled.
I've gotten high cpu warnings from CSF last night. Saw them this morning and figured people were attacking the server somehow. Processes belonged to nobody and named accounts.
This morning I went into the Process manager and ran a trace on httpd owned by nobody. This is what I found.
It looks like it's scanning an account and I've seen it do it to a different account.
The beef is that I've never run a trace before and don't know if this is normal.
Looks suspicious as hell, to me, but I figured I'd post here and ask you guys.
What do you think about the strace below? Done on a httpd process belonging to nobody and taking up 4% CPU in process manager.
Code:
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", O_RDONLY) = 209
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
mmap(NULL, 1229, PROT_READ, MAP_SHARED, 209, 0) = 0x7f5de0795000
fcntl(209, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5de0794000
lseek(209, 0, SEEK_CUR) = 0
read(209, "<?php\n/**\n * @copyright Copyrig"..., 4096) = 1229
lseek(209, 1229, SEEK_SET) = 1229
munmap(0x7f5de0795000, 1229) = 0
lseek(209, -1229, SEEK_CUR) = 0
close(209) = 0
munmap(0x7f5de0794000, 4096) = 0
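One way to condense a trace like the one posted above, as an added example that is not part of the original post: it separates files that were actually opened and read from `lstat` calls, and lists any `lstat` path that is not an opened file or one of its parent directories. The sample trace, the `user1`/`user2` account names and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the same strace format as the post (not the poster's data).
SAMPLE = r'''
lstat("/home/user1/public_html/app/Config.php", {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
lstat("/home/user1/public_html/app", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/user1/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/user1", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/user1/public_html/app/Config.php", O_RDONLY) = 209
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
read(209, "<?php\n/**\n * @copyright Copyrig"..., 4096) = 1229
close(209) = 0
lstat("/home/user2/public_html/index.php", {st_mode=S_IFREG|0644, st_size=3100, ...}) = 0
'''

# syscall(args) = return value; hex alternative first so "0x8000" is not read as "0"
CALL = re.compile(r'^(\w+)\((.*)\)\s+=\s+(0x[0-9a-f]+|-?\d+)')

def summarize(trace):
    """Condense strace lines into: files opened, bytes read per file, and stat
    calls not explained by a parent-directory walk of an opened file."""
    stats, opened, fds, read_bytes = Counter(), [], {}, Counter()
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        name, args, ret = m.group(1), m.group(2), int(m.group(3), 0)
        path = re.search(r'"([^"]*)"', args)
        if name in ("stat", "lstat") and path:
            stats[path.group(1)] += 1
        elif name in ("open", "openat") and path and ret >= 0:
            fds[ret] = path.group(1)          # remember which path this fd refers to
            opened.append(path.group(1))
        elif name == "read" and ret > 0:
            fd = int(args.split(",")[0])
            read_bytes[fds.get(fd, f"fd {fd}")] += ret
        elif name == "close" and args.isdigit():
            fds.pop(int(args), None)
    # A stat is "explained" if its path is an opened file or one of its parents.
    stray = sorted(p for p in stats
                   if not any(f == p or f.startswith(p.rstrip("/") + "/") for f in opened))
    accounts = sorted({a.group(1) for p in list(stats) + opened
                       if (a := re.match(r"/home/([^/]+)", p))})
    return {"opened": opened, "read_bytes": dict(read_bytes),
            "stat_calls": sum(stats.values()), "stray_stats": stray,
            "accounts": accounts}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```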