High CPU load overnight and funny strace today.

RWH Tech

Well-Known Member
Oct 1, 2015
86
16
8
Brazil
cPanel Access Level
Root Administrator
WHM 54.0 (build 15)- mod_ruid2, PHP-FPM for cpanel enabled.

I've gotten high CPU warnings from CSF last night. Saw them this morning and figured people were attacking the server somehow. Processes belonged to nobody and named accounts.

This morning I went into the Process manager and ran a trace on httpd owned by nobody. This is what I found.

It looks like it's scanning an account and I've seen it do it to a different account.

The beef is that I've never run a trace before and don't know if this is normal.
Looks suspicious as hell, to me, but I figured I'd post here and ask you guys.
What do you think about the strace below? Done on a httpd process belonging to nobody and taking up 4% CPU in process manager.


Code:
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", O_RDONLY) = 209
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
mmap(NULL, 1229, PROT_READ, MAP_SHARED, 209, 0) = 0x7f5de0795000
fcntl(209, F_GETFL)                     = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5de0794000
lseek(209, 0, SEEK_CUR)                 = 0
read(209, "<?php\n/**\n * @copyright  Copyrig"..., 4096) = 1229
lseek(209, 1229, SEEK_SET)              = 1229
munmap(0x7f5de0795000, 1229)            = 0
lseek(209, -1229, SEEK_CUR)             = 0
close(209)                              = 0
munmap(0x7f5de0794000, 4096)            = 0
 

syslint

Well-Known Member
Verified Vendor
Oct 9, 2006
268
7
168
India
cPanel Access Level
Root Administrator
Hi,
I think it needs more logs for troubleshooting this issue. You said you got the load at night. How is your backup configuration? Do you have any type of heavy traffic at that time?
 

RWH Tech

Process manager currently reports 4 httpd processes, owned by nobody, consuming 6%, 3% and two with 1%

So, is it normal for httpd nobody to be reading /home/blahblah? I'm wondering if I'm chasing ghosts.
Trace on the process with 6% shows it hitting the magento install, again.

Code:
Process 19763 attached
restart_syscall(<... resuming interrupted call ...>) = 0
writev(207, [{"\27\3\3\0)\236]*\375\307\357LUu\250.U)\235\343\na\376j\372\206\362BL)\252\353"..., 46}], 1) = 46
writev(207, [{"\25\3\3\0\32\236]*\375\307\357LVb^\5]\211\206\311C5c \237q\227\32\227*y", 31}], 1) = 31
shutdown(207, SHUT_WR)                  = 0
poll([{fd=207, events=POLLIN}], 1, 2000) = 0 (Timeout)
close(207)                              = 0
read(10, 0x7ffeb529bf4b, 1)             = -1 EAGAIN (Resource temporarily unavailable)
semop(9830410, {{0, -1, SEM_UNDO}}, 1)  = 0
epoll_wait(205, {}, 4, 10000)           = 0
epoll_wait(205, {{EPOLLIN, {u32=87201208, u64=87201208}}}, 4, 10000) = 1
accept4(6, {sa_family=AF_INET, sin_port=htons(16616), sin_addr=inet_addr("77.75.76.167")}, [16], SOCK_CLOEXEC) = 207
semop(9830410, {{0, 1, SEM_UNDO}}, 1)   = 0
getsockname(207, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("198.46.237.187")}, [16]) = 0
fcntl(207, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl(207, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
read(207, "GET /robots.txt HTTP/1.1\r\nHost: "..., 8000) = 228
open("/dev/urandom", O_RDONLY)          = 208
read(208, "\350\305\344\5\301s\344\213\237\342\302V\316\230zW\217\25\2742\205\24\272(\4G\317.\276\321\375\222"..., 64) = 64
close(208)                              = 0
open("/dev/urandom", O_RDONLY)          = 208
read(208, "P*v\f\363\16\274^\250\243\351 \303\324\373\35\335\312\270\240\332#\264\364\375\23x9\216`x\23"..., 64) = 64
close(208)                              = 0
open("/var/cpanel/secdatadir/global.dir", O_RDONLY|O_CLOEXEC) = 208
open("/var/cpanel/secdatadir/global.pag", O_RDONLY|O_CLOEXEC) = 209
fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
fstat(208, {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
fstat(208, {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
lseek(209, 0, SEEK_SET)                 = 0
read(209, "", 1024)                     = 0
fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
close(208)                              = 0
close(209)                              = 0
open("/var/cpanel/secdatadir/ip.dir", O_RDONLY|O_CLOEXEC) = 208
open("/var/cpanel/secdatadir/ip.pag", O_RDONLY|O_CLOEXEC) = 209
fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
fstat(208, {st_mode=S_IFREG|0777, st_size=4096, ...}) = 0
fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
fstat(208, {st_mode=S_IFREG|0777, st_size=4096, ...}) = 0
lseek(208, 0, SEEK_SET)                 = 0
read(208, "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\373\371\377\377\377\367\377\377\177"..., 4096) = 4096
lseek(209, 31744, SEEK_SET)             = 31744
read(209, "\0\0\312\3\247\2w\2T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
close(208)                              = 0
close(209)                              = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
tgkill(19763, 19764, SIGRT_1)           = 0
setgroups(0, [])                        = 0
tgkill(19763, 19764, SIGRT_1)           = 0
setgid(1019)                            = 0
tgkill(19763, 19764, SIGRT_1)           = 0
setuid(1019)                            = 0
prctl(PR_SET_DUMPABLE, 1)               = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
stat("/home/indian05/public_html/robots.txt", 0x7ffeb529ba20) = -1 ENOENT (No such file or directory)
open("/.htaccess", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/.htaccess", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/.htaccess", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
open("/home/indian05/public_html/.htaccess", O_RDONLY|O_CLOEXEC) = 208
fstat(208, {st_mode=S_IFREG|0755, st_size=6551, ...}) = 0
read(208, "#RewriteEngine On \n#RewriteCond "..., 4096) = 4096
read(208, "irectoryhere/.*$\n    #RewriteCon"..., 4096) = 2455
read(208, "", 4096)                     = 0
close(208)                              = 0
lstat("/home/indian05/public_html/robots.txt", 0x7ffeb529ba20) = -1 ENOENT (No such file or directory)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
tgkill(19763, 19764, SIGRT_1)           = 0
setgroups(0, [])                        = 0
tgkill(19763, 19764, SIGRT_1)           = 0
setgid(1019)                            = 0
tgkill(19763, 19764, SIGRT_1)           = 0
setuid(1019)                            = 0
prctl(PR_SET_DUMPABLE, 1)               = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
open("/dev/urandom", O_RDONLY)          = 208
read(208, "^3,\231\346\336\263\355$\247\25\360\17\226Jb]N\374\370\335\303\370sy<\250\35\356\245\275\217"..., 64) = 64
close(208)                              = 0
open("/dev/urandom", O_RDONLY)          = 208
read(208, "\315\220\266\206\256g\233;\334\337\230\332&\372\207Z\340\2409\tb\213\275C\373\225:4\375l%\222"..., 64) = 64
close(208)                              = 0
stat("/home/indian05/public_html/robots.txt", 0x7ffeb529b970) = -1 ENOENT (No such file or directory)
stat("/home/indian05/public_html/robots.txt", 0x7ffeb529b970) = -1 ENOENT (No such file or directory)
lstat("/home/indian05/public_html/robots.txt", 0x7ffeb529b970) = -1 ENOENT (No such file or directory)
access("/var/cpanel/bwlimited/indianrivergroves.com", F_OK) = -1 ENOENT (No such file or directory)
stat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
stat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
access("/var/cpanel/bwlimited/indianrivergroves.com", F_OK) = -1 ENOENT (No such file or directory)
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={18000, 0}}, NULL) = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x7f5df609f175, [PROF], SA_RESTORER|SA_RESTART, 0x7f5df7918670}, {0x7f5df609f175, [PROF], SA_RESTORER|SA_RESTART, 0x7f5df7918670}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
getcwd("/", 4095)                       = 2
chdir("/home/indian05/public_html")     = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={18000, 0}}, NULL) = 0
lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/public_html/index.php", O_RDONLY) = 208
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
mmap(NULL, 2614, PROT_READ, MAP_SHARED, 208, 0) = 0x7f5de0795000
munmap(0x7f5de0795000, 2614)            = 0
close(208)                              = 0
lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/public_html/index.php", O_RDONLY) = 208
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
mmap(NULL, 2614, PROT_READ, MAP_SHARED, 208, 0) = 0x7f5de0795000
fcntl(208, F_GETFL)                     = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5de0794000
lseek(208, 0, SEEK_CUR)                 = 0
read(208, "<?php\n/**\n * Magento\n *\n * NOTIC"..., 4096) = 2614
lseek(208, 2614, SEEK_SET)              = 2614
fcntl(201, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=1, len=1}) = 0
munmap(0x7f5de0795000, 2614)            = 0
lseek(208, -2614, SEEK_CUR)             = 0
close(208)                              = 0
munmap(0x7f5de0794000, 4096)            = 0
getcwd("/home/indian05/public_html", 4096) = 27
lstat("/home/indian05/public_html/includes/config.php", {st_mode=S_IFREG|0600, st_size=1114, ...}) = 0
lstat("/home/indian05/public_html/includes", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/includes/config.php", {st_mode=S_IFREG|0600, st_size=1114, ...}) = 0
lstat("/home/indian05/public_html/includes", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
access("/home/indian05/public_html/includes/config.php", F_OK) = 0
lstat("/home/indian05/public_html/includes/config.php", {st_mode=S_IFREG|0600, st_size=1114, ...}) = 0
lstat("/home/indian05/public_html/includes", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/public_html/includes/config.php", O_RDONLY) = 208
fstat(208, {st_mode=S_IFREG|0600, st_size=1114, ...}) = 0
mmap(NULL, 1114, PROT_READ, MAP_SHARED, 208, 0) = 0x7f5de0795000
munmap(0x7f5de0795000, 1114)            = 0
close(208)                              = 0

Here's a sample of one of the CSF CPU usage warnings. Figured someone was hammering indian05.
Backup was not running at the time, so all other processes were at 0% or pretty low.

Code:
  indian05 24790  4.9  6.1 515288 129028 ?       Rl   00:15   0:40  \_ /usr/local/apache/bin/httpd -k start
 indian05 24791  2.8  5.4 504048 114964 ?       Rl   00:15   0:23  \_ /usr/local/apache/bin/httpd -k start
 indian05 24831  4.9  5.6 505088 118060 ?       Rl   00:15   0:40  \_ /usr/local/apache/bin/httpd -k start
 nobody   24850  2.4  4.3 494588 90640 ?        Sl   00:16   0:19  \_ /usr/local/apache/bin/httpd -k start
 indian05 25011  3.6  5.5 503016 115660 ?       Rl   00:17   0:26  \_ /usr/local/apache/bin/httpd -k start
 indian05 25695  6.1  5.4 503016 113632 ?       Rl   00:21   0:30  \_ /usr/local/apache/bin/httpd -k start
 indian05 25705  7.0  5.4 503504 114380 ?       Rl   00:21   0:35  \_ /usr/local/apache/bin/httpd -k start
 nobody   25706  4.1  4.3 494644 90932 ?        Sl   00:21   0:20  \_ /usr/local/apache/bin/httpd -k start
 indian05 25708  5.0  5.4 503004 113700 ?       Rl   00:21   0:25  \_ /usr/local/apache/bin/httpd -k start
 indian05 25710  4.5  5.4 504036 114876 ?       Rl   00:21   0:22  \_ /usr/local/apache/bin/httpd -k start
 indian05 25711  3.1  5.5 505288 116524 ?       Rl   00:21   0:15  \_ /usr/local/apache/bin/httpd -k start
 nobody   25733  4.3  4.3 494644 90928 ?        Sl   00:21   0:21  \_ /usr/local/apache/bin/httpd -k start
 nobody   25734  4.3  4.3 494644 91124 ?        Sl   00:21   0:21  \_ /usr/local/apache/bin/httpd -k start
 indian05 25737  5.3  5.4 504296 114168 ?       Rl   00:21   0:26  \_ /usr/local/apache/bin/httpd -k start
 indian05 25747  3.9  5.6 507104 119004 ?       Rl   00:21   0:19  \_ /usr/local/apache/bin/httpd -k start
 indian05 25749  4.1  5.4 503796 114412 ?       Rl   00:21   0:20  \_ /usr/local/apache/bin/httpd -k start
 indian05 25783  5.4  5.4 504312 114280 ?       Sl   00:21   0:26  \_ /usr/local/apache/bin/httpd -k start
 indian05 25788  2.8  4.9 495156 104856 ?       Rl   00:21   0:14  \_ /usr/local/apache/bin/httpd -k start
 nobody   25790  4.2  4.3 494644 90804 ?        Sl   00:21   0:20  \_ /usr/local/apache/bin/httpd -k start
 indian05 25813  4.6  4.3 494644 92116 ?        Rl   00:21   0:22  \_ /usr/local/apache/bin/httpd -k start
 nobody   25817  4.9  4.3 494644 90804 ?        Sl   00:21   0:23  \_ /usr/local/apache/bin/httpd -k start
 indian05 25818  3.0  5.4 503424 114268 ?       Rl   00:21   0:14  \_ /usr/local/apache/bin/httpd -k start
 nobody   25844  5.1  4.3 494644 90832 ?        Sl   00:21   0:24  \_ /usr/local/apache/bin/httpd -k start
 indian05 26080  6.5  5.4 503048 113688 ?       Rl   00:21   0:29  \_ /usr/local/apache/bin/httpd -k start
 indian05 26083  3.2  5.2 495132 109216 ?       Rl   00:21   0:14  \_ /usr/local/apache/bin/httpd -k start
 indian05 26141  2.5  4.4 495040 93512 ?        Rl   00:22   0:11  \_ /usr/local/apache/bin/httpd -k start
 indian05 26442  6.0  5.4 504280 114316 ?       Rl   00:23   0:19  \_ /usr/local/apache/bin/httpd -k start
 indian05 26667  6.7  5.4 504316 114516 ?       Rl   00:24   0:17  \_ /usr/local/apache/bin/httpd -k start
 indian05 26737  3.6  5.4 503264 114140 ?       Rl   00:25   0:09  \_ /usr/local/apache/bin/httpd -k start
 indian05 26750  3.6  5.4 503264 113664 ?       Rl   00:25   0:09  \_ /usr/local/apache/bin/httpd -k start
 indian05 26751  6.5  5.4 504072 114708 ?       Rl   00:25   0:16  \_ /usr/local/apache/bin/httpd -k start
 nobody   26753  4.5  4.3 494644 90832 ?        Sl   00:25   0:11  \_ /usr/local/apache/bin/httpd -k start
 indian05 27750  4.1  4.4 495160 94056 ?        Rl   00:27   0:04  \_ /usr/local/apache/bin/httpd -k start
 indian05 27752  4.1  4.4 495156 94068 ?        Rl   00:27   0:04  \_ /usr/local/apache/bin/httpd -k start
 indian05 27753  3.9  4.4 495156 93676 ?        Sl   00:27   0:04  \_ /usr/local/apache/bin/httpd -k start
 nobody   27809  2.5  4.3 494644 90800 ?        Sl   00:27   0:02  \_ /usr/local/apache/bin/httpd -k start
 nobody   28004  0.0  3.4 484912 71368 ?        Sl   00:29   0:00  \_ /usr/local/apache/bin/httpd -k start
 nobody   28013  0.0  3.4 484912 71372 ?        Sl   00:29   0:00  \_ /usr/local/apache/bin/httpd -k start
 nobody   28018  0.0  3.4 484912 71368 ?        Sl   00:29   0:00  \_ /usr/local/apache/bin/httpd -k start
 

RWH Tech

Hey, Michael.
I hadn't read about that sar utility, so I thank you for the link and will do some digging into last night's activity with it.

The CPU load isn't my real concern, but what httpd with nobody as owner is doing in that first post.
Is that legitimate behaviour?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
It's normal for Apache to run as the "nobody" user. The trace output you provided does not suggest anything that's necessarily malicious. It's showing you which files are processed. You may need to review the user in question, or consider suspending the account to see if usage drops to normal.

Thank you.
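
Added example (not part of any post in this thread, and not cPanel code): a small triage helper that groups strace lines like the ones posted above into one record per accepted connection, showing the client address, the request line, the uid the worker switched to (the poster's signature lists mod_ruid2), and the files opened. The names `summarize` and `flags_for_review` and the two review heuristics are assumptions made for this illustration.

```python
import re
from collections import Counter

# Lines copied (abridged) from the second trace posted in this thread.
SAMPLE = r'''
accept4(6, {sa_family=AF_INET, sin_port=htons(16616), sin_addr=inet_addr("77.75.76.167")}, [16], SOCK_CLOEXEC) = 207
read(207, "GET /robots.txt HTTP/1.1\r\nHost: "..., 8000) = 228
setgid(1019)                            = 0
setuid(1019)                            = 0
open("/home/.htaccess", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/home/indian05/public_html/.htaccess", O_RDONLY|O_CLOEXEC) = 208
open("/home/indian05/public_html/index.php", O_RDONLY) = 208
open("/home/indian05/public_html/includes/config.php", O_RDONLY) = 208
'''

ACCEPT = re.compile(r'^accept4?\(.*inet_addr\("([0-9.]+)"\).* = (\d+)$')
REQUEST = re.compile(r'^read\((\d+), "([A-Z]+ \S+) HTTP/')
SETUID = re.compile(r'^setuid\((\d+)\)\s*= 0')
OPEN = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)", ([A-Z_|]+).*= (-?\d+)')
HOME = re.compile(r'^/home/([^/]+)/')


def summarize(trace):
    """Group strace lines into one record per accepted connection."""
    requests, cur = [], None
    for line in trace.splitlines():
        line = line.strip()
        m = ACCEPT.match(line)
        if m:
            cur = {"client": m.group(1), "fd": m.group(2), "request": None,
                   "uid": None, "opened": [], "writes": [], "accounts": Counter()}
            requests.append(cur)
            continue
        if cur is None:
            continue  # strace attached mid-request; nothing to attribute yet
        m = REQUEST.match(line)
        if m and m.group(1) == cur["fd"] and cur["request"] is None:
            cur["request"] = m.group(2)
        m = SETUID.match(line)
        if m:
            cur["uid"] = int(m.group(1))
        m = OPEN.match(line)
        if m and int(m.group(3)) >= 0:  # skip failed opens (ENOENT etc.)
            path, flags = m.group(1), set(m.group(2).split("|"))
            cur["opened"].append(path)
            if flags & {"O_WRONLY", "O_RDWR", "O_CREAT"}:
                cur["writes"].append(path)
            h = HOME.match(path)
            if h:
                cur["accounts"][h.group(1)] += 1
    return requests


def flags_for_review(req):
    """Reasons a request deserves a closer look; empty list if none."""
    reasons = []
    if req["writes"]:
        reasons.append("opened files for writing")
    if len(req["accounts"]) > 1:
        reasons.append("touched more than one account's home directory")
    return reasons


if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["client"], r["request"], r["uid"], dict(r["accounts"]),
              flags_for_review(r) or "nothing flagged")
```

On the lines from the thread this reports a single `GET /robots.txt` request handled as uid 1019 that only read files under one account, with nothing flagged.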
 