The Community Forums


High CPU load overnight and funny strace today.

Discussion in 'Security' started by RWH Tech, Feb 18, 2016.

  1. RWH Tech

    RWH Tech Well-Known Member

    Joined:
    Oct 1, 2015
    Messages:
    74
    Likes Received:
    11
    Trophy Points:
    8
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    WHM 54.0 (build 15)- mod_ruid2, PHP-FPM for cpanel enabled.

    I got high CPU warnings from CSF last night. Saw them this morning and figured people were attacking the server somehow. Processes belonged to nobody and named accounts.

    This morning I went into the Process manager and ran a trace on httpd owned by nobody. This is what I found.

    It looks like it's scanning an account and I've seen it do it to a different account.

    The beef is that I've never run a trace before and don't know if this is normal.
    Looks suspicious as hell, to me, but I figured I'd post here and ask you guys.
    What do you think about the strace below? Done on an httpd process belonging to nobody and taking up 4% CPU in process manager.


    Code:
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community/Aitoc", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code/community", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app/code", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/app", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    open("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", O_RDONLY) = 209
    fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
    fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
    fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
    mmap(NULL, 1229, PROT_READ, MAP_SHARED, 209, 0) = 0x7f5de0795000
    fcntl(209, F_GETFL)                     = 0x8000 (flags O_RDONLY|O_LARGEFILE)
    fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5de0794000
    lseek(209, 0, SEEK_CUR)                 = 0
    read(209, "<?php\n/**\n * @copyright  Copyrig"..., 4096) = 1229
    lseek(209, 1229, SEEK_SET)              = 1229
    munmap(0x7f5de0795000, 1229)            = 0
    lseek(209, -1229, SEEK_CUR)             = 0
    close(209)                              = 0
    munmap(0x7f5de0794000, 4096)            = 0
    
     
    #1 RWH Tech, Feb 18, 2016
    Last edited by a moderator: Feb 18, 2016
  2. syslint

    syslint Well-Known Member

    Joined:
    Oct 9, 2006
    Messages:
    249
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,
    I think it needs more logs for troubleshooting this issue. You said you got the load at night. How is your backup configuration? Do you have any type of heavy traffic at that time?
     
  3. RWH Tech

    Process manager currently reports 4 httpd processes, owned by nobody, consuming 6%, 3% and two with 1%.

    So, is it normal for httpd nobody to be reading /home/blahblah? I'm wondering if I'm chasing ghosts.
    Trace on the process with 6% shows it hitting the magento install, again.

    Code:
    Process 19763 attached
    restart_syscall(<... resuming interrupted call ...>) = 0
    writev(207, [{"\27\3\3\0)\236]*\375\307\357LUu\250.U)\235\343\na\376j\372\206\362BL)\252\353"..., 46}], 1) = 46
    writev(207, [{"\25\3\3\0\32\236]*\375\307\357LVb^\5]\211\206\311C5c \237q\227\32\227*y", 31}], 1) = 31
    shutdown(207, SHUT_WR)                  = 0
    poll([{fd=207, events=POLLIN}], 1, 2000) = 0 (Timeout)
    close(207)                              = 0
    read(10, 0x7ffeb529bf4b, 1)             = -1 EAGAIN (Resource temporarily unavailable)
    semop(9830410, {{0, -1, SEM_UNDO}}, 1)  = 0
    epoll_wait(205, {}, 4, 10000)           = 0
    epoll_wait(205, {{EPOLLIN, {u32=87201208, u64=87201208}}}, 4, 10000) = 1
    accept4(6, {sa_family=AF_INET, sin_port=htons(16616), sin_addr=inet_addr("77.75.76.167")}, [16], SOCK_CLOEXEC) = 207
    semop(9830410, {{0, 1, SEM_UNDO}}, 1)   = 0
    getsockname(207, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("198.46.237.187")}, [16]) = 0
    fcntl(207, F_GETFL)                     = 0x2 (flags O_RDWR)
    fcntl(207, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
    read(207, "GET /robots.txt HTTP/1.1\r\nHost: "..., 8000) = 228
    open("/dev/urandom", O_RDONLY)          = 208
    read(208, "\350\305\344\5\301s\344\213\237\342\302V\316\230zW\217\25\2742\205\24\272(\4G\317.\276\321\375\222"..., 64) = 64
    close(208)                              = 0
    open("/dev/urandom", O_RDONLY)          = 208
    read(208, "P*v\f\363\16\274^\250\243\351 \303\324\373\35\335\312\270\240\332#\264\364\375\23x9\216`x\23"..., 64) = 64
    close(208)                              = 0
    open("/var/cpanel/secdatadir/global.dir", O_RDONLY|O_CLOEXEC) = 208
    open("/var/cpanel/secdatadir/global.pag", O_RDONLY|O_CLOEXEC) = 209
    fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
    fstat(208, {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
    fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
    fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
    fstat(208, {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
    lseek(209, 0, SEEK_SET)                 = 0
    read(209, "", 1024)                     = 0
    fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
    close(208)                              = 0
    close(209)                              = 0
    open("/var/cpanel/secdatadir/ip.dir", O_RDONLY|O_CLOEXEC) = 208
    open("/var/cpanel/secdatadir/ip.pag", O_RDONLY|O_CLOEXEC) = 209
    fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
    fstat(208, {st_mode=S_IFREG|0777, st_size=4096, ...}) = 0
    fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
    fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
    fstat(208, {st_mode=S_IFREG|0777, st_size=4096, ...}) = 0
    lseek(208, 0, SEEK_SET)                 = 0
    read(208, "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\373\371\377\377\377\367\377\377\177"..., 4096) = 4096
    lseek(209, 31744, SEEK_SET)             = 31744
    read(209, "\0\0\312\3\247\2w\2T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
    fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
    close(208)                              = 0
    close(209)                              = 0
    capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
    capget({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
    capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
    tgkill(19763, 19764, SIGRT_1)           = 0
    setgroups(0, [])                        = 0
    tgkill(19763, 19764, SIGRT_1)           = 0
    setgid(1019)                            = 0
    tgkill(19763, 19764, SIGRT_1)           = 0
    setuid(1019)                            = 0
    prctl(PR_SET_DUMPABLE, 1)               = 0
    capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
    capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
    capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
    stat("/home/indian05/public_html/robots.txt", 0x7ffeb529ba20) = -1 ENOENT (No such file or directory)
    open("/.htaccess", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    open("/home/.htaccess", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    open("/home/indian05/.htaccess", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    open("/home/indian05/public_html/.htaccess", O_RDONLY|O_CLOEXEC) = 208
    fstat(208, {st_mode=S_IFREG|0755, st_size=6551, ...}) = 0
    read(208, "#RewriteEngine On \n#RewriteCond "..., 4096) = 4096
    read(208, "irectoryhere/.*$\n    #RewriteCon"..., 4096) = 2455
    read(208, "", 4096)                     = 0
    close(208)                              = 0
    lstat("/home/indian05/public_html/robots.txt", 0x7ffeb529ba20) = -1 ENOENT (No such file or directory)
    capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
    capget({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
    capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
    tgkill(19763, 19764, SIGRT_1)           = 0
    setgroups(0, [])                        = 0
    tgkill(19763, 19764, SIGRT_1)           = 0
    setgid(1019)                            = 0
    tgkill(19763, 19764, SIGRT_1)           = 0
    setuid(1019)                            = 0
    prctl(PR_SET_DUMPABLE, 1)               = 0
    capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
    capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
    capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
    open("/dev/urandom", O_RDONLY)          = 208
    read(208, "^3,\231\346\336\263\355$\247\25\360\17\226Jb]N\374\370\335\303\370sy<\250\35\356\245\275\217"..., 64) = 64
    close(208)                              = 0
    open("/dev/urandom", O_RDONLY)          = 208
    read(208, "\315\220\266\206\256g\233;\334\337\230\332&\372\207Z\340\2409\tb\213\275C\373\225:4\375l%\222"..., 64) = 64
    close(208)                              = 0
    stat("/home/indian05/public_html/robots.txt", 0x7ffeb529b970) = -1 ENOENT (No such file or directory)
    stat("/home/indian05/public_html/robots.txt", 0x7ffeb529b970) = -1 ENOENT (No such file or directory)
    lstat("/home/indian05/public_html/robots.txt", 0x7ffeb529b970) = -1 ENOENT (No such file or directory)
    access("/var/cpanel/bwlimited/indianrivergroves.com", F_OK) = -1 ENOENT (No such file or directory)
    stat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    stat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    access("/var/cpanel/bwlimited/indianrivergroves.com", F_OK) = -1 ENOENT (No such file or directory)
    setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
    setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={18000, 0}}, NULL) = 0
    setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
    rt_sigaction(SIGPROF, {0x7f5df609f175, [PROF], SA_RESTORER|SA_RESTART, 0x7f5df7918670}, {0x7f5df609f175, [PROF], SA_RESTORER|SA_RESTART, 0x7f5df7918670}, 8) = 0
    rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
    getcwd("/", 4095)                       = 2
    chdir("/home/indian05/public_html")     = 0
    setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={18000, 0}}, NULL) = 0
    lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    open("/home/indian05/public_html/index.php", O_RDONLY) = 208
    fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    mmap(NULL, 2614, PROT_READ, MAP_SHARED, 208, 0) = 0x7f5de0795000
    munmap(0x7f5de0795000, 2614)            = 0
    close(208)                              = 0
    lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    open("/home/indian05/public_html/index.php", O_RDONLY) = 208
    fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    mmap(NULL, 2614, PROT_READ, MAP_SHARED, 208, 0) = 0x7f5de0795000
    fcntl(208, F_GETFL)                     = 0x8000 (flags O_RDONLY|O_LARGEFILE)
    fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5de0794000
    lseek(208, 0, SEEK_CUR)                 = 0
    read(208, "<?php\n/**\n * Magento\n *\n * NOTIC"..., 4096) = 2614
    lseek(208, 2614, SEEK_SET)              = 2614
    fcntl(201, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=1, len=1}) = 0
    munmap(0x7f5de0795000, 2614)            = 0
    lseek(208, -2614, SEEK_CUR)             = 0
    close(208)                              = 0
    munmap(0x7f5de0794000, 4096)            = 0
    getcwd("/home/indian05/public_html", 4096) = 27
    lstat("/home/indian05/public_html/includes/config.php", {st_mode=S_IFREG|0600, st_size=1114, ...}) = 0
    lstat("/home/indian05/public_html/includes", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html/includes/config.php", {st_mode=S_IFREG|0600, st_size=1114, ...}) = 0
    lstat("/home/indian05/public_html/includes", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    access("/home/indian05/public_html/includes/config.php", F_OK) = 0
    lstat("/home/indian05/public_html/includes/config.php", {st_mode=S_IFREG|0600, st_size=1114, ...}) = 0
    lstat("/home/indian05/public_html/includes", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
    lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
    lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
    open("/home/indian05/public_html/includes/config.php", O_RDONLY) = 208
    fstat(208, {st_mode=S_IFREG|0600, st_size=1114, ...}) = 0
    mmap(NULL, 1114, PROT_READ, MAP_SHARED, 208, 0) = 0x7f5de0795000
    munmap(0x7f5de0795000, 1114)            = 0
    close(208)                              = 0
    

    Here's a sample of one of the CSF CPU usage warnings. Figured someone was hammering indian05.
    Backup was not running at the time, so all other processes were at 0% or pretty low.

    Code:
    
      indian05 24790  4.9  6.1 515288 129028 ?       Rl   00:15   0:40  \_ /usr/local/apache/bin/httpd -k start
     indian05 24791  2.8  5.4 504048 114964 ?       Rl   00:15   0:23  \_ /usr/local/apache/bin/httpd -k start
     indian05 24831  4.9  5.6 505088 118060 ?       Rl   00:15   0:40  \_ /usr/local/apache/bin/httpd -k start
     nobody   24850  2.4  4.3 494588 90640 ?        Sl   00:16   0:19  \_ /usr/local/apache/bin/httpd -k start
     indian05 25011  3.6  5.5 503016 115660 ?       Rl   00:17   0:26  \_ /usr/local/apache/bin/httpd -k start
     indian05 25695  6.1  5.4 503016 113632 ?       Rl   00:21   0:30  \_ /usr/local/apache/bin/httpd -k start
     indian05 25705  7.0  5.4 503504 114380 ?       Rl   00:21   0:35  \_ /usr/local/apache/bin/httpd -k start
     nobody   25706  4.1  4.3 494644 90932 ?        Sl   00:21   0:20  \_ /usr/local/apache/bin/httpd -k start
     indian05 25708  5.0  5.4 503004 113700 ?       Rl   00:21   0:25  \_ /usr/local/apache/bin/httpd -k start
     indian05 25710  4.5  5.4 504036 114876 ?       Rl   00:21   0:22  \_ /usr/local/apache/bin/httpd -k start
     indian05 25711  3.1  5.5 505288 116524 ?       Rl   00:21   0:15  \_ /usr/local/apache/bin/httpd -k start
     nobody   25733  4.3  4.3 494644 90928 ?        Sl   00:21   0:21  \_ /usr/local/apache/bin/httpd -k start
     nobody   25734  4.3  4.3 494644 91124 ?        Sl   00:21   0:21  \_ /usr/local/apache/bin/httpd -k start
     indian05 25737  5.3  5.4 504296 114168 ?       Rl   00:21   0:26  \_ /usr/local/apache/bin/httpd -k start
     indian05 25747  3.9  5.6 507104 119004 ?       Rl   00:21   0:19  \_ /usr/local/apache/bin/httpd -k start
     indian05 25749  4.1  5.4 503796 114412 ?       Rl   00:21   0:20  \_ /usr/local/apache/bin/httpd -k start
     indian05 25783  5.4  5.4 504312 114280 ?       Sl   00:21   0:26  \_ /usr/local/apache/bin/httpd -k start
     indian05 25788  2.8  4.9 495156 104856 ?       Rl   00:21   0:14  \_ /usr/local/apache/bin/httpd -k start
     nobody   25790  4.2  4.3 494644 90804 ?        Sl   00:21   0:20  \_ /usr/local/apache/bin/httpd -k start
     indian05 25813  4.6  4.3 494644 92116 ?        Rl   00:21   0:22  \_ /usr/local/apache/bin/httpd -k start
     nobody   25817  4.9  4.3 494644 90804 ?        Sl   00:21   0:23  \_ /usr/local/apache/bin/httpd -k start
     indian05 25818  3.0  5.4 503424 114268 ?       Rl   00:21   0:14  \_ /usr/local/apache/bin/httpd -k start
     nobody   25844  5.1  4.3 494644 90832 ?        Sl   00:21   0:24  \_ /usr/local/apache/bin/httpd -k start
     indian05 26080  6.5  5.4 503048 113688 ?       Rl   00:21   0:29  \_ /usr/local/apache/bin/httpd -k start
     indian05 26083  3.2  5.2 495132 109216 ?       Rl   00:21   0:14  \_ /usr/local/apache/bin/httpd -k start
     indian05 26141  2.5  4.4 495040 93512 ?        Rl   00:22   0:11  \_ /usr/local/apache/bin/httpd -k start
     indian05 26442  6.0  5.4 504280 114316 ?       Rl   00:23   0:19  \_ /usr/local/apache/bin/httpd -k start
     indian05 26667  6.7  5.4 504316 114516 ?       Rl   00:24   0:17  \_ /usr/local/apache/bin/httpd -k start
     indian05 26737  3.6  5.4 503264 114140 ?       Rl   00:25   0:09  \_ /usr/local/apache/bin/httpd -k start
     indian05 26750  3.6  5.4 503264 113664 ?       Rl   00:25   0:09  \_ /usr/local/apache/bin/httpd -k start
     indian05 26751  6.5  5.4 504072 114708 ?       Rl   00:25   0:16  \_ /usr/local/apache/bin/httpd -k start
     nobody   26753  4.5  4.3 494644 90832 ?        Sl   00:25   0:11  \_ /usr/local/apache/bin/httpd -k start
     indian05 27750  4.1  4.4 495160 94056 ?        Rl   00:27   0:04  \_ /usr/local/apache/bin/httpd -k start
     indian05 27752  4.1  4.4 495156 94068 ?        Rl   00:27   0:04  \_ /usr/local/apache/bin/httpd -k start
     indian05 27753  3.9  4.4 495156 93676 ?        Sl   00:27   0:04  \_ /usr/local/apache/bin/httpd -k start
     nobody   27809  2.5  4.3 494644 90800 ?        Sl   00:27   0:02  \_ /usr/local/apache/bin/httpd -k start
     nobody   28004  0.0  3.4 484912 71368 ?        Sl   00:29   0:00  \_ /usr/local/apache/bin/httpd -k start
     nobody   28013  0.0  3.4 484912 71372 ?        Sl   00:29   0:00  \_ /usr/local/apache/bin/httpd -k start
     nobody   28018  0.0  3.4 484912 71368 ?        Sl   00:29   0:00  \_ /usr/local/apache/bin/httpd -k start
    
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. RWH Tech

    Hey, Michael.
    I hadn't read about that sar utility, so I thank you for the link and will do some digging into last night's activity with it.

    The CPU load isn't my real concern, but what httpd with nobody as owner is doing in that first post.
    Is that legitimate behaviour?
     
  6. cPanelMichael

    It's normal for Apache to run as the "nobody" user. The trace output you provided does not suggest anything that's necessarily malicious. It's showing you which files are processed. You may need to review the user in question, or consider suspending the account to see if usage drops to normal.

    Thank you.
     
    RWH Tech likes this.
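
    One way to condense a trace like the ones posted in this thread into a per-request summary (client, request line, the UID the worker switched to, accounts and files touched), as an added example that is not part of the original thread. The sample lines, account name, IP and file names are constructed, and `summarize` and `triage` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample modelled on the strace output posted in this thread.
# Account name, client IP and the last (write) line are made up for illustration.
SAMPLE = r'''
accept4(6, {sa_family=AF_INET, sin_port=htons(16616), sin_addr=inet_addr("203.0.113.7")}, [16], SOCK_CLOEXEC) = 207
read(207, "GET /robots.txt HTTP/1.1\r\nHost: "..., 8000) = 228
setgid(1019)                            = 0
setuid(1019)                            = 0
stat("/home/exampleuser/public_html/robots.txt", 0x7ffeb529ba20) = -1 ENOENT (No such file or directory)
open("/home/exampleuser/public_html/.htaccess", O_RDONLY|O_CLOEXEC) = 208
lstat("/home/exampleuser/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/exampleuser/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
open("/home/exampleuser/public_html/index.php", O_RDONLY) = 208
open("/home/exampleuser/public_html/var/cache/example.tmp", O_WRONLY|O_CREAT, 0644) = 209
'''

# syscall(args) = return [ERRNO ...]; hex alternative first so "0x8000" is not read as "0"
LINE = re.compile(r'^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*'
                  r'(?P<ret>0x[0-9a-f]+|-?\d+)(?:\s+(?P<err>E[A-Z]+))?')
PATH_CALLS = {"open", "openat", "stat", "lstat", "access"}
WRITE_FLAGS = re.compile(r'O_(WRONLY|RDWR|CREAT|TRUNC|APPEND)')

def summarize(trace, home="/home"):
    """Group strace lines by accepted connection and summarize each request."""
    requests, cur = [], None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        call, args, err = m["call"], m["args"], m["err"]
        if call in ("accept", "accept4"):          # a new client connection starts a request
            ip = re.search(r'inet_addr\("([^"]+)"\)', args)
            cur = {"client": ip.group(1) if ip else None, "request": None,
                   "uid": None, "accounts": Counter(), "writes": [], "missing": set()}
            requests.append(cur)
        elif cur is None:
            continue                               # lines before the first accept
        elif call == "read" and cur["request"] is None:
            req = re.search(r'"([A-Z]+ \S+) HTTP/', args)
            if req:
                cur["request"] = req.group(1)
        elif call == "setuid" and err is None:     # mod_ruid2 switching to the site owner
            cur["uid"] = int(args)
        elif call in PATH_CALLS:
            p = re.search(r'"([^"]*)"', args)
            if not p:
                continue
            path = p.group(1)
            if path.startswith(home + "/"):
                cur["accounts"][path.split("/")[2]] += 1
            if err == "ENOENT":
                cur["missing"].add(path)           # e.g. .htaccess / robots.txt probes
            elif call in ("open", "openat") and WRITE_FLAGS.search(args):
                cur["writes"].append(path)
    return requests

def triage(req):
    """Return the points worth a second look; an empty list means plain file serving."""
    flags = []
    if len(req["accounts"]) > 1:
        flags.append("touched several accounts: " + ", ".join(sorted(req["accounts"])))
    flags += ["opened for writing: " + p for p in req["writes"]]
    return flags

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["client"], r["request"], "uid", r["uid"], dict(r["accounts"]))
        print("  flags:", triage(r) or "none")
```
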
  7. RWH Tech

    Thanks, mister. I will dig further into the CPU usage/etc as time permits.
     