
High CPU load

Discussion in 'General Discussion' started by hedehudu, Apr 8, 2006.

  1. hedehudu

    " cpsrvd failed @ Sat Apr 8 06:58:23 2006. A restart was attempted automagicly."

    This message was sent to me by the server. After the message, the server freezes until I restart httpd. CPU load is very high (10-15), but the server has 10 web sites and 3 sites active. These sites have about 30.000 page views/day, and there is no attack on the server, because I purchased it 5 days ago :). This is abnormal :) These images show the server load.



    Are these normal for an AMD2600, 512 RAM, CentOS operating system...?

    If I stop cPanel/WHM and start xampp (apache, mysql, proftp package), everything works normally. There is no high load or CPU usage.
     
  2. hedehudu

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 11902/stunnel-4.04l
    tcp 0 0 0.0.0.0:1 0.0.0.0:* LISTEN 2317/portsentry
    tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN 13918/cpsrvd - wait
    tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN 11902/stunnel-4.04l
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 11902/stunnel-4.04l
    tcp 0 0 0.0.0.0:2084 0.0.0.0:* LISTEN 11860/entropychat
    tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN 13918/cpsrvd - wait
    tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN 11902/stunnel-4.04l
    tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 11864/startmelange
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 11791/mysqld
    tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 11855/cppop - accep
    tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN 13918/cpsrvd - wait
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2317/portsentry
    tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 1874/spamd.pid --ma
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1711/xinetd
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12071/httpd
    tcp 0 0 72.36.191.93:80 85.98.1.219:4022 SYN_RECV -
    tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN 11902/stunnel-4.04l
    tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 1813/exim
    tcp 0 0 72.36.191.94:53 0.0.0.0:* LISTEN 12213/named
    tcp 0 0 72.36.191.93:53 0.0.0.0:* LISTEN 12213/named
    tcp 0 0 72.36.191.92:53 0.0.0.0:* LISTEN 12213/named
    tcp 0 0 72.36.191.91:53 0.0.0.0:* LISTEN 12213/named
    tcp 0 0 72.36.191.90:53 0.0.0.0:* LISTEN 12213/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 12213/named
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1639/proftpd: (acce
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 12213/named
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1809/exim
    tcp 0 0 0.0.0.0:26 0.0.0.0:* LISTEN 11998/exim
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 12071/httpd
    tcp 0 0 72.36.191.93:80 85.102.101.43:2222 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.102.48.65:4433 ESTABLISHED 13928/httpd
    tcp 0 0 72.36.191.93:80 85.104.186.155:2673 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.105.75.50:1428 ESTABLISHED 13940/httpd
    tcp 0 0 72.36.191.93:80 85.104.186.155:2674 TIME_WAIT -
    tcp 0 3047 72.36.191.93:80 85.102.48.65:4434 ESTABLISHED 13929/httpd
    tcp 0 0 72.36.191.93:80 85.97.152.140:50383 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.104.186.155:2676 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.97.174.170:4633 ESTABLISHED 13934/httpd
    tcp 0 0 72.36.191.93:80 85.104.186.155:2678 ESTABLISHED 13912/httpd
    tcp 0 0 72.36.191.93:80 85.104.186.155:2679 TIME_WAIT -
    tcp 0 0 72.36.191.93:38954 72.36.191.93:80 TIME_WAIT -
    tcp 0 0 72.36.191.93:38950 72.36.191.93:80 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.102.101.43:2276 FIN_WAIT2 -
    tcp 0 0 72.36.191.93:80 85.103.135.224:50740 ESTABLISHED 13910/httpd
    tcp 0 0 72.36.191.93:80 217.84.152.214:61558 ESTABLISHED 13927/httpd
    tcp 0 0 72.36.191.93:80 81.215.126.101:13279 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.99.70.137:3779 FIN_WAIT2 -
    tcp 0 0 72.36.191.93:80 85.100.207.144:4692 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.99.175.81:3263 ESTABLISHED 13943/httpd
    tcp 0 0 72.36.191.93:80 72.36.191.93:38951 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.98.170.109:1867 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.107.66.253:1284 ESTABLISHED 13931/httpd
    tcp 0 0 72.36.191.93:80 72.36.191.93:38955 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.102.238.12:50350 TIME_WAIT -
    tcp 0 0 72.36.191.93:80 85.81.112.63:13237 ESTABLISHED 13930/httpd
    tcp 0 0 72.36.191.93:80 88.233.50.111:2245 ESTABLISHED 13947/httpd
    tcp 0 0 72.36.191.93:80 85.106.173.240:1648 FIN_WAIT2 -
    tcp 0 0 :::22 :::* LISTEN 1688/sshd
    tcp 0 0 ::ffff:72.36.191.90:22 ::ffff:195.175.33.146:11491 ESTABLISHED 401/1
    tcp 0 4632 ::ffff:72.36.191.90:22 ::ffff:195.175.33.146:20010 ESTABLISHED 10801/0



    13 connections is not much..
     
  3. AndyReed

    I wouldn't suggest blocking any IPs, especially using the iptables command, unless you know that this individual is comfortable with his/her Linux administration abilities. He/she might do more damage to their network than repair to the actual high CPU load.

    hedehudu, what is the "normal" cpu load for your server? Is your server secured? If yes, what did you do to secure your server?
     
  4. madaboutlinux

    Yes, it doesn't seem to be an httpd connection problem. There is no attack on port 80. I would also suggest you check the MySQL connections to your server with:
    mysqladmin processlist

    Also reply to AndyReed's questions, as things will get a lot more clear.
     
  5. hedehudu

    This is mysql process list

    +------+-----------+-----------+----------------+----------------+------+--------------------+------------------+
    | Id | User | Host | db | Command | Time | State | Info |
    +------+-----------+-----------+----------------+----------------+------+--------------------+------------------+
    | 2 | eximstats | localhost | eximstats | Sleep | 1776 | | |
    | 437 | DELAYED | | kardeniz_nuke1 | Delayed_insert | 28 | Waiting for INSERT | |
    | 1127 | eximstats | localhost | eximstats | Sleep | 3143 | | |
    | 1893 | root | localhost | | Query | 0 | | show processlist |
    +------+-----------+-----------+----------------+----------------+------+--------------------+------------------+

    The server is not secured by any firewall or anything. But I don't think this is an attack, because I purchased it 5 days ago. And my last server didn't have a problem like this.

    I think normal is "cpanel doesn't send any e-mail to me"
     
  6. madaboutlinux

    It seems there are a lot of httpd connections. Execute the command below and figure out the IPs having too many connections to port 80.
    netstat -alntp

    If you wish you can block those IPs using iptables or APF firewall.

    You can also paste the output of the above command if you wish.
     
    #6 madaboutlinux, Apr 8, 2006
    Last edited: Apr 8, 2006
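
The per-address count that the post above asks for, as an added example that is not part of the original thread: it reads `netstat -ant`-style lines and tallies non-listening connections to local port 80 per remote address. The function names and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input on stdin: netstat -ant / -alntp
# lines: Proto Recv-Q Send-Q Local Foreign State [PID/Program].
conns_per_ip() {
    awk '
        $1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)          # drop the remote port
            total[ip]++
            if ($6 == "ESTABLISHED") est[ip]++
            if ($6 == "SYN_RECV")    syn[ip]++
        }
        END {
            for (ip in total)
                printf "%d %s established=%d syn_recv=%d\n",
                       total[ip], ip, est[ip], syn[ip]
        }
    ' | sort -k1,1nr -k2,2                    # busiest remote address first
}

# Constructed sample input; on a live host use: netstat -ant | conns_per_ip
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 203.0.113.10:80 198.51.100.7:4022 SYN_RECV
tcp 0 0 203.0.113.10:80 198.51.100.7:4023 SYN_RECV
tcp 0 0 203.0.113.10:80 198.51.100.7:4024 ESTABLISHED
tcp 0 0 203.0.113.10:80 192.0.2.44:2673 TIME_WAIT
tcp 0 0 203.0.113.10:80 192.0.2.44:2674 ESTABLISHED
tcp 0 0 203.0.113.10:22 192.0.2.99:11491 ESTABLISHED
EOF
}

sample_netstat | conns_per_ip
```

A remote address whose count is dominated by `syn_recv` rather than `established` is the pattern worth a closer look before any blocking decision.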
  7. dave9000

    Based on the memory usage listed in top, another 512 meg or more of RAM would probably help as much as anything.

    What I have found from real-world experience is that a cPanel server using RHEL/CentOS works best with 2 gig or more of RAM.

    Our RAM usage on moderate-usage servers with a high percentage of PHP/MySQL page views averages 1.2 - 1.5 gig of RAM in use or cached, with the rest listed free.

    The only time our loads go above 1 is during NFS-mounted cPanel backups.

    The high CPU usage for Apache could be caused by faulty scripting, not enough RAM, an attack of some form, or all of the above. However, with swap being heavily used, all processes will appear with high CPU usage, and time active will appear excessive also.
     
  8. konrath



    Install PRM and kill process :D

    Into folder RULES, configure HTTPD to MAXCPU=5 and put in cron to 1 minute check

    # Max CPU usage readout for a process - % of all cpu resources (decimal values unsupported)
    MAXCPU="5"



    http://r-fx.org/prm.php
     
  9. yufool

    try preventing 'nobody' from sending e-mails

    Something sounds fishy - those loads definitely aren't normal.

    Your server is possibly experiencing e-mail attacks if it has continuously high load from user 'nobody'. Possibly one of your PHP/CGI mail scripts is being exploited. Your data center won't be happy if they find spam e-mail originating from your server.

    In WHM, go to Server Configuration -> Tweak Settings and try checking the option to prevent nobody from sending messages.

    If this helps, then go and try to remove the exploited scripts as you find them, employ the proper permissions. You may want to have that user change their password as well.

    I highly recommend PRM as mentioned above (process resource monitor) from Rf-x networks. http://www.rfxnetworks.com. It continually monitors your resource usage and kills processes that exceed your limits and sends you an e-mail.

    If PRM keeps killing a certain process, you'll have a better idea of where the problem is coming from.

    ----

    You also will want to get APF firewall running on your box ASAP. Because it's not a matter of "IF" someone tries to attack you. It's a matter of "WHEN."

    Let me know if this helps!
     
    #9 yufool, Apr 12, 2006
    Last edited: Apr 12, 2006
  10. Leonardo Gomes

    i am this problem and solutions....

    in shell

    $ mkdir /root/scripts
    $ cd /root/scripts
    $ pico nobody

    paste

    kill -9 `ps aux | grep ^nobody | tr -s " " | cut -d" " -f2`
    echo "`date` - Processos nobody finalizados";

    ctrl+x and y to save

    $ chmod 0755 /root/scripts/nobody

    after run

    $ /root/scripts/nobody

    It kills all processes on nobody and frees +- 50% memory usage.

    I set this script in cron.

    $ crontab -e

    add this line

    */15 * * * * /root/scripts/nobody >> /root/scripts/nobody.log

    ;-)
     
    #10 Leonardo Gomes, Apr 25, 2006
    Last edited: Apr 25, 2006
  11. brianoz

    This is dangerous, don't do it if you like your server. I think in this case you am the problem! :rolleyes:

    In particular, it kills off all your nobody processes - probably httpd, every 15 minutes. That should shut down your web server every 15 minutes. Look for other solutions.
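
A non-destructive alternative to the kill script discussed above, as an added example that is not part of the original thread: it lists processes owned by exactly `nobody` at or above a CPU limit, so the offending script can be identified while httpd keeps running. `nobody_hogs`, `sample_ps` and the sample process lines are constructed; the default limit of 5 echoes the MAXCPU value quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Input on stdin: lines in the format of
#   ps -eo user,pid,pcpu,args
# Unlike `grep ^nobody`, the user field must equal "nobody" exactly, and
# nothing is killed: the output is "PID %CPU COMMAND" for review.
nobody_hogs() {
    limit=${1:-5}
    awk -v limit="$limit" '
        $1 == "nobody" && $3 + 0 >= limit + 0 {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i   # rejoin the command line
            printf "%s %s %s\n", $2, $3, cmd
        }
    ' | sort -k2,2nr                                     # highest CPU first
}

# Constructed sample input; on a live host use:
#   ps -eo user,pid,pcpu,args | nobody_hogs 5
sample_ps() {
cat <<'EOF'
USER PID %CPU COMMAND
root 1639 0.0 proftpd: (accepting connections)
nobody 13928 0.3 /usr/local/apache/bin/httpd -DSSL
nobody 13934 1.1 /usr/local/apache/bin/httpd -DSSL
nobody 14102 47.5 perl /tmp/constructed-mailer.pl
nobody2 14200 60.0 constructed-other-user
mysql 11791 2.4 /usr/sbin/mysqld
EOF
}

sample_ps | nobody_hogs 5
```

Run from cron with output appended to a log, this gives the same visibility as the kill script without taking the web server down.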
     
  12. trhosting.net

    If you are using the latest CentOS kernel, it is causing some load problems on some systems.

    You can try to downgrade to 2.6.5 or you can download and compile your own kernel.
     