Need help in tracing httpd processes by nobody

DeepXP

Well-Known Member
Feb 20, 2005
68
7
158
Internet
cPanel Access Level
Root Administrator
For the past one week, 3-4 random nobody-owned processes have been using 200-300% CPU each.

I tried to trace it with the help of the server support guys, but it looks like we are looking in the wrong direction.

I thought it might help me to trace the issues by getting the views of cPanel forum members.

Here are the details of server:

CentOS 6.6
Apache 2.4.12
PHP 5.5.23

Using suPHP and MPM Event, have enabled OPCache in php.ini too.

We managed to trace the site but were not able to locate the exact file. lsof for that process ID reveals requests to a few IPs but no file name. We cannot suspend the site as it's huge and we cannot afford to lose the client.

No improvement in traffic for the past one week.

Any kind of pointers would really help us.
 

DeepXP

OK, after digging deeper and tracing it manually by disabling multiple files, I fixed it. The issue was due to one of the faulty rewrite rules.

This was the rule:

RewriteCond %{HTTP_REFERER} ^([^.]+.)*?example\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^([^.]+.)*?example1\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^([^.]+.)*?example3\.com [NC,OR]
RewriteRule .* - [F]
## STOP REFERRER SPAM ##

Around 20 more such sites in the same pattern as above.
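
The post describes the rule only as faulty. One checkable property of the pattern is that the dot closing `([^.]+.)` is unescaped, so it matches any character and the repeated group can split the same Referer text in many different ways. The Python sketch below is an added example, not code from the thread: it flags such conditions in a config and counts those splits. The names `audit` and `paths` and the sample config are constructed for illustration, and linking this property to the CPU load in the thread is an assumption.

```python
import re
from functools import lru_cache

# Constructed sample config: the first condition copies the thread's pattern,
# the second is the same condition with the separator dot escaped.
SAMPLE = r"""
RewriteCond %{HTTP_REFERER} ^([^.]+.)*?example\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^([^.]+\.)*?example1\.com [NC]
RewriteRule .* - [F]
"""

# A repeated group whose body is "[^.]+" followed by a dot, escaped or not.
LABEL_GROUP = re.compile(r"\(\[\^\.\]\+(\\?)\.\)[*+]")

def audit(config):
    """Return (line_no, pattern) for each RewriteCond whose repeated label
    group ends in an unescaped dot, which matches any character."""
    hits = []
    for no, line in enumerate(config.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "rewritecond":
            m = LABEL_GROUP.search(parts[2])
            if m and m.group(1) == "":
                hits.append((no, parts[2]))
    return hits

def paths(subject, escaped):
    """Count the ways the repeated group (escaped-dot form when escaped is
    True) can consume a prefix of subject. These are the alternatives a
    backtracking matcher has to try when the rest of the pattern fails."""
    @lru_cache(maxsize=None)
    def from_pos(i):
        total = 1                          # option: stop repeating here
        j = i
        while j < len(subject) and subject[j] != ".":
            j += 1                         # [^.]+ has consumed subject[i:j]
            if j < len(subject) and (not escaped or subject[j] == "."):
                total += from_pos(j + 1)   # the dot consumed subject[j]
        return total
    return from_pos(0)

if __name__ == "__main__":
    print(audit(SAMPLE))
    for n in (10, 20, 30):                 # constructed dot-free Referer tails
        print(n, paths("a" * n, False), paths("a" * n, True))
```

The count for the unescaped form grows like the Fibonacci sequence with the length of the dot-free run, while the escaped form stays at one path for the same input.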