
overly active process

Discussion in 'General Discussion' started by prankstr25, Sep 7, 2005.

  1. prankstr25

    I keep getting alerts from my server, where Process Resource Monitor from rfxnetworks is running. Below is a copy:
    This is an automated status warning from xeon1 The
    process (9969) has exceeded defined resource limits, as such a kill
    signal was invoked from the process resource monitor.

    - Event Summary:
    USER: nobody
    PID : 9969
    CMD : [65500]
    CPU%: 0 (limit: 40)
    MEM%: 0 (limit: 20)
    PROCS: 95 (limit: 25)

    But I cannot figure out what this process 9969 is. I have also today received a phishing alert, and the emails are originating from my server, but the domain that's in the header is not hosted there. Possible relation? I have no other signs that my server has been compromised in any way. Any thoughts on how to solve this?
     
    #1 prankstr25, Sep 7, 2005
    Last edited: Sep 7, 2005
  2. chirpy

    Since it's the nobody user it's most likely httpd and therefore a PHP script looping. It could be an innocent programming mistake or it could be evidence of exploits running on your server through compromised php scripts.
     
  3. prankstr25

    Any clues on how to troubleshoot this issue would be appreciated. Like I said, I do not see evidence of rooting or compromising on the server (rkhunter was also run, and looks all good). I believe it is a PHP script, one that also sends SPAM from my server. Any clues on how to find out more precisely would be appreciated.
     
  4. bone

    Use lsof and find out what directory it is running from (that should at least get you a starting point). The file or where it's writing to/running from might give you evidence of who created it and who to suspend :D

    jt
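
The lsof suggestion above, expanded into a small triage helper. This is an added example, not part of any post in the thread. It assumes a Linux /proc filesystem and root privileges to read other users' processes; the function names proc_origin and user_origins are hypothetical.

```shell
#!/bin/sh
# Added example: find where a flagged process is running from.
# Assumes Linux /proc; run as root to inspect processes owned by "nobody".

# proc_origin PID: print owner, working directory, executable and command line.
proc_origin() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "pid $pid: no such process (it may already have been killed)" >&2
        return 1
    fi
    owner=$(stat -c %U "/proc/$pid" 2>/dev/null) || owner=unknown
    # cwd and exe are symlinks to the directory and binary in use
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd=unreadable
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=unreadable
    # cmdline is NUL-separated; turn it into a readable string
    cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ')
    echo "pid=$pid"
    echo "user=$owner"
    echo "cwd=$cwd"
    echo "exe=$exe"
    echo "cmd=${cmd:-[empty]}"
    # A binary removed from disk after launch shows up with this suffix
    case $exe in
        *" (deleted)") echo "note=executable was deleted after launch" ;;
    esac
    # Open files and sockets (scripts being read, files written, connections)
    if command -v lsof >/dev/null 2>&1; then
        lsof -n -P -p "$pid" 2>/dev/null || true
    fi
    return 0
}

# user_origins USER: count a user's processes per working directory,
# useful when the alert reports many processes (PROCS) for one user.
user_origins() {
    for p in $(ps -o pid= -u "$1"); do
        readlink "/proc/$p/cwd" 2>/dev/null
    done | sort | uniq -c | sort -rn
}

# Stand-alone use: sh script.sh PID
if [ $# -gt 0 ]; then
    proc_origin "$1"
fi
```

Because the monitor kills the process, the PID from the alert is usually gone by the time the mail arrives; running user_origins nobody while the load is building shows which directories the processes cluster in.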
     