The Community Forums


Perl ("nobody") keeps taking up 99% CPU

Discussion in 'General Discussion' started by SeanLee, Mar 31, 2005.

  1. SeanLee

    SeanLee Well-Known Member

    I was wondering if anyone has insight as to what may be causing user "nobody" to take up 99% CPU process using perl, over and over again. No matter how many times I kill it, or even reboot the server, it will just come right back within a couple days - then I get the "cpustats" email warning message again. I've done an upgrade of the server software & scripts, and also tried re-compiling apache. Nothing seems to work. Any & all comments appreciated. Here are my stats:

    system info:
    PIV 2.0GHz, 512MB Ram, IDE drives, 3 users & 8 "low traffic" domains.

    uname -a:
    Linux foo.com 2.4.20-31.9 #1 Tue Apr 13 18:04:23 EDT 2004 i686 i686 i386 GNU/Linux

    Top says:
    7649 nobody 25 0 2260 2260 684 R 98.8 0.4 1559m 0 perl

    PHP, Perl & kernel info:
    php-4.2.2-17
    perl-5.8.0-88
    kernel-pcmcia-cs-3.1.31-13
    kernel-2.4.20-8
    kernel-2.4.20-31.9

    ps -auxww |grep nobody:
    nobody 2394 0.0 0.0 4244 260 ? S Mar29 0:00 proftpd: (accepting connections)
    nobody 2549 0.0 0.9 15716 5120 ? S Mar29 0:06 /usr/local/apache/bin/httpd -DSSL
    nobody 2550 0.0 0.9 15680 5076 ? S Mar29 0:03 /usr/local/apache/bin/httpd -DSSL
    nobody 2551 0.0 1.6 16408 8368 ? S Mar29 0:45 /usr/local/apache/bin/httpd -DSSL
    nobody 2552 0.0 1.5 15808 7804 ? S Mar29 0:41 /usr/local/apache/bin/httpd -DSSL
    nobody 2553 0.0 1.3 15860 6888 ? S Mar29 0:55 /usr/local/apache/bin/httpd -DSSL
    nobody 2802 0.0 1.3 15340 6764 ? S Mar29 0:39 /usr/local/apache/bin/httpd -DSSL
    nobody 2823 0.0 0.0 3348 4 ? S Mar29 0:00 entropychat
    nobody 2828 0.0 0.0 1600 4 ? S Mar29 0:00 /usr/local/cpanel/bin/startmelange
    nobody 3019 0.0 1.2 15760 6404 ? S Mar29 0:32 /usr/local/apache/bin/httpd -DSSL
    nobody 3020 0.0 1.5 15708 7996 ? S Mar29 0:52 /usr/local/apache/bin/httpd -DSSL
    nobody 3021 0.0 1.4 15780 7604 ? S Mar29 0:37 /usr/local/apache/bin/httpd -DSSL
    nobody 3044 0.0 1.2 15288 6268 ? S Mar29 0:32 /usr/local/apache/bin/httpd -DSSL
    nobody 7643 0.0 0.0 0 0 ? Z Mar30 0:00 [sh <defunct>]
    nobody 7649 87.4 0.4 7212 2260 ? R Mar30 1560:57 /usr/sbin/httpd
    nobody 8923 0.0 1.4 15064 7308 ? S Mar30 0:20 /usr/local/apache/bin/httpd -DSSL
    nobody 8925 0.0 1.4 16244 7212 ? S Mar30 0:48 /usr/local/apache/bin/httpd -DSSL
    nobody 23083 0.0 0.0 0 0 ? Z 03:32 0:00 [sh <defunct>]
    nobody 23087 0.4 0.3 6908 1948 ? S 03:32 1:23 /usr/sbin/httpd
    nobody 23088 0.4 0.5 7816 2576 ? S 03:32 1:23 /usr/sbin/httpd
    nobody 26631 0.0 0.3 4464 1600 ? SL 09:16 0:00 proftpd: connected: 127.0.0.1 (127.0.0.1:58676)
    root 26644 0.0 0.1 4448 632 pts/1 S 09:17 0:00 grep nobody
     
  2. chirpy

    chirpy Well-Known Member

    Two things:

    1. You should really enable SUEXEC if it isn't already in WHM

    2. If it is, it could easily be an exploited PHP script running a perl script for sending out spam.

    3. To find out what it is doing, either hit the c button when in top to see the command, or do:

    ps axf | grep PID

    replacing PID with the pid of the process. Or have a look in:

    cat /proc/PID/*

    4. Make sure that if you have any phpBB installations that they are all on v2.0.13
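    The checks chirpy lists above (top's c key, ps axf, the files under /proc/PID) can be wrapped into a small helper that also tests for the exact oddity in the original post: top reports the process as "perl" while ps reports it as /usr/sbin/httpd. This is an added example, not code from the thread or from cPanel, and it assumes a Linux /proc that has /proc/PID/comm (kernel 2.6.33 and later; the poster's 2.4 kernel did not have that file).

```sh
#!/bin/sh
# Added example, not from the thread: compare the three names a process
# carries and flag the case where they disagree.
#   comm  - the kernel's own name for the task (what top displays)
#   argv0 - first element of the command line (what ps displays; the
#           process itself can set this to any string it likes)
#   exe   - the binary actually mapped as the executable (/proc/PID/exe)
# Assumes /proc/PID/comm exists (Linux 2.6.33+).

# classify_proc COMM ARGV0 EXE
# Prints "ok" when argv0 agrees with comm or with exe, "suspect" otherwise.
# Names are trimmed to the 15 characters comm keeps, and a leading "-" on
# argv0 (login shells) is ignored so that "-bash" still matches "bash".
classify_proc() {
    comm=$(printf '%s' "$1" | cut -c1-15)
    argv0=${2##*/}; argv0=${argv0#-}
    argv0=$(printf '%s' "$argv0" | cut -c1-15)
    exe=${3##*/}
    exe=$(printf '%s' "$exe" | cut -c1-15)
    if [ "$comm" = "$argv0" ] || [ "$exe" = "$argv0" ]; then
        echo ok
    else
        echo suspect
    fi
}

# inspect_pid PID
# Read comm, argv0, exe and cwd for one PID from /proc and classify it.
# Run as root so /proc/PID/exe of another user's process is readable.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 2; }
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" | head -n 1)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo unknown)
    echo "pid=$pid comm=$comm argv0=$argv0 exe=$exe cwd=$cwd"
    echo "verdict=$(classify_proc "$comm" "$argv0" "$exe")"
}

# scan_user_procs [USER]
# Walk every process owned by USER (default: nobody) and print the suspect
# ones, one per line.
scan_user_procs() {
    user=${1:-nobody}
    for pid in $(ps -u "$user" -o pid= 2>/dev/null); do
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" 2>/dev/null | head -n 1)
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
        [ "$(classify_proc "$comm" "$argv0" "$exe")" = suspect ] && \
            echo "suspect pid=$pid comm=$comm argv0=$argv0 exe=$exe"
    done
    return 0
}

# Usage:  inspect_pid 7649      or      scan_user_procs nobody
```

    With the values from the first post (comm "perl", argv0 "/usr/sbin/httpd"), classify_proc answers "suspect" regardless of what /proc/PID/exe resolves to, because nothing a legitimate httpd does makes the kernel call it perl. cwd is printed because a process started from /tmp or /dev/shm is the other tell-tale sign raised later in this thread.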
     
  3. SeanLee

    SeanLee Well-Known Member

    I've done this, and it says it's "/usr/sbin/httpd"
    Is this a valid cpanel bin???

    *edit*
    grrr... /usr/sbin/httpd is just a sym link to /usr/local/apache/bin/apachectl*

    Also, looks like most people are running phpbb 2.0.10 - how would I upgrade everyone's phpbb? Everyone is using the phpbb offered in their cPanel home page.
     
    #3 SeanLee, Mar 31, 2005
    Last edited: Mar 31, 2005
  4. chirpy

    chirpy Well-Known Member

    As I asked before, do you have SUEXEC enabled on the server? If not, you should do so.

    You can upgrade phpBB installations by making sure that you're on the RELEASE tree or better, then install the Addon Module "Addon Script Manager" and use that to force update all your phpBB installations.

    To find out what files a process is using you could do:

    lsof | grep PID

    From which you might be able to determine the cause.
     
  5. SeanLee

    SeanLee Well-Known Member

    Yes, suexec has always been enabled.
     
  6. haze

    haze Well-Known Member

    5. Update your distro ( or kernel at the very very EXTREME least ).
     
  7. bjarne

    bjarne Well-Known Member

    I suggest you start using safe_mode, especially if some nobody processes puzzle you and you don't really know what to do.

    Safe mode, which can be enabled in /usr/local/lib/php.ini, will prevent dangerous things from being done by PHP, like running shell commands and basically tearing down your server.
    We have been trying to avoid safe_mode for a long time now, but better to put it on, and enable it in httpd.conf for selected clients, than risk the work of replacing servers because of hacking.
     
  8. chirpy

    chirpy Well-Known Member

    safe_mode is handy to slow people down. However, it won't stop them if they're determined enough, since safe_mode is easily bypassed by calling an uploaded perl script, which is what a great many of the php exploits do.
     
  9. carock

    carock Well-Known Member

    Is it REALLY necessary to allow user nobody to execute /usr/sbin/httpd ???

    This would stop that exploit altogether. I've been fighting these attacks for over a year now. It's a real pain in the ass that a stupid perl script can execute a system daemon....

    isn't it?

    Chuck
     
  10. cPDan

    cPDan cPanel Staff
    Staff Member

    It's running as "nobody" but isn't starting and stopping apache as "nobody". If suexec is enabled then the culprit is PHP, which has to run as nobody (and incidentally requires much more insecure permissions to work).

    You'd be best off running PHP under phpSUExec so that PHP is not running as nobody but as the user, and of course securing your tmp directory with /scripts/securetmp.

    HTH :)
     
  11. Curious Too

    Curious Too Well-Known Member

    This is an exploit, I had the same thing running on one of my servers. Check your /tmp or /dev/shm directories for suspect files.
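    Curious Too's advice to look through /tmp and /dev/shm can be turned into a read-only sweep that reports the entries worth a second look: executable files, files that start with a "#!" interpreter line, and hidden files or directories. This is an added example, not code from the thread or from cPanel; it assumes GNU findutils and coreutils (find -xdev and stat -c %U) and only reports, leaving the decision about each hit to the administrator.

```sh
#!/bin/sh
# Added example, not from the thread: sweep a world-writable directory such
# as /tmp or /dev/shm for files that rarely belong there on a web server.
# Assumes GNU find and stat (the -xdev and -c %U options).

# sweep_tmp DIR
# Prints one line per hit in the form "reason<TAB>owner<TAB>path", where
# reason is one of: hidden, executable, script. Regular files only (plus
# hidden directories), and never crosses onto another filesystem.
sweep_tmp() {
    dir=$1
    [ -d "$dir" ] || return 2
    find "$dir" -xdev \( -type f -o -type d \) 2>/dev/null | while IFS= read -r path; do
        [ "$path" = "$dir" ] && continue
        owner=$(stat -c %U "$path" 2>/dev/null || echo '?')
        name=${path##*/}
        case "$name" in
            .*) printf 'hidden\t%s\t%s\n' "$owner" "$path"; continue ;;
        esac
        [ -f "$path" ] || continue
        if [ -x "$path" ]; then
            printf 'executable\t%s\t%s\n' "$owner" "$path"
        elif [ "$(head -c 2 "$path" 2>/dev/null)" = '#!' ]; then
            printf 'script\t%s\t%s\n' "$owner" "$path"
        fi
    done
    return 0
}

# sweep_count DIR
# Number of hits, handy for a cron job that only mails when it is non-zero.
sweep_count() {
    sweep_tmp "$1" | wc -l | tr -d ' '
}

# Usage:  sweep_tmp /tmp; sweep_tmp /dev/shm
```

    Files listed as "script" are the interesting ones for this thread's symptom: a perl script parked in /tmp does not need the execute bit, since the attacker runs it as an argument to the interpreter, which is also why mounting /tmp noexec (what /scripts/securetmp sets up) slows such scripts down but does not stop them on its own.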
     