Problem with httpd process

Discussion in 'General Discussion' started by mohakevin, Oct 4, 2005.

  1. mohakevin

    mohakevin, Well-Known Member (Joined: Jan 19, 2005; Messages: 84; Likes Received: 0; Trophy Points: 6)

    We have this problem on some servers.

    There is a httpd process that seems blocked and it consumes a lot of CPU.

    #ps auxf:

    nobody 3412 90.5 0.0 22640 564 ? R Sep27 9036:56 \_ /usr/local/apache/bin/httpd -DSSL

    I don't understand why it happens. Can somebody help us?

    When I go to the process directory, we can see:

    /proc/3412]# l
    total 0
    dr-xr-xr-x 3 nobody nobody 0 Oct 4 18:32 ./
    dr-xr-xr-x 258 root root 0 Sep 2 20:28 ../
    -r--r--r-- 1 root root 0 Oct 4 18:59 cmdline
    lrwxrwxrwx 1 root root 0 Oct 4 18:59 cwd -> /home/mundoele/public_html/
    -r-------- 1 root root 0 Oct 4 18:59 environ
    lrwxrwxrwx 1 root root 0 Oct 4 18:59 exe -> /usr/local/apache/bin/httpd*
    dr-x------ 2 root root 0 Oct 4 18:59 fd/
    -r-------- 1 root root 0 Oct 4 18:59 maps
    -rw------- 1 root root 0 Oct 4 18:59 mem
    -r--r--r-- 1 root root 0 Oct 4 18:59 mounts
    lrwxrwxrwx 1 root root 0 Oct 4 18:59 root -> //
    -r--r--r-- 1 root root 0 Oct 4 18:59 stat
    -r--r--r-- 1 root root 0 Oct 4 18:59 statm
    -r--r--r-- 1 root root 0 Oct 4 18:59 status


    Is the user mundoele related?

    Thanks in advance.
     
  2. mohakevin

    Nobody?

    Regards
     
  3. chirpy

    chirpy, Well-Known Member (Joined: Jun 15, 2002; Messages: 13,475; Likes Received: 20; Trophy Points: 38; Location: Go on, have a guess)

    Could be an exploit, try running:

    lsof -p PID

    Where PID is the pid of the process in question. Carefully look through the open files and you should be able to see what script is being run.
     
  4. mohakevin

    There are a lot of files open!:

    lsof -p 9891 | wc -l
    1163


    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    httpd 9891 nobody cwd DIR 8,1 4096 1819883 /home/oristel/public_html/quefuerte
    httpd 9891 nobody rtd DIR 8,1 4096 2 /
    httpd 9891 nobody txt REG 8,1 657866 2949709 /usr/local/apache/bin/httpd
    httpd 9891 nobody mem DEL 0,4 32768 /SYSV00000000
    httpd 9891 nobody mem REG 8,1 32148976 2981892 /usr/lib/locale/locale-archive
    httpd 9891 nobody mem REG 8,1 53392 311332 /usr/X11R6/lib/libXext.so.6.4
    httpd 9891 nobody mem REG 8,1 18632 458783 /lib/libnss_dns-2.3.2.so
    httpd 9891 nobody mem REG 8,1 51952 458877 /lib/libnss_files-2.3.2.so
    httpd 9891 nobody mem REG 8,1 32408 458852 /lib/libgcc_s-3.2.3-20040701.so.1
    httpd 9891 nobody mem REG 8,1 91040 458770 /lib/libnsl-2.3.2.so
    httpd 9891 nobody mem REG 8,1 121028 1163368 /usr/lib/libjpeg.so.62.0.0
    httpd 9891 nobody mem REG 8,1 139952 1163404 /usr/lib/libpng12.so.0.1.2.2
    httpd 9891 nobody mem REG 8,1 59676 311348 /usr/X11R6/lib/libXpm.so.4.11
    httpd 9891 nobody mem REG 8,1 907696 311322 /usr/X11R6/lib/libX11.so.6.2
    httpd 9891 nobody mem REG 8,1 1035798 1163395 /usr/lib/libfreetype.so.6.3.3
    httpd 9891 nobody mem REG 8,1 251559 1163352 /usr/lib/libmysqlclient.so.12.0.0
    httpd 9891 nobody mem REG 8,1 709488 1163462 /usr/lib/libstdc++.so.5.0.3
    httpd 9891 nobody mem REG 8,1 7857 3031904 /usr/local/apache/libexec/mod_auth_passthrough.so
    httpd 9891 nobody mem REG 8,1 8026 3031902 /usr/local/apache/libexec/mod_log_bytes.so
    httpd 9891 nobody mem REG 8,1 7741 3031901 /usr/local/apache/libexec/mod_bwlimited.so
    httpd 9891 nobody mem REG 8,1 3947713 3031242 /usr/local/apache/libexec/libphp4.so
    httpd 9891 nobody mem REG 8,1 59459 3031249 /usr/local/apache/libexec/mod_rewrite.so
    httpd 9891 nobody mem REG 8,1 52584 1163317 /usr/lib/libz.so.1.1.4
    httpd 9891 nobody mem REG 8,1 76540 458798 /lib/libresolv-2.3.2.so
    httpd 9891 nobody mem REG 8,1 72552 7897310 /usr/kerberos/lib/libk5crypto.so.3.0
    httpd 9891 nobody mem REG 8,1 5540 7897319 /usr/kerberos/lib/libcom_err.so.3.0
    httpd 9891 nobody mem REG 8,1 385252 7897109 /usr/kerberos/lib/libkrb5.so.3.1
    httpd 9891 nobody mem REG 8,1 76712 7897095 /usr/kerberos/lib/libgssapi_krb5.so.2.2
    httpd 9891 nobody mem REG 8,1 1571824 2687126 /lib/tls/libc-2.3.2.so
    httpd 9891 nobody mem REG 8,1 14868 458929 /lib/libdl-2.3.2.so
    httpd 9891 nobody mem REG 8,1 241464 1163272 /usr/lib/libexpat.so.0.4.0
    httpd 9891 nobody mem REG 8,1 976284 458883 /lib/libcrypto.so.0.9.7a
    httpd 9891 nobody mem REG 8,1 211908 458925 /lib/libssl.so.0.9.7a
    httpd 9891 nobody mem REG 8,1 22504 1163283 /usr/lib/libgdbm.so.2.0.0
    httpd 9891 nobody mem REG 8,1 23388 458764 /lib/libcrypt-2.3.2.so
    httpd 9891 nobody mem REG 8,1 213508 2687116 /lib/tls/libm-2.3.2.so
    httpd 9891 nobody mem REG 8,1 21436 2375872 /usr/lib/gconv/gconv-modules.cache
    httpd 9891 nobody mem REG 8,1 106912 458768 /lib/ld-2.3.2.so
    httpd 9891 nobody 0r CHR 1,3 34287 /dev/null
    httpd 9891 nobody 1w CHR 1,3 34287 /dev/null
    httpd 9891 nobody 2w REG 8,1 277156712 7422077 /usr/local/apache/logs/error_log
    httpd 9891 nobody 3u sock 0,0 36983549 can't identify protocol
    httpd 9891 nobody 4u unix 0xd1f65400 36931080 socket
    httpd 9891 nobody 5u unix 0xc391c080 36751581 socket
    httpd 9891 nobody 15w REG 8,1 277156712 7422077 /usr/local/apache/logs/error_log
    httpd 9891 nobody 16u IPv4 34207130 TCP *:https (LISTEN)
    httpd 9891 nobody 17u IPv4 34207131 TCP *:http (LISTEN)
    httpd 9891 nobody 18w REG 8,1 0 3214843 /usr/local/apache/domlogs/daf.dorjaan.net-bytes_log
    httpd 9891 nobody 19w REG 8,1 0 3214720 /usr/local/apache/domlogs/usa.gabinotravel.com-bytes_log
    httpd 9891 nobody 20w REG 8,1 0 3214214 /usr/local/apache/domlogs/frankpereiro.beisbolreport.com-bytes_log
    httpd 9891 nobody 21w REG 8,1 0 3214689 /usr/local/apache/domlogs/capri.oristel.com-bytes_log
    httpd 9891 nobody 22w REG 8,1 5853 3214776 /usr/local/apache/domlogs/estudioespiral.nu-cine.com-bytes_log
    httpd 9891 nobody 23w REG 8,1 55067 3214753 /usr/local/apache/domlogs/escueladecineonline.nu-cine.com-bytes_log
    httpd 9891 nobody 24w REG 8,1 2110 3214741 /usr/local/apache/domlogs/cortocircuito.nu-cine.com-bytes_log
    httpd 9891 nobody 25w REG 8,1 0 3214731 /usr/local/apache/domlogs/boletin.nu-cine.com-bytes_log
    httpd 9891 nobody 26w REG 8,1 144 3214726 /usr/local/apache/domlogs/asociacion.nu-cine.com-bytes_log
    httpd 9891 nobody 27w REG 8,1 69858 3214723 /usr/local/apache/domlogs/nu-cine.com-bytes_log
    httpd 9891 nobody 28w REG 8,1 0 3214649 /usr/local/apache/domlogs/ntforo.tonimix31.com-bytes

    ***
    ***
    *** (continues)

    I don't think that this can be normal.

    Any idea?


    Thanks very much.
     
  5. chirpy

    From all that, the /home/oristel/public_html/quefuerte is the active file and is what you should check out.
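
Added example, not part of the original thread: a small filter that reduces `lsof -p PID` output for an Apache child to the rows that point at a site or script, dropping the shared libraries, sockets and per-vhost logs that every child holds open. The function names and the last sample row (`/home/exampleuser/...`) are constructed for illustration; the other sample rows are taken from the output posted above.

```shell
#!/usr/bin/env bash
# Triage helper for `lsof -p PID` output of an Apache child process.

# Read lsof output on stdin; print "FD<TAB>NAME" for rows worth a look.
# Limitation: NAME is taken as the last field, so paths with spaces are cut.
triage_lsof() {
  awk '
    $1 == "COMMAND" { next }                 # header row
    {
      fd = $4; name = $NF
      # Libraries, the httpd binary and the root dir are the same for all children.
      if (fd == "mem" || fd == "txt" || fd == "rtd") next
      # Global logs and one log per vhost are open in every child.
      if (name ~ /^\/usr\/local\/apache\/(logs|domlogs)\//) next
      if (name == "/dev/null") next
      # Sockets and pipes have no filesystem path.
      if (name !~ /^\//) next
      print fd "\t" name
    }'
}

# Convenience wrapper for a live process (needs lsof and enough privilege).
triage_pid() {
  lsof -p "$1" 2>/dev/null | triage_lsof
}

# Sample input: rows from the thread plus one constructed row (fd 29r).
sample_lsof() {
  cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 9891 nobody cwd DIR 8,1 4096 1819883 /home/oristel/public_html/quefuerte
httpd 9891 nobody rtd DIR 8,1 4096 2 /
httpd 9891 nobody mem REG 8,1 3947713 3031242 /usr/local/apache/libexec/libphp4.so
httpd 9891 nobody 2w REG 8,1 277156712 7422077 /usr/local/apache/logs/error_log
httpd 9891 nobody 3u sock 0,0 36983549 can't identify protocol
httpd 9891 nobody 16u IPv4 34207130 TCP *:https (LISTEN)
httpd 9891 nobody 18w REG 8,1 0 3214843 /usr/local/apache/domlogs/daf.dorjaan.net-bytes_log
httpd 9891 nobody 29r REG 8,1 1024 999999 /home/exampleuser/public_html/example.php
EOF
}

# Run on the embedded sample when executed directly.
sample_lsof | triage_lsof
```

On a live server, `triage_pid 9891` applies the same filter to the real process; of the 1163 lines in the post above, only the `cwd` row and any files opened under a user's home directory would remain.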
     