server overload with user nobody

Discussion in 'General Discussion' started by wekke, Jan 9, 2005.

  1. wekke

    hi,

    I have a big problem with the server load at the moment.
    The user nobody is running a lot of the same process:

    12007 nobody 0 3.6 0.3 /usr/local/apache/bin/httpd -DSSL
    12019 nobody 0 3.6 0.3 /usr/local/apache/bin/httpd -DSSL
    12125 nobody 0 3.5 0.3 /usr/local/apache/bin/httpd -DSSL
    12142 nobody 0 3.5 0.3 /usr/local/apache/bin/httpd -DSSL
    12305 nobody 0 3.5 0.3 /usr/local/apache/bin/httpd -DSSL
    12378 nobody 0 3.5 0.3 /usr/local/apache/bin/httpd -DSSL
    11516 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    11555 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    11589 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    11656 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    11773 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    11798 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    11811 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    11902 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    12157 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    12251 nobody 0 3.3 0.3 /usr/local/apache/bin/httpd -DSSL
    12273 nobody 0 3.1 0.3 /usr/local/apache/bin/httpd -DSSL
    11601 nobody 0 2.9 0.3 /usr/local/apache/bin/httpd -DSSL
    12105 nobody 0 2.9 0.3 /usr/local/apache/bin/httpd -DSSL
    12048 nobody 0 2.8 0.3 /usr/local/apache/bin/httpd -DSSL
    11792 nobody 0 2.6 1.0 /usr/local/apache/bin/httpd - D5SL
    12301 nobody 0 1.4 0.6 /usr/local/apache/bin/httpd - D5SL

    Is there a way I can prevent the user nobody from running this process?
    If I kill all processes owned by user nobody, the server load will be back to normal, but after 5 minutes all the processes will come back up, run by this user.
     
  2. Blue|Fusion

    The httpd processes run by nobody are your Apache webserver. The more users you have connected, the more processes and the more CPU required.
     
  3. philb

    The last two are not apache processes. They're the wrong size and it says -D5SL not -DSSL - you've got a worm that installed itself (most likely via an outdated version of phpbb) on your system and is attempting to disguise itself as apache processes.

    phpsuexec stops things like this being so hard to spot. Stop apache and you'll see there's some processes still running that look like apache. kill them all off, and then start hunting through your box to find out of date phpbb installations.

    You may well find there's a number of worm processes that have -DSSL in as well - whatever's still running that claims to be apache after you've stopped it, kill it off. You'll need to be relatively quick about this because chkserv will restart apache after a short while.
     
  4. wekke

    After a search I found out that the ssh.D.Worm is on the server and running all these processes, so I chmodded wget to 700 for now and the server load is back to normal.
     
  5. philb

    Glad to hear it.

    I recommend you try and find out how it's getting in to your box as there's many ways other than wget which can get worms like that onto your machine so preventing the use of wget will only shore things up for a little while :)
     
  6. SACHIN


    How did you find ssh.d.worm?

    Hello

    I have the same problem. How did you find the worm?
    Please provide me the steps for a solution...


    I have the same problem: user = nobody and process - -DSSL

    :confused:
     
  7. philb

    /etc/init.d/httpd stop

    ps auxw

    If there are no httpd processes left, there's likely no worm. If you're still seeing some left using a lot of CPU, you probably have the worm. You'll need to find out how they're getting into the machine, but to lower the load in the interim just kill off all the processes that are still running.

    then /etc/init.d/httpd start afterwards to bring apache back up.
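
The check philb describes in this thread (processes that still claim to be Apache but are not), written as a script. This is an added example, not part of any post. It goes one step beyond the thread by comparing each process's `/proc/PID/exe` link with the real binary, so it also works while Apache is running. The `APACHE_BIN` default is an assumption taken from the path in the listing above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list processes whose argv says "httpd" but whose binary is not Apache.
# Assumption: the genuine binary is the path shown in the listing above.
APACHE_BIN="${APACHE_BIN:-/usr/local/apache/bin/httpd}"

# classify_proc EXE CMDLINE -> prints ok | suspect | unrelated
#   EXE     target of /proc/PID/exe (the file the kernel actually executed)
#   CMDLINE argv joined with spaces (what ps and top display)
classify_proc() {
    exe=$1
    cmdline=$2
    case ${cmdline%% *} in
        httpd|*/httpd) ;;              # argv[0] claims to be Apache
        *) echo unrelated; return 0 ;;
    esac
    # A process can overwrite its own argv, but not its exe link.
    # An unlinked binary shows up here with a " (deleted)" suffix.
    if [ "$exe" = "$APACHE_BIN" ]; then echo ok; else echo suspect; fi
}

# scan_proc [PROC_ROOT] -> prints "PID EXE CMDLINE" for each suspect
# Run as root: other users' exe links are unreadable otherwise.
scan_proc() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        cmdline=$(tr '\0' ' ' < "$dir/cmdline")
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe="(unreadable)"
        if [ "$(classify_proc "$exe" "$cmdline")" = suspect ]; then
            echo "${dir##*/} $exe $cmdline"
        fi
    done
    return 0
}

scan_proc "$@"
```

Record the PID and exe path of anything it prints before killing it: the path points at where the dropped file lives, which helps when tracing how it got onto the machine.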
     
  8. SACHIN


    Another problem

    I have stopped httpd and checked the following:

    ps auxww |grep httpd
    root 32039 0.0 0.1 5112 604 pts/2 R 11:29 0:00 grep httpd

    It is fine. When I started the httpd service
    I am getting the following result...
    32094 nobody 16 0 14432 7464 3704 S 17.5 1.5 0:00.55 httpd
    Many nobody users with max CPU usage..
    What is the solution... I am unable to get any website; the server is too slow...

    I have run the latest update too.. no use...
    Should I update Apache with EasyApache?
    Will it fix it?
    Or do you have any other idea?

    :confused:
     