Tracing high cpu process ID

Discussion in 'General Discussion' started by kernow, Oct 15, 2017.

  1. kernow

    kernow Well-Known Member

    I am trying to trace the source of a command (./cache.sh) a user is running, as it's using 200% CPU.
    'top' just shows the command, not what's calling it:
    Code:
       PID    USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                                                                                                   
     787626 xxxxxxxx  39  19  382m 5616 1108 S 200.4  0.0  39:39.48 ./cache.sh 
    Strace gives me nothing readable I can understand on the PID:
    Code:
    strace -p 787626   
    Process 787626 attached
    restart_syscall(<... resuming interrupted call ...>) = 0
    open("kill", O_RDONLY)                  = -1 ENOENT (No such file or directory)
    nanosleep({0, 17000000}, 0x7fff2a6457b0) = 0
    open("kill", O_RDONLY)                  = -1 ENOENT (No such file or directory)
    nanosleep({0, 170000000}, 0x7fff2a6457b0) = 0
    open("kill", O_RDONLY)                  = -1 ENOENT (No such file or directory)
    nanosleep({0, 6000000}, 0x7fff2a6457b0) = 0
    open("kill", O_RDONLY)                  = -1 ENOENT (No such file or directory)
    nanosleep({0, 180000000}, 0x7fff2a6457b0) = 0
    open("kill", O_RDONLY)                  = -1 ENOENT (No such file or directory)
    nanosleep({0, 2000000}, 0x7fff2a6457b0) = 0
    open("kill", O_RDONLY)                  = -1 ENOENT (No such file or directory)
    nanosleep({0, 176000000}, 0x7fff2a6457b0) = 0
    open("kill", O_RDONLY)                  = -1 ENOENT (No such file or directory
    Code:
    strace -c -p 787626
    Process 787626 attached
    ^CProcess 787626 detached
    % time     seconds  usecs/call     calls    errors syscall
    ------ ----------- ----------- --------- --------- ----------------
    100.00    0.012998         137        95           nanosleep
      0.00    0.000000           0        96        96 open
      0.00    0.000000           0         1           restart_syscall
    Any other ideas I could try please?
     
  2. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Hi,

    Did you verify there is no parent process? You could do this with `ps auxwwwf' or `ps -o ppid= -p $pid|xargs -I {} ps -p {}'. I'd also check if this was run by the user's cron, via `/var/log/cron' or `crontab -lu $user'. You may also check the user's `.bash_history'; however, this won't be updated until they've logged out of their current session.

    Running `lsof -np $pid' should also tell you the CWD (current working directory) of the script.

    Thanks,
     
  3. kernow

    kernow Well-Known Member

    Hi, thanks for the reply. Not much luck so far.
    `ps auxwwwf' doesn't say more than 'top' does:
    Code:
    username  708475  198  0.0 391260  5724 ?        SNl  08:18 939:06 ./cache.sh
    The user has no cron jobs and no bash history. The shell is 'jailshell'.
    `lsof -np $pid' says the CWD is /home/user/tmp, but the only contents are the usual stats directories.
    Code:
    ls -a
    ./  ../  analog/  awstats/  cpbandwidth/  logaholic/  webalizer/  webalizerftp
    Other info from that command I'm not sure how to interpret:
    Code:
    COMMAND     PID     USER   FD   TYPE             DEVICE  SIZE/OFF      NODE NAME
    cache.sh 708475 username  cwd    DIR                9,2      4096  17064158 /home/username/tmp
    cache.sh 708475 username  rtd    DIR                9,7      4096    529789 /
    cache.sh 708475 username  txt    REG                9,2   1434496  17057782  (deleted)/home/username/tmp/cache.sh
    cache.sh 708475  username mem    REG                9,1   1924768    286822 /lib64/libc-2.12.so
    cache.sh 708475  username mem    REG                9,1    596864    287058 /lib64/libm-2.12.so
    cache.sh 708475 username  mem    REG                9,1     44472    287112 /lib64/librt-2.12.so
    cache.sh 708475  username mem    REG                9,1    143280    287101 /lib64/libpthread-2.12.so
    cache.sh 708475  username mem    REG                9,1    159312    286733 /lib64/ld-2.12.so
    cache.sh 708475  username   0r   CHR                1,3       0t0    530441 /dev/null
    cache.sh 708475  username  1w   CHR                1,3       0t0    530441 /dev/null
    cache.sh 708475 username    2w   REG                9,6 316063411   3934381  (deleted)/var/log/apache2/error_log.bkup
    cache.sh 708475  username   3u   REG                9,2         0  17057766  (deleted)/tmp/ZCUDEhT43K
    cache.sh 708475   username  4u  IPv4          564620419       0t0       TCP XXXXXXXX:36491->139.162.196.236:http (ESTABLISHED)
    cache.sh 708475  username   6u   CHR                1,3       0t0    530441 /dev/null
    cache.sh 708475   username 7u  unix 0xffff880de4810100       0t0 564620406 /var/run/mod_lsapi/lsapi_application-x-httpd-ea-php56___lsphp_909_domain.tv.sock
    cache.sh 708475 username 1744w   REG                9,6   5319505   3933830 /var/log/apache2/sulsphp_log
     
  4. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    You may want to reach out to your host or system administrator to check further. You can open a ticket with us, but we mainly offer support with cPanel-related issues, although we will perform a basic investigation as a courtesy.

    The `lsof' command just checks the process's file descriptors or "open files". The Apache connection, as well as the lsphp socket, is concerning. PHP generally shouldn't be executing bash scripts. If this user hasn't logged in, has no cron jobs, and this process continually reappears, I would check PHP requests in the domain logs around the time the process started, as well as any persistent processes under the same username. You may also check for requests made from the IP referenced in the `lsof' output.
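
The checks suggested in this thread (parent process, deleted executable, descriptors inherited from the web server) can be read straight from /proc. The following is an added example, not code posted by anyone in the thread; the function names and the PROC_ROOT variable are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added triage helpers, not from the thread. PROC_ROOT is an assumption of this
# example: it lets the functions run against a copied or constructed /proc tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Read one field from /proc/<pid>/status. This avoids parsing /proc/<pid>/stat,
# whose command-name field may itself contain spaces and parentheses.
status_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$PROC_ROOT/$1/status" 2>/dev/null
}

# Print the ancestry as "pid:name" pairs, child first. A chain that goes from
# the target straight to PID 1 means the original parent exited (reparenting).
ancestry() {
    local pid="$1" chain=""
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -r "$PROC_ROOT/$pid/status" ]; do
        chain="${chain:+$chain <- }$pid:$(status_field "$pid" Name)"
        pid=$(status_field "$pid" PPid)
    done
    printf '%s\n' "$chain"
}

# Succeed when the file backing the running program has been unlinked, which
# is what lsof reports as "(deleted)" on the txt line.
exe_deleted() {
    case "$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null)" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# List open descriptors whose target starts with a path prefix, e.g. the web
# server's log directory: handles a child inherits from whatever spawned it.
fds_under() {
    local pid="$1" prefix="$2" fd target
    for fd in "$PROC_ROOT/$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            "$prefix"*) printf '%s %s\n' "${fd##*/}" "$target" ;;
        esac
    done
}

# With a PID argument (run as root for other users' processes), print a summary.
if [ -n "${1:-}" ]; then
    echo "ancestry: $(ancestry "$1")"
    exe_deleted "$1" && echo "exe: unlinked, still readable via $PROC_ROOT/$1/exe"
    fds_under "$1" /var/log/apache2/
fi
```

While the process is running, the kernel keeps an unlinked executable readable through /proc/<pid>/exe, so copying that path before killing the process preserves the binary for analysis.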
     
  5. kernow

    kernow Well-Known Member

    Thanks for your suggestions, appreciated.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You may want to review the account's home directory to see if a file matching that name exists, and if so, review the contents of the file to determine its purpose.

    Thank you.
     