Operating System & Version
CLOUDLINUX 7.9 kvm

Ghani8856

Registered
May 29, 2020
4
0
1
United States
cPanel Access Level
Root Administrator
I'm noticing very strange processes in user's cPanel accounts which also cause spikes in resource usage. The process manager traces the following output:

strace: Process 3200637 attached
select(5, [4], NULL, NULL, {tv_sec=0, tv_usec=564965}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0

I'll appreciate your guidance in this regard.
 

Attachments

andrew.n

Well-Known Member
Jun 9, 2020
633
183
43
EU
cPanel Access Level
Root Administrator
Could you also attach the output of ps aux with the name of the suspicious process(es) you see?
 

Ghani8856

Registered
May 29, 2020
4
0
1
United States
cPanel Access Level
Root Administrator
PidOwnerPriorityCPU %Memory %Command
3329173 (Trace) (Kill)cPanel User0
5.69
0.03lsphp
3329136 (Trace) (Kill)cPanel User0
0.85
0.03lsphp
3329131 (Trace) (Kill)cPanel User0
0.69
0.03lsphp

The name of those processes are termed "lsphp"
 

andrew.n

Well-Known Member
Jun 9, 2020
633
183
43
EU
cPanel Access Level
Root Administrator
LSPHP aka ListeSpeedPHP is a system process used to handle PHP requests of the websites. You see spikes when the traffic is high and this is absolutely normal.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,494
1,009
313
cPanel Access Level
Root Administrator
None of that looks odd to me either. I think your initial strace just happened to be getting the portion of the command that was looking at the meminfo file, but that wasn't actually the root command that was running. It's normal to see multiple lsphp processes running on the machine, and each one can take up some CPU power while it processes.