
user nobody causing ridiculous CPU usage

Discussion in 'General Discussion' started by tnndotnet, Mar 13, 2006.

  1. tnndotnet

    Hey,

    I've posted this on webhostingtalk and I tried searching the forums and found things similar to my problem, but I did not see a definite resolution and I am quite concerned.

    The people on webhostingtalk said I should chmod files and all this, and I don't want to do this because I don't want to mess cPanel up at all. Ever.

    Something is happening randomly during the day that the Process owner 'nobody' is using up to 40.36 CPU, which seems insanely insane!

    The server comes to a crawl and I cannot do anything, accessing shell is a task to do.

    The process that keeps on shooting thru the roof is /usr/sbin/proftpd

    I use pure-ftpd on this server, so I don't understand why that is coming into play.

    I also noticed this morning a sh command being executed that was doing a wget to a lol.txt file.

    So I am quite concerned, and have no idea what to do. I can't keep killing processes just to keep my server up for an hour or two. Is there anything I can do that won't mess up my cPanel installation?

    The problem is not happening right now, it happened like 10 minutes ago, and I killed all the processes from 'nobody' just to get my server somewhat stable again.

    I read about files in the /tmp file being exploits maybe. And in that sh command (that was doing the wget to lol.txt), I saw a file which was located in /tmp named alekshah

    I am quite concerned.

    Any advice would be much appreciated.

    I am running Fedora Core 4 using: WHM 10.8.0 cPanel 10.8.1-R113

    Thanks in advance,

    Daniel Kelly
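
The first post reports a process shown as /usr/sbin/proftpd on a server that runs pure-ftpd. The name that ps and top display comes from argv[0], which a process can set itself, so a useful triage step is to compare it with the real binary behind /proc/<pid>/exe. The script below is an added example, not part of the thread; the function names, uid 99 and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added triage example, not from the thread.
# suspicious_procs <uid> [proc_root]: for one user's processes, report a
# binary in a world-writable dir, a deleted binary, or a claimed name
# (argv[0]) that differs from the real executable. Run as root on a live
# system so other users' exe links are readable.
suspicious_procs() {
    local uid="$1" root="${2:-/proc}" dir exe exe_path argv0 real why
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        # third field of the Uid: line is the effective uid
        [ "$(awk '/^Uid:/ {print $3}' "$dir/status" 2>/dev/null)" = "$uid" ] || continue
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        exe_path="${exe% (deleted)}"
        # cmdline is NUL-separated; the first field is argv[0]
        argv0="$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)"
        why=""
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) why="runs from world-writable dir" ;;
        esac
        case "$exe" in
            *" (deleted)") why="${why:+$why; }binary deleted from disk" ;;
        esac
        case "$argv0" in
            /*) # absolute claimed path: accept it raw or with symlinks resolved
                real="$(readlink -f "$argv0" 2>/dev/null)" || real="$argv0"
                [ "$argv0" = "$exe_path" ] || [ "$real" = "$exe_path" ] ||
                    why="${why:+$why; }claims to be $argv0" ;;
        esac
        if [ -n "$why" ]; then printf '%s\t%s\t%s\n' "${dir##*/}" "$exe" "$why"; fi
    done
    return 0
}

# Constructed sample /proc tree (uid 99 and every entry are made up for the demo).
make_sample_proc() {
    local root="$1"
    add() { # add <pid> <uid> <exe target> <argv0>
        mkdir -p "$root/$1"
        printf 'Name:\tx\nUid:\t%s\t%s\t%s\t%s\n' "$2" "$2" "$2" "$2" > "$root/$1/status"
        ln -s "$3" "$root/$1/exe"
        printf '%s\0-D\0' "$4" > "$root/$1/cmdline"
    }
    add 101 99 /usr/bin/perl /usr/sbin/proftpd     # interpreter under a borrowed name
    add 102 99 '/tmp/alekshah (deleted)' alekshah  # ran from /tmp, file since removed
    add 103 99 /usr/sbin/httpd /usr/sbin/httpd     # ordinary worker, not reported
    add 104 0  /usr/bin/perl /usr/sbin/proftpd     # different uid, skipped
}
```

On a live server, call `suspicious_procs "$(id -u nobody)"` as root before killing anything, so the real binary paths and PIDs are recorded first.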
     
  2. WestBend

    You need to get someone into your server.

    Via ssh, type:

    more alekshah

    You also need to execute the following commands, since ftp is causing you grief:

    find / -name "*.rar" -print
    find / -name "*.zip" -print
    find / -name "*.nfo" -print

    This will help you locate any warez dumps on your box just in case.


    The rest... I would suggest www.configservers.com to secure your box and help further.
    Money well spent for peace of mind.
    I use them.
     
  3. AndyReed

    Since you tried different possible solutions without much success, did you search these forums for a possible solution? If none worked, it is really hard to say without looking into your box.
     
    #3 AndyReed, Mar 14, 2006
    Last edited: Mar 14, 2006
  4. tnndotnet

    I actually tried to disable the nobody option in the settings.

    It has not given me an issue as of last night.

    I also deleted all alekshah files I found, they were in my /tmp directory.

    I mean, it is a good idea to do the server hardening, but the fact remains that I would like to be able to resolve security issues with the machine itself, but I am still in need of help here. It is an interesting dilemma.

    I just think there is some sort of exploit... does cPanel accept tickets to fix this? I was told to just install cPanel on a blank server install, I didn't install selinux or anything. Would this be a problem? And does cPanel fix these issues?

    Thanks,

    Dan
     
  5. AndyReed

    The issue you have in hand is not cPanel related for cPanel engineers to look into your server. Have you installed Mod Security, Mod Evasive, and other security applications? There are many threads that discuss security issues and how to harden your server. Hope this helps!
     