Unknown Processes within cPanel!!!
I'm noticing very strange processes in user's cPanel accounts which also cause spikes in resource usage. The process manager traces the following output:
[QUOTE]strace: Process 3200637 attached
select(5, [4], NULL, NULL, {tv_sec=0, tv_usec=564965}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
munmap(0x2ad86cb8b000, 4096) = 0
select(5, [4], NULL, NULL, {tv_sec=1, tv_usec=0}) = 0 (Timeout)
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ad86cb8b000
read(6, "MemTotal: 61678592 kB\nMemF"..., 1024) = 1024
close(6) = 0
I'll appreciate your guidance in this regard.
I'll appreciate your guidance in this regard.
-
Could you also attach the output of ps aux with the name of the suspicious process(es) you see? 0 -
Pid Owner Priority CPU % Memory % Command 3329173 (Trace) (Kill) cPanel User 0 5.69 0.03 lsphp 3329136 (Trace) (Kill) cPanel User 0 0.85 0.03 lsphp 3329131 (Trace) (Kill) cPanel User 0 0.69 0.03 lsphp 0 -
LSPHP aka ListeSpeedPHP is a system process used to handle PHP requests of the websites. You see spikes when the traffic is high and this is absolutely normal. 0 -
None of that looks odd to me either. I think your initial strace just happened to be getting the portion of the command that was looking at the meminfo file, but that wasn't actually the root command that was running. It's normal to see multiple lsphp processes running on the machine, and each one can take up some CPU power while it processes. 0
Please sign in to leave a comment.
Comments
4 comments