Heavy load on cPanel server

Comments

6 comments

  • techAMIGO
    Hi Elizabeta,

    To begin, use the following commands to identify the processes that are consuming high CPU and memory. That would be the cause of the server's heavy load.

    1. top
    2. htop
    3. nice top -c

    - Click Shift + p to get the processes which are consuming high CPU
    - Click Shift + m to get the processes which are consuming high memory

    Get me a screenshot of those commands so that we can identify the process.

    Regarding FTP, if you're using the proftpd service, the log file will be /var/log/proftpd/proftpd.log
    0
  • Elizabeta
    Hello,

    The load is normal now, but yesterday there was a problem. Screenshot now:

        top - 09:13:29 up 28 days, 1:03, 1 user, load average: 1.82, 0.99, 0.62
        Tasks: 203 total, 3 running, 198 sleeping, 0 stopped, 2 zombie
        %Cpu(s): 50.3 us, 19.1 sy, 0.0 ni, 30.3 id, 0.0 wa, 0.0 hi, 0.2 si, 0.2 st
        KiB Mem : 24513068 total, 6128752 free, 4315644 used, 14068672 buff/cache
        KiB Swap: 8257532 total, 8033276 free, 224256 used. 19224372 avail Mem

        PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
        5143 skolska+ 20 0 292660 100380 9100 S 58.3 0.4 0:01.76 php-cgi
        1 root 20 0 126436 4684 2408 S 4.3 0.0 62:12.78 systemd
        5107 root 20 0 160320 2372 1564 R 1.0 0.0 0:00.05 top
        24691 mysql 20 0 1522180 725280 7704 S 1.0 3.0 216:25.63 mysqld
        28989 cpanels+ 20 0 3099668 717908 7256 S 1.0 2.9 90:50.61 java
        3903 nobody 20 0 241140 16628 2916 S 0.7 0.1 0:00.20 httpd
        5138 root 20 0 0 0 0 Z 0.7 0.0 0:00.02 whostmgrd - ser
        9 root 20 0 0 0 0 R 0.3 0.0 101:01.34 rcu_sched
        717 root 20 0 21536 1148 972 S 0.3 0.0 6:55.92 irqbalance
        2406 root 20 0 204952 19468 4140 S 0.3 0.1 23:36.21 tailwatchd
        2407 root 20 0 190160 12308 3276 S 0.3 0.1 4:51.77 cPhulkd - proce
        2880 wp-tool+ 20 0 389784 32616 7324 S 0.3 0.1 36:13.04 run-script
        4595 root 20 0 167348 6544 5036 S 0.3 0.0 0:00.18 sshd
        4889 skolska+ 20 0 241152 16352 2708 S 0.3 0.1 0:00.03 httpd
        28530 dovecot 20 0 41228 3084 2316 S 0.3 0.0 0:00.95 auth
        2 root 20 0 0 0 0 S 0.0 0.0 0:01.23 kthreadd
        4 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
        6 root 20 0 0 0 0 S 0.0 0.0 0:50.33 ksoftirqd/0
        7 root rt 0 0 0 0 S 0.0 0.0 0:37.88 migration/0
        8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
        10 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain
        11 root rt 0 0 0 0 S 0.0 0.0 0:27.95 watchdog/0
        12 root rt 0 0 0 0 S 0.0 0.0 0:25.62 watchdog/1
        13 root rt 0 0 0 0 S 0.0 0.0 0:37.88 migration/1
        14 root 20 0 0 0 0 S 0.0 0.0 2:27.92 ksoftirqd/1
        16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/1:0H
        18 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
        19 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
        20 root 20 0 0 0 0 S 0.0 0.0 0:00.05 xenwatch
        21 root 20 0 0 0 0 S 0.0 0.0 0:05.75 xenbus
        23 root 20 0 0 0 0 S 0.0 0.0 0:02.23 khungtaskd

    nice top -c, Shift + p:

        5476 igh1 20 0 375800 33360 22908 R 28.0 0.1 0:00.85 /opt/cpanel/ea-php72/root/usr/bin/php-cgi
        5475 root 20 0 0 0 0 Z 1.3 0.0 0:00.04 [cpsrvd (SSL) - ]
        28989 cpanels+ 20 0 3099668 717908 7256 S 1.0 2.9 90:52.05 /usr/lib/jvm/jre-1.8.0/bin/java -server -Xms512m -Xmx512m -XX:+UseG1GC -XX:+PerfDisableSharedMem -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=250 -XX:+UseLargePage+
        5228 root 30 10 160352 2464 1652 R 0.7 0.0 0:00.71 top -c
        1 root 20 0 126436 4684 2408 S 0.3 0.0 62:12.87 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
        9 root 20 0 0 0 0 S 0.3 0.0 101:01.64 [rcu_sched]
        652 root 20 0 0 0 0 S 0.3 0.0 10:09.38 [xfsaild/dm-2]
        1302 root 20 0 228344 8132 4624 S 0.3 0.0 576:33.43 /usr/sbin/snmpd -LS0-6d -f
        1312 root 20 0 255488 29092 7700 S 0.3 0.1 12:52.27 cpsrvd (SSL) - waiting for connections
        2406 root 20 0 204952 19468 4140 S 0.3 0.1 23:36.28 tailwatchd
        4252 root 20 0 0 0 0 S 0.3 0.0 0:00.21 [kworker/1:1]
        4344 nobody 20 0 241144 16744 3036 S 0.3 0.1 0:00.13 /usr/sbin/httpd -k start
        4889 igh1 20 0 241152 16484 2836 S 0.3 0.1 0:00.05 /usr/sbin/httpd -k start
        5300 root 20 0 0 0 0 S 0.3 0.0 0:00.05 [kworker/1:0]
        5411 root 20 0 190160 11180 1656 S 0.3 0.0 0:00.02 cPhulkd - processor - http socket
        11258 root 20 0 153236 11888 3260 S 0.3 0.0 14:29.87 cPhulkd - dbprocessor
        2 root 20 0 0 0 0 S 0.0 0.0 0:01.23 [kthreadd]
        4 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/0:0H]
        6 root 20 0 0 0 0 S 0.0 0.0 0:50.33 [ksoftirqd/0]
        7 root rt 0 0 0 0 S 0.0 0.0 0:37.88 [migration/0]
        8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [rcu_bh]
        10 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [lru-add-drain]

    Shift + m:

        top - 09:17:19 up 28 days, 1:07, 1 user, load average: 0.18, 0.53, 0.51
        Tasks: 194 total, 1 running, 192 sleeping, 0 stopped, 1 zombie
        %Cpu(s): 0.3 us, 0.5 sy, 0.2 ni, 98.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.2 st
        KiB Mem : 24513068 total, 6243632 free, 4200312 used, 14069124 buff/cache
        KiB Swap: 8257532 total, 8033276 free, 224256 used. 19339708 avail Mem

        PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
        1294 root 20 0 1603276 1.2g 3896 S 0.0 5.1 1:55.07 /usr/local/cpanel/3rdparty/bin/clamd -F
        24691 mysql 20 0 1522180 725280 7704 S 0.0 3.0 216:27.24 /usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid
        28989 cpanels+ 20 0 3099668 717908 7256 S 1.3 2.9 90:53.39 /usr/lib/jvm/jre-1.8.0/bin/java -server -Xms512m -Xmx512m -XX:+UseG1GC -XX:+PerfDisableSharedMem -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=250 -XX:+UseLargePage+
        1540 root 20 0 1512136 197092 161464 S 0.3 0.8 11:26.97 /opt/commvault/Base/cvd
        20171 named 20 0 308204 157332 3692 S 0.0 0.6 11:00.62 /usr/sbin/named -u named -c /etc/named.conf
        18555 root 20 0 258156 126160 5668 S 0.0 0.5 0:22.34 /usr/local/cpanel/3rdparty/perl/536/bin/perl -T -w /usr/local/cpanel/3rdparty/bin/spamd --max-spare=1 --max-children=3 --max-children=12 --max-spare=3 --allowed-ips=12+
        20670 root 20 0 259436 123592 1908 S 0.0 0.5 0:08.65 spamd child
        20671 root 20 0 258156 121932 1472 S 0.0 0.5 0:00.02 spamd child
        20672 root 20 0 258156 121932 1472 S 0.0 0.5 0:00.03 spamd child
        3157 root 20 0 1529792 81988 5148 S 0.0 0.3 19:55.13 /opt/ds_agent ds_am -g ../diag -v 5 -d /var/opt/ds_agent/am -m /opt/ds_agent/lib/libvmpd_full_scan.so -m /opt/ds_agent/lib/libvmpd_scanctrl.so -m /opt/ds_agent/lib/lib+
        1542 root 20 0 980456 55888 38712 S 0.0 0.2 3:13.74 /opt/commvault/Base/ClMgrS
        5986 root 20 0 578936 55376 9444 S 0.0 0.2 7:33.46 /opt/imunify360/venv/bin/python3 -m imav.run
        2313 root 20 0 1049484 36976 5780 S 0.0 0.2 66:56.63 /opt/ds_agent/ds_agent -w /var/opt/ds_agent -b -i -e /opt/ds_agent/ext
        2880 wp-tool+ 20 0 389784 32616 7324 S 0.3 0.1 36:13.29 /usr/bin/sw-engine /usr/local/cpanel/3rdparty/wp-toolkit/bin/run-script background-tasks-executor.php
        1312 root 20 0 255488 29092 7700 S 0.0 0.1 12:52.30 cpsrvd (SSL) - waiting for connections

    I have Pure-FTPD and I see its logs in /var/log/messages. But in /usr/local/cpanel/logs, more session_log shows:

        [2023-10-27 16:35:11 +0200] info [cpaneld] 86.216.79.77 NEW ezgrupa1:M42Nm82j8fUmlRkd address=86.216.79.77,app=cpaneld,creator=ezgrupa1,method=handle_form_login,path=form,possessed=0
        [2023-10-28 20:05:44 +0200] info [cpsrvd] internal PURGE ezgrupa1:M42Nm82j8fUmlRkd expire

    Is this a successful cPanel connection? I'm afraid there was some intrusion. How can I check the server for possible malicious content?

    Best regards,
    Elizabeta
    0
  • cPRex Jurassic Moderator
    Yes, that does look like a successful connection to cPanel by someone from that IP address. If you aren't familiar with that IP address, it's possible the account password is compromised. This would not indicate a root-level compromise on the server. It would be best to have a system administrator experienced in security review the system, both for the load issues and for possible compromises. Your hosting provider may be able to help with that work.
    0
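
The session_log check discussed above, as an added example that is not part of the original thread: it lists every NEW (login) entry with its service, source IP, user and login method, and marks source IPs that are not on an allowlist. The field layout is assumed from the two log lines quoted in the post; the function name `new_sessions`, the allowlist file and the second sample login (documentation-range address, placeholder token) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list cPanel logins recorded in session_log.
# Field layout is assumed from the two log lines quoted in the post above.

# new_sessions LOGFILE ALLOWLIST  ->  "date time service ip user method verdict"
# The session token after "user:" is deliberately not printed.
new_sessions() {
    awk -v allow="$2" '
        BEGIN { while ((getline ip < allow) > 0) if (ip != "") ok[ip] = 1 }
        $7 == "NEW" {
            split($8, sess, ":")                 # user:token, keep the user only
            svc = $5; gsub(/^\[|\]$/, "", svc)   # [cpaneld] becomes cpaneld
            method = "-"
            n = split($9, kv, ",")               # key=value pairs after the token
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^method=/) method = substr(kv[i], 8)
            verdict = ($6 in ok) ? "known-ip" : "UNKNOWN-IP"
            print substr($1, 2), $2, svc, $6, sess[1], method, verdict
        }' "$1"
}

# Sample data: the first and last lines are the entries quoted in the thread,
# the middle line and the allowlist addresses are constructed.
demo_log=$(mktemp); demo_allow=$(mktemp)
trap 'rm -f "$demo_log" "$demo_allow"' EXIT
cat > "$demo_log" <<'EOF'
[2023-10-27 16:35:11 +0200] info [cpaneld] 86.216.79.77 NEW ezgrupa1:M42Nm82j8fUmlRkd address=86.216.79.77,app=cpaneld,creator=ezgrupa1,method=handle_form_login,path=form,possessed=0
[2023-10-27 17:02:40 +0200] info [whostmgrd] 192.0.2.10 NEW root:CONSTRUCTEDTOKEN0001 address=192.0.2.10,app=whostmgrd,creator=root,method=handle_form_login,path=form,possessed=0
[2023-10-28 20:05:44 +0200] info [cpsrvd] internal PURGE ezgrupa1:M42Nm82j8fUmlRkd expire
EOF
printf '%s\n' 192.0.2.10 192.0.2.11 192.0.2.12 > "$demo_allow"

new_sessions "$demo_log" "$demo_allow"
```

On a real server the first argument would be the session_log file under /usr/local/cpanel/logs mentioned in the post, and the allowlist would hold the addresses you expect logins from, one per line.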
  • Elizabeta
    Hello,

    This account ezgrupa1 does not exist on the server... It's strange that there was an intrusion, because SSH is blocked for all but our three addresses from the company. Is there any command I can use to check for possible malicious content on the server?

    Best regards,
    Elizabeta
    0
  • cPRex Jurassic Moderator
    I wish it was that easy - if there were one or two commands that could be used to identify security issues for certain, that would be amazing. Unfortunately it would be best to work with an admin that is familiar with server security and have them check the system.
    0
  • SimpleSonic
    I wish it was that easy - if there were one or two commands that could be used to identify security issues for certain, that would be amazing. Unfortunately it would be best to work with an admin that is familiar with server security and have them check the system.

    We all wish it were that easy :)
    0
