High CPU apache nobody
Hi all, I have been noticing over the past several days that my server is running high CPU loads. Apache seems to be using lots of resources.
WHM Version 11.52.1
here is my top c
402144 nobody 25 0 106m 17m 2544 R 96.1 0.1 3610:34 /usr/local/apache/bin/httpd -k start
938937 nobody 25 0 106m 17m 2492 R 94.7 0.1 1266:33 /usr/local/apache/bin/httpd -k start
375189 nobody 25 0 106m 18m 3308 R 86.5 0.1 3690:47 /usr/local/apache/bin/httpd -k start
831981 nobody 25 0 106m 17m 2840 R 82.9 0.1 1568:29 /usr/local/apache/bin/httpd -k start
520440 nobody 25 0 106m 17m 2572 R 78.2 0.1 9:57.52 /usr/local/apache/bin/httpd -k start
334131 nobody 25 0 106m 17m 2540 R 76.6 0.1 152:36.85 /usr/local/apache/bin/httpd -k start
536651 nobody 25 0 106m 18m 3304 R 58.8 0.1 3239:22 /usr/local/apache/bin/httpd -k start
463360 nobody 25 0 106m 18m 3564 R 55.5 0.1 3428:20 /usr/local/apache/bin/httpd -k start
524587 nobody 25 0 106m 17m 2520 R 46.2 0.1 3269:37 /usr/local/apache/bin/httpd -k start
514475 nobody 25 0 106m 17m 2520 R 45.9 0.1 3291:24 /usr/local/apache/bin/httpd -k start

I took a look at the Apache status and this is what I saw; several examples are doing this.
0-0 463360 0/58/7769 W 44.03 218992 0 0.0 5.16 212.55 XX.XX.XX.XXX XXXX.com:80 POST //xmlrpc.php HTTP/1.0
These are WordPress-related sites as far as I can tell. Any ideas, guys?
Are you running DSO? If yes, you may want to run EasyApache and select mod_ruid2, as it will allow the processes to run as the cPanel user. You can use lsof to help as well, for example:

# lsof -p 15732 | grep /home
httpd 15732 CPUSER 48r REG 182,193729 321284 1460018 /home/CPUSER/public_html/domain.com/themes/default-bootstrap/cache/v_47_1de9935608a5fce3cc504e3fd414df59.js

You can also tail all domlogs and see if any are being spammed. From what you posted, it looks like someone is spamming xmlrpc.php.

# tail -f /usr/local/apache/domlogs/*/*
On our shared servers, we disable access to xmlrpc.php globally except for Jetpack. Go to WHM > Home > Service Configuration > Apache Configuration > Include Editor, then select "Pre VirtualHost Include" and put in:

<Files xmlrpc.php>
    Order Deny,Allow
    # Whitelist Jetpack/Automattic CIDR IP address blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Deny from all
</Files>

This will stop the attack and prevent it from happening on all sites.
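The Order/Allow/Deny directives in the reply above are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded, and the native form is Require. The include below is an added example, not the reply author's own include, that carries both forms so one Pre VirtualHost Include works on either version; it keeps the `<Files>` container so the restriction applies only to xmlrpc.php and not to every request on the server. The CIDR blocks are the ones quoted in the reply and are assumed to be current; check them against Automattic's published ranges before deploying.

```apache
# Added example (not from the original thread): block xmlrpc.php for everyone except
# the Jetpack/Automattic address blocks, for Apache 2.2 and 2.4.
# WHM > Home > Service Configuration > Apache Configuration > Include Editor
#   > Pre VirtualHost Include
<Files "xmlrpc.php">
    # Apache 2.4: mod_authz_core is present, use Require
    <IfModule mod_authz_core.c>
        Require ip 192.0.64.0/18 209.15.0.0/16 66.155.0.0/17
    </IfModule>
    # Apache 2.2: no mod_authz_core, use Order/Allow/Deny
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 192.0.64.0/18
        Allow from 209.15.0.0/16
        Allow from 66.155.0.0/17
    </IfModule>
</Files>
```

After rebuilding the configuration, run `apachectl configtest` and confirm with `curl -X POST -i https://yourdomain/xmlrpc.php` from a non-whitelisted address that you now get a 403. Any site that relies on xmlrpc.php from other addresses (a mobile app, a remote publishing tool, a pingback consumer) will break, so check the domlogs for legitimate callers before turning this on server-wide.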
Howdy, what versions of Apache/PHP/WordPress are you using? Also, it's not a bad idea to strace one of those runaway Apache processes to find out what's going on. Thanks!
I am running suPHP and PHP version 5.5.30. The versions of WordPress are all different; some are up to date, some are not. I tailed the logs and it looks like they are not being spammed. It just looks like this process sits there using resources. I am going to add the include as you suggested. Thanks.

I tried to do a strace and got:

# strace -p 164328
Process 164328 attached - interrupt to quit

Thanks guys.
I've seen this for a while. This is more likely an xmlrpc amplification attack: Brute Force Amplification Attacks Against WordPress XMLRPC - Sucuri Blog. If you search for the attacker IP, you will see another POST a few minutes before the xmlrpc.php one. The 1st POST size is big; I suspect it contains many username/password combinations. In the 2nd POST, it just brute-forces the login until all combinations have been tried. The process does not seem to exit after it finishes. If you strace the process, you will probably see no activity. You can only catch it when it has just started. Besides the xmlrpc attack, I have seen some other nobody processes use high CPU.
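The two suggestions above, tailing all the domlogs for a spammed xmlrpc.php and looking at the size of the POSTs to it, can be turned into a quick check rather than eyeballing `tail -f`. The script below is an added example, not code from anyone in the thread: it reads Apache combined-format log lines (the format of cPanel's domlogs), counts POSTs to xmlrpc.php per client address, and separately lists xmlrpc.php requests whose response was unusually large, which is the server-side signature of a system.multicall brute-force run (hundreds of login results returned in one response). The log lines it runs on are constructed samples embedded in the script, not lines from the original post; the thresholds and the IP addresses are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the thread: find clients hammering xmlrpc.php and
# xmlrpc.php requests with very large responses, from Apache combined-format logs.
# On a cPanel box run e.g.:  xmlrpc_top_talkers 20 /usr/local/apache/domlogs/*/*

# Constructed sample domlog lines (not from the original thread). 203.0.113.5 is the
# attacker, 198.51.100.7 makes two ordinary pingback-style posts, 192.0.2.9 is a
# normal visitor. Fields: 1 ip, 6 "method, 7 path, 9 status, 10 response bytes.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [11/Nov/2015:10:00:01 -0500] "POST //xmlrpc.php HTTP/1.0" 200 218992 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Nov/2015:10:00:09 -0500] "POST //xmlrpc.php HTTP/1.0" 200 219104 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Nov/2015:10:00:17 -0500] "POST //xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Nov/2015:10:00:25 -0500] "POST //xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Nov/2015:10:00:33 -0500] "POST //xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Nov/2015:10:00:41 -0500] "POST //xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Nov/2015:10:01:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "WordPress/4.3.1; http://example.org"
198.51.100.7 - - [11/Nov/2015:10:05:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "WordPress/4.3.1; http://example.org"
192.0.2.9 - - [11/Nov/2015:10:02:15 -0500] "GET /index.php HTTP/1.1" 200 15388 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Nov/2015:10:02:30 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# xmlrpc_top_talkers THRESHOLD LOGFILE...
# Print "count ip" for every client that POSTed to xmlrpc.php at least THRESHOLD
# times, busiest first. Field 6 is the quoted method, field 7 the request path
# (matched loosely so both /xmlrpc.php and //xmlrpc.php count).
xmlrpc_top_talkers() {
  thr="$1"; shift
  awk -v thr="$thr" '
    $6 == "\"POST" && $7 ~ /xmlrpc\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= thr + 0) print hits[ip], ip }
  ' "$@" | sort -rn
}

# xmlrpc_large_responses MINBYTES LOGFILE...
# Print "bytes ip path" for xmlrpc.php requests whose response (field 10) was at
# least MINBYTES. A multicall carrying hundreds of login attempts returns hundreds
# of KB; a pingback or Jetpack call returns a few hundred bytes.
xmlrpc_large_responses() {
  min="$1"; shift
  awk -v min="$min" '
    $7 ~ /xmlrpc\.php/ && $10 + 0 >= min + 0 { print $10, $1, $7 }
  ' "$@"
}

echo "== clients with 3 or more POSTs to xmlrpc.php =="
xmlrpc_top_talkers 3 "$SAMPLE_LOG"
echo "== xmlrpc.php responses of 100000 bytes or more =="
xmlrpc_large_responses 100000 "$SAMPLE_LOG"
```

On the sample data the first function reports only 203.0.113.5 (six POSTs) and the second lists its two 200 KB responses; 198.51.100.7 never crosses either threshold. The response size is the useful signal here because the domlogs do not record the request body size, so the "big first POST" described above is only visible indirectly, as the big reply it produces. Pair the output with `lsof -p <pid>` on the busy httpd process to tie a hot worker back to the account being hit.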
Thanks guys, I appreciate it. The fix of not allowing access to that file except by Jetpack worked great.