High CPU load overnight and funny strace today.
WHM 54.0 (build 15) - mod_ruid2, PHP-FPM for cPanel enabled.
I've gotten high CPU warnings from CSF last night. Saw them this morning and figured people were attacking the server somehow. Processes belonged to nobody and named accounts.
This morning I went into the Process manager and ran a trace on httpd owned by nobody. This is what I found.
It looks like it's scanning an account and I've seen it do it to a different account.
The beef is that I've never run a trace before and don't know if this is normal.
Looks suspicious as hell, to me, but I figured I'd post here and ask you guys.
What do you think about the strace below? Done on a httpd process belonging to nobody and taking up 4% CPU in process manager.
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc/Aitsys", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community/Aitoc", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code/community", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app/code", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/app", {st_mode=S_IFDIR|0500, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/public_html/app/code/community/Aitoc/Aitsys/Model/Rewriter/Config.php", O_RDONLY) = 209
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
mmap(NULL, 1229, PROT_READ, MAP_SHARED, 209, 0) = 0x7f5de0795000
fcntl(209, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(209, {st_mode=S_IFREG|0400, st_size=1229, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5de0794000
lseek(209, 0, SEEK_CUR) = 0
read(209, "
Hi, I think it needs more logs for troubleshooting this issue. You said you got the load at night. How is your backup configuration? Do you have any type of heavy traffic at that time?
Process manager currently reports 4 httpd processes, owned by nobody, consuming 6%, 3% and two with 1%. So, is it normal for httpd nobody to be reading /home/blahblah? I'm wondering if I'm chasing ghosts. Trace on the process with 6% shows it hitting the Magento install, again.
Process 19763 attached
restart_syscall(<... resuming interrupted call ...>) = 0
writev(207, [{"\27\3\3\0)\236]*\375\307\357LUu\250.U)\235\343\na\376j\372\206\362BL)\252\353"..., 46}], 1) = 46
writev(207, [{"\25\3\3\0\32\236]*\375\307\357LVb^\5]\211\206\311C5c \237q\227\32\227*y", 31}], 1) = 31
shutdown(207, SHUT_WR) = 0
poll([{fd=207, events=POLLIN}], 1, 2000) = 0 (Timeout)
close(207) = 0
read(10, 0x7ffeb529bf4b, 1) = -1 EAGAIN (Resource temporarily unavailable)
semop(9830410, {{0, -1, SEM_UNDO}}, 1) = 0
epoll_wait(205, {}, 4, 10000) = 0
epoll_wait(205, {{EPOLLIN, {u32=87201208, u64=87201208}}}, 4, 10000) = 1
accept4(6, {sa_family=AF_INET, sin_port=htons(16616), sin_addr=inet_addr("77.75.76.167")}, [16], SOCK_CLOEXEC) = 207
semop(9830410, {{0, 1, SEM_UNDO}}, 1) = 0
getsockname(207, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("198.46.237.187")}, [16]) = 0
fcntl(207, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(207, F_SETFL, O_RDWR|O_NONBLOCK) = 0
read(207, "GET /robots.txt HTTP/1.1\r\nHost: "..., 8000) = 228
open("/dev/urandom", O_RDONLY) = 208
read(208, "\350\305\344\5\301s\344\213\237\342\302V\316\230zW\217\25\2742\205\24\272(\4G\317.\276\321\375\222"..., 64) = 64
close(208) = 0
open("/dev/urandom", O_RDONLY) = 208
read(208, "P*v\f\363\16\274^\250\243\351 \303\324\373\35\335\312\270\240\332#\264\364\375\23x9\216`x\23"..., 64) = 64
close(208) = 0
open("/var/cpanel/secdatadir/global.dir", O_RDONLY|O_CLOEXEC) = 208
open("/var/cpanel/secdatadir/global.pag", O_RDONLY|O_CLOEXEC) = 209
fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
fstat(208, {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
fstat(208, {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
lseek(209, 0, SEEK_SET) = 0
read(209, "", 1024) = 0
fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
close(208) = 0
close(209) = 0
open("/var/cpanel/secdatadir/ip.dir", O_RDONLY|O_CLOEXEC) = 208
open("/var/cpanel/secdatadir/ip.pag", O_RDONLY|O_CLOEXEC) = 209
fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
fstat(208, {st_mode=S_IFREG|0777, st_size=4096, ...}) = 0
fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
fcntl(208, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
fstat(208, {st_mode=S_IFREG|0777, st_size=4096, ...}) = 0
lseek(208, 0, SEEK_SET) = 0
read(208, "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\373\371\377\377\377\367\377\377\177"..., 4096) = 4096
lseek(209, 31744, SEEK_SET) = 31744
read(209, "\0\0\312\3\247\2w\2T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
fcntl(208, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
close(208) = 0
close(209) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
tgkill(19763, 19764, SIGRT_1) = 0
setgroups(0, []) = 0
tgkill(19763, 19764, SIGRT_1) = 0
setgid(1019) = 0
tgkill(19763, 19764, SIGRT_1) = 0
setuid(1019) = 0
prctl(PR_SET_DUMPABLE, 1) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
stat("/home/indian05/public_html/robots.txt", 0x7ffeb529ba20) = -1 ENOENT (No such file or directory)
open("/.htaccess", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/.htaccess", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/.htaccess", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
open("/home/indian05/public_html/.htaccess", O_RDONLY|O_CLOEXEC) = 208
fstat(208, {st_mode=S_IFREG|0755, st_size=6551, ...}) = 0
read(208, "#RewriteEngine On \n#RewriteCond "..., 4096) = 4096
read(208, "irectoryhere/.*$\n #RewriteCon"..., 4096) = 2455
read(208, "", 4096) = 0
close(208) = 0
lstat("/home/indian05/public_html/robots.txt", 0x7ffeb529ba20) = -1 ENOENT (No such file or directory)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
tgkill(19763, 19764, SIGRT_1) = 0
setgroups(0, []) = 0
tgkill(19763, 19764, SIGRT_1) = 0
setgid(1019) = 0
tgkill(19763, 19764, SIGRT_1) = 0
setuid(1019) = 0
prctl(PR_SET_DUMPABLE, 1) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_SETGID|CAP_SETUID, 0}) = 0
open("/dev/urandom", O_RDONLY) = 208
read(208, "^3,\231\346\336\263\355$\247\25\360\17\226Jb]N\374\370\335\303\370sy<\250\35\356\245\275\217"..., 64) = 64
close(208) = 0
open("/dev/urandom", O_RDONLY) = 208
read(208, "\315\220\266\206\256g\233;\334\337\230\332&\372\207Z\340\2409\tb\213\275C\373\225:4\375l%\222"..., 64) = 64
close(208) = 0
stat("/home/indian05/public_html/robots.txt", 0x7ffeb529b970) = -1 ENOENT (No such file or directory)
stat("/home/indian05/public_html/robots.txt", 0x7ffeb529b970) = -1 ENOENT (No such file or directory)
lstat("/home/indian05/public_html/robots.txt", 0x7ffeb529b970) = -1 ENOENT (No such file or directory)
access("/var/cpanel/bwlimited/indianrivergroves.com", F_OK) = -1 ENOENT (No such file or directory)
stat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
stat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
access("/var/cpanel/bwlimited/indianrivergroves.com", F_OK) = -1 ENOENT (No such file or directory)
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={18000, 0}}, NULL) = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x7f5df609f175, [PROF], SA_RESTORER|SA_RESTART, 0x7f5df7918670}, {0x7f5df609f175, [PROF], SA_RESTORER|SA_RESTART, 0x7f5df7918670}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
getcwd("/", 4095) = 2
chdir("/home/indian05/public_html") = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={18000, 0}}, NULL) = 0
lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/public_html/index.php", O_RDONLY) = 208
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
mmap(NULL, 2614, PROT_READ, MAP_SHARED, 208, 0) = 0x7f5de0795000
munmap(0x7f5de0795000, 2614) = 0
close(208) = 0
lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/indian05/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home/indian05", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/indian05/public_html/index.php", O_RDONLY) = 208
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
mmap(NULL, 2614, PROT_READ, MAP_SHARED, 208, 0) = 0x7f5de0795000
fcntl(208, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(208, {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5de0794000
lseek(208, 0, SEEK_CUR) = 0
read(208, "
Here's a sample of one of the CSF CPU usage warnings. Figured someone was hammering indian05. Backup was not running at the time, so all other processes were at 0% or pretty low.
indian05 24790 4.9 6.1 515288 129028 ? Rl 00:15 0:40 \_ /usr/local/apache/bin/httpd -k start
indian05 24791 2.8 5.4 504048 114964 ? Rl 00:15 0:23 \_ /usr/local/apache/bin/httpd -k start
indian05 24831 4.9 5.6 505088 118060 ? Rl 00:15 0:40 \_ /usr/local/apache/bin/httpd -k start
nobody 24850 2.4 4.3 494588 90640 ? Sl 00:16 0:19 \_ /usr/local/apache/bin/httpd -k start
indian05 25011 3.6 5.5 503016 115660 ? Rl 00:17 0:26 \_ /usr/local/apache/bin/httpd -k start
indian05 25695 6.1 5.4 503016 113632 ? Rl 00:21 0:30 \_ /usr/local/apache/bin/httpd -k start
indian05 25705 7.0 5.4 503504 114380 ? Rl 00:21 0:35 \_ /usr/local/apache/bin/httpd -k start
nobody 25706 4.1 4.3 494644 90932 ? Sl 00:21 0:20 \_ /usr/local/apache/bin/httpd -k start
indian05 25708 5.0 5.4 503004 113700 ? Rl 00:21 0:25 \_ /usr/local/apache/bin/httpd -k start
indian05 25710 4.5 5.4 504036 114876 ? Rl 00:21 0:22 \_ /usr/local/apache/bin/httpd -k start
indian05 25711 3.1 5.5 505288 116524 ? Rl 00:21 0:15 \_ /usr/local/apache/bin/httpd -k start
nobody 25733 4.3 4.3 494644 90928 ? Sl 00:21 0:21 \_ /usr/local/apache/bin/httpd -k start
nobody 25734 4.3 4.3 494644 91124 ? Sl 00:21 0:21 \_ /usr/local/apache/bin/httpd -k start
indian05 25737 5.3 5.4 504296 114168 ? Rl 00:21 0:26 \_ /usr/local/apache/bin/httpd -k start
indian05 25747 3.9 5.6 507104 119004 ? Rl 00:21 0:19 \_ /usr/local/apache/bin/httpd -k start
indian05 25749 4.1 5.4 503796 114412 ? Rl 00:21 0:20 \_ /usr/local/apache/bin/httpd -k start
indian05 25783 5.4 5.4 504312 114280 ? Sl 00:21 0:26 \_ /usr/local/apache/bin/httpd -k start
indian05 25788 2.8 4.9 495156 104856 ? Rl 00:21 0:14 \_ /usr/local/apache/bin/httpd -k start
nobody 25790 4.2 4.3 494644 90804 ? Sl 00:21 0:20 \_ /usr/local/apache/bin/httpd -k start
indian05 25813 4.6 4.3 494644 92116 ? Rl 00:21 0:22 \_ /usr/local/apache/bin/httpd -k start
nobody 25817 4.9 4.3 494644 90804 ? Sl 00:21 0:23 \_ /usr/local/apache/bin/httpd -k start
indian05 25818 3.0 5.4 503424 114268 ? Rl 00:21 0:14 \_ /usr/local/apache/bin/httpd -k start
nobody 25844 5.1 4.3 494644 90832 ? Sl 00:21 0:24 \_ /usr/local/apache/bin/httpd -k start
indian05 26080 6.5 5.4 503048 113688 ? Rl 00:21 0:29 \_ /usr/local/apache/bin/httpd -k start
indian05 26083 3.2 5.2 495132 109216 ? Rl 00:21 0:14 \_ /usr/local/apache/bin/httpd -k start
indian05 26141 2.5 4.4 495040 93512 ? Rl 00:22 0:11 \_ /usr/local/apache/bin/httpd -k start
indian05 26442 6.0 5.4 504280 114316 ? Rl 00:23 0:19 \_ /usr/local/apache/bin/httpd -k start
indian05 26667 6.7 5.4 504316 114516 ? Rl 00:24 0:17 \_ /usr/local/apache/bin/httpd -k start
indian05 26737 3.6 5.4 503264 114140 ? Rl 00:25 0:09 \_ /usr/local/apache/bin/httpd -k start
indian05 26750 3.6 5.4 503264 113664 ? Rl 00:25 0:09 \_ /usr/local/apache/bin/httpd -k start
indian05 26751 6.5 5.4 504072 114708 ? Rl 00:25 0:16 \_ /usr/local/apache/bin/httpd -k start
nobody 26753 4.5 4.3 494644 90832 ? Sl 00:25 0:11 \_ /usr/local/apache/bin/httpd -k start
indian05 27750 4.1 4.4 495160 94056 ? Rl 00:27 0:04 \_ /usr/local/apache/bin/httpd -k start
indian05 27752 4.1 4.4 495156 94068 ? Rl 00:27 0:04 \_ /usr/local/apache/bin/httpd -k start
indian05 27753 3.9 4.4 495156 93676 ? Sl 00:27 0:04 \_ /usr/local/apache/bin/httpd -k start
nobody 27809 2.5 4.3 494644 90800 ? Sl 00:27 0:02 \_ /usr/local/apache/bin/httpd -k start
nobody 28004 0.0 3.4 484912 71368 ? Sl 00:29 0:00 \_ /usr/local/apache/bin/httpd -k start
nobody 28013 0.0 3.4 484912 71372 ? Sl 00:29 0:00 \_ /usr/local/apache/bin/httpd -k start
nobody 28018 0.0 3.4 484912 71368 ? Sl 00:29 0:00 \_ /usr/local/apache/bin/httpd -k start
Hello :) You may also find the following thread helpful if you have not yet reviewed it: Troubleshooting high server loads on Linux servers
Thank you.
Hey, Michael. I hadn't read about that sar utility, so I thank you for the link and will do some digging into last night's activity with it. The CPU load isn't my real concern, but what httpd with nobody as owner is doing in that first post. Is that legitimate behaviour?
It's normal for Apache to run as the "nobody" user. The trace output you provided does not suggest anything that's necessarily malicious. It's showing you which files are processed. You may need to review the user in question, or consider suspending the account to see if usage drops to normal. Thank you.
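One way to condense a trace like the ones posted above into a record per request, as an added example that is not part of the original thread: it pairs each accepted connection with the request line, the uid the worker switched to, the files actually opened and the lookups that failed, so repeated lstat() path walks are counted rather than read as a scan. The sample trace, client address and account name are constructed.

```python
import re

# Constructed sample in the shape of the strace output posted in this thread;
# the client address and account name are placeholders.
SAMPLE = r'''
accept4(6, {sa_family=AF_INET, sin_port=htons(16616), sin_addr=inet_addr("192.0.2.10")}, [16], SOCK_CLOEXEC) = 207
read(207, "GET /robots.txt HTTP/1.1\r\nHost: "..., 8000) = 228
setgid(1019) = 0
setuid(1019) = 0
stat("/home/exampleuser/public_html/robots.txt", 0x7ffeb529ba20) = -1 ENOENT (No such file or directory)
open("/home/exampleuser/public_html/.htaccess", O_RDONLY|O_CLOEXEC) = 208
lstat("/home/exampleuser/public_html/index.php", {st_mode=S_IFREG|0400, st_size=2614, ...}) = 0
lstat("/home/exampleuser/public_html", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/home/exampleuser", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0711, st_size=4096, ...}) = 0
open("/home/exampleuser/public_html/index.php", O_RDONLY) = 208
'''

ACCEPT = re.compile(r'^accept4?\(\d+, \{.*inet_addr\("([0-9.]+)"\)')
REQUEST = re.compile(r'^read\(\d+, "([A-Z]+ \S+) HTTP/')
SETUID = re.compile(r'^setuid\((\d+)\)\s+= 0$')
PATHCALL = re.compile(r'^(open|stat|lstat|access)\("([^"]+)".*?\)\s+= (-?\d+)')

def summarize(trace):
    """Group one httpd worker's syscalls into a record per accepted connection."""
    records, cur = [], None
    for line in map(str.strip, trace.splitlines()):
        if m := ACCEPT.match(line):
            cur = {"client": m.group(1), "request": None, "uid": None,
                   "opened": [], "failed": [], "stat_calls": 0}
            records.append(cur)
        elif cur is None:
            continue  # tail of a request that started before strace attached
        elif cur["request"] is None and (m := REQUEST.match(line)):
            cur["request"] = m.group(1)
        elif m := SETUID.match(line):
            cur["uid"] = int(m.group(1))  # worker drops to the site owner's uid
        elif m := PATHCALL.match(line):
            call, path, ret = m.groups()
            if ret.startswith("-"):
                bucket = cur["failed"]      # e.g. ENOENT for a missing robots.txt
            elif call == "open":
                bucket = cur["opened"]      # files whose contents were read
            else:
                cur["stat_calls"] += 1      # path-resolution lookups only
                continue
            if path not in bucket:
                bucket.append(path)
    return records

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
```

Feeding it the output of a longer capture gives one line per request, which can then be matched against the Apache access log by client address and URL.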
Thanks, mister. I will dig further into the CPU usage/etc as time permits.