Tracing high cpu process ID
I am trying to trace the source of a command (./cache.sh) a user is running, as it is using 200% CPU.

'top' just shows the command, not what's calling it:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
787626 xxxxxxxx 39 19 382m 5616 1108 S 200.4 0.0 39:39.48 ./cache.sh

strace gives me nothing readable I can understand on the PID:

strace -p 787626
Process 787626 attached
restart_syscall(<... resuming interrupted call ...>) = 0
open("kill", O_RDONLY) = -1 ENOENT (No such file or directory)
nanosleep({0, 17000000}, 0x7fff2a6457b0) = 0
open("kill", O_RDONLY) = -1 ENOENT (No such file or directory)
nanosleep({0, 170000000}, 0x7fff2a6457b0) = 0
open("kill", O_RDONLY) = -1 ENOENT (No such file or directory)
nanosleep({0, 6000000}, 0x7fff2a6457b0) = 0
open("kill", O_RDONLY) = -1 ENOENT (No such file or directory)
nanosleep({0, 180000000}, 0x7fff2a6457b0) = 0
open("kill", O_RDONLY) = -1 ENOENT (No such file or directory)
nanosleep({0, 2000000}, 0x7fff2a6457b0) = 0
open("kill", O_RDONLY) = -1 ENOENT (No such file or directory)
nanosleep({0, 176000000}, 0x7fff2a6457b0) = 0
open("kill", O_RDONLY) = -1 ENOENT (No such file or directory)

strace -c -p 787626
Process 787626 attached
^CProcess 787626 detached
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
100.00 0.012998 137 95 nanosleep
0.00 0.000000 0 96 96 open
0.00 0.000000 0 1 restart_syscall

Any other ideas I could try please?
Hi, Did you verify there is no parent process? You could do this with `ps auxwwwf' or `ps -o ppid= -p $pid|xargs -I {} ps -p {}'. I'd also check if this was run by the user's cron, via `/var/log/cron' or `crontab -lu $user'. You may also check the user's `.bash_history'; however, this won't be updated until they've logged out of their current session. Running `lsof -np $pid' should also tell you the CWD (current working directory) of the script. Thanks,
Hi, thanks for the reply. Not much luck so far. `ps auxwwwf' doesn't say more than 'top' does:

username 708475 198 0.0 391260 5724 ? SNl 08:18 939:06 ./cache.sh

The user has no cron jobs and no bash history. The shell is 'jailshell'. `lsof -np $pid' says the CWD is /home/user/tmp, but the only contents are the usual stats directories:

ls -a
./ ../ analog/ awstats/ cpbandwidth/ logaholic/ webalizer/ webalizerftp

Other info from that command I'm not sure how to interpret:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cache.sh 708475 username cwd DIR 9,2 4096 17064158 /home/username/tmp
cache.sh 708475 username rtd DIR 9,7 4096 529789 /
cache.sh 708475 username txt REG 9,2 1434496 17057782 (deleted)/home/username/tmp/cache.sh
cache.sh 708475 username mem REG 9,1 1924768 286822 /lib64/libc-2.12.so
cache.sh 708475 username mem REG 9,1 596864 287058 /lib64/libm-2.12.so
cache.sh 708475 username mem REG 9,1 44472 287112 /lib64/librt-2.12.so
cache.sh 708475 username mem REG 9,1 143280 287101 /lib64/libpthread-2.12.so
cache.sh 708475 username mem REG 9,1 159312 286733 /lib64/ld-2.12.so
cache.sh 708475 username 0r CHR 1,3 0t0 530441 /dev/null
cache.sh 708475 username 1w CHR 1,3 0t0 530441 /dev/null
cache.sh 708475 username 2w REG 9,6 316063411 3934381 (deleted)/var/log/apache2/error_log.bkup
cache.sh 708475 username 3u REG 9,2 0 17057766 (deleted)/tmp/ZCUDEhT43K
cache.sh 708475 username 4u IPv4 564620419 0t0 TCP XXXXXXXX:36491->139.162.196.236:http (ESTABLISHED)
cache.sh 708475 username 6u CHR 1,3 0t0 530441 /dev/null
cache.sh 708475 username 7u unix 0xffff880de4810100 0t0 564620406 /var/run/mod_lsapi/lsapi_application-x-httpd-ea-php56___lsphp_909_domain.tv.sock
cache.sh 708475 username 1744w REG 9,6 5319505 3933830 /var/log/apache2/sulsphp_log
You may want to reach out to your host or system administrator to check further. You can open a ticket with us, but we mainly offer support with cPanel related issues; although, we will perform a basic investigation as a courtesy. The `lsof' command just checks the process's file descriptors or "open files". The Apache connection, as well as the lsphp socket, is concerning. PHP generally shouldn't be executing bash scripts. If this user hasn't logged in, has no cron jobs, and this process continually reappears, I would check PHP requests in the domain logs around the time the process started, as well as any persistent processes under the same username. You may also check for requests made from the IP referenced in the `lsof' output.
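The triage steps suggested in the replies above (parent chain, CWD, network peers), scripted as an added example that is not part of this thread. It assumes a Linux /proc filesystem and the classic `lsof -np' column layout; the lsof sample embedded in it is constructed from the kind of output the poster pasted, with invented addresses. One check worth noting from the poster's own lsof output: the txt entry is marked (deleted), so listing the home directory will not find cache.sh, but /proc/PID/exe still yields the binary for as long as the process runs.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux /proc and the classic
# `lsof -np PID` output format; the SAMPLE below is constructed.

# Walk the parent chain so "who started it" is visible even when ps -f shows
# only the leaf process (a parent that already exited appears as PPid 1).
parent_chain() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 1 ] && [ -r "/proc/$pid/status" ]; do
        ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
        exe=$(readlink "/proc/$pid/exe")   # ends in "(deleted)" if unlinked
        printf '%s\t%s\t%s\t%s\n' "$pid" "$ppid" "$(cat "/proc/$pid/comm")" "$exe"
        pid=$ppid
    done
}

# A deleted executable is gone from the home directory, but its inode lives on
# while the process runs, so /proc/PID/exe still yields the contents to preserve.
save_exe() { cp "/proc/$1/exe" "$2"; }

# Parse `lsof -np PID` output on stdin and print TYPE<TAB>VALUE lines for the
# items worth following up in logs: cwd, deleted executables, network peers,
# unix sockets (e.g. the lsphp socket that pointed at PHP here).
triage_lsof() {
    awk 'NR == 1 { next }
         $4 == "cwd" { print "CWD\t" $9 }
         $4 == "txt" && $9 ~ /deleted/ { sub(/^\(deleted\)/, "", $9); print "DELETED_EXE\t" $9 }
         $5 ~ /^IPv[46]$/ { print "NET\t" $8 " " $9 " " $10 }
         $5 == "unix" { print "UNIX\t" $NF }'
}

# Constructed sample modelled on the poster's lsof output (addresses invented).
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cache.sh 708475 username cwd DIR 9,2 4096 17064158 /home/username/tmp
cache.sh 708475 username txt REG 9,2 1434496 17057782 (deleted)/home/username/tmp/cache.sh
cache.sh 708475 username 4u IPv4 564620419 0t0 TCP 10.0.0.5:36491->192.0.2.10:http (ESTABLISHED)
cache.sh 708475 username 7u unix 0xffff880de4810100 0t0 564620406 /var/run/mod_lsapi/php.sock'

if [ -n "$1" ]; then            # live mode: ./triage.sh PID
    parent_chain "$1"
    lsof -np "$1" | triage_lsof
else                            # no PID given: run against the constructed sample
    printf '%s\n' "$SAMPLE" | triage_lsof
fi
```

The NET lines give the remote address and the CWD/DELETED_EXE lines the paths to search for in the domain and Apache logs around the process start time, as the reply suggests.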
Thanks for your suggestions, appreciated.
Also having the same problem, a user walks 99% CPU with the command ./cache.sh
Hello, You may want to review the account's home directory to see if a file matching that name exists, and if so, review the contents of the file to determine its purpose. Thank you.
I have the same problem. I think the cache.sh file is a cryptocurrency miner. I cannot solve it in any way. What can I do?