
Wondering if anyone knows why the processes below are taking up so much CPU on my Ubuntu Apache server.

  • 100% /usr/sbin/acpi
  • 71% /usr/local/apa
  • 68% /sbin/syslogd
  • 66% /usr/sbin/cron
  • 59% /sbin/klogd

If I run strace on most of the processes I see

select(8, [3], NULL, NULL, {0, 0}) = 0 (Timeout)

Once I stop the process the CPU usage goes back to normal, but after an hour or so everything starts maxing out again.

I haven't set up anything in cron for this server, so I'm not sure exactly what cron is doing.

I am using Ubuntu 12.04.

asked by Dylan D (edited by sebix)
  • With such usage of rsyslogd and klogd I guess your system is logging LOTS of things. Can you please check your log files and report back to us accordingly? Also, what exactly is /usr/local/apa? – Damiano Verzulli Jun 28 '15 at 17:07
  • Great question lol.. I'll checkout both and get back to you. – Dylan D Jun 28 '15 at 17:22
  • While trying to figure out what select(8, [3], NULL, NULL, {0, 0}) = 0 (Timeout) I ran lsof -p {acpi process id} -ad 3 and got /usr/sbin 21798 www-data 3u IPv4 10901916 0t0 TCP ip-10-169-241-28.ec2.internal:46985->li498-11.members.linode.com:ircd (CLOSE_WAIT) So it looks like it getting caught up on this? Not sure why my server is calling linode.com.. I'm starting to think I've been hacked or something. – Dylan D Jun 28 '15 at 17:23
  • +1: if /usr/bin/acpi is making IRC connections and using 100% of CPU time, you can bet you've got "guests" inside your system. Anyway, still wondering what it's logging. As for "apa", do you know what it's doing? – Damiano Verzulli Jun 28 '15 at 17:28
  • Here is what I got running Ad on apa /usr/loca 17661 www-data 3u IPv4 10903990 0t0 TCP ip-10-169-241-28.ec2.internal:42538->ns313760.ovh.net:ircd (ESTABLISHED) – Dylan D Jun 28 '15 at 17:40
  • "irc", again. That's surely the time to check this post: http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – Damiano Verzulli Jun 28 '15 at 18:54
  • Yup sounds like you've been hacked and may be running some botnet clients controlled through irc channels. Since they run as www-data sounds like some web site you have got compromised (any wordpress there?). Btw, those command lines are probably fake, those botnet clients just rewrote $ARGV[0] to confuse you. – Dan Jun 28 '15 at 18:57
  • Yeah...... It's not good.. I've discovered it's pretty much a total compromise.. Thanks for your help guys. I've got some work to do. – Dylan D Jun 28 '15 at 21:01
  • It was a Magento shop btw. – Dylan D Jun 28 '15 at 21:01
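The comment thread above works the problem the way a responder should: strace shows the process polling one descriptor, lsof -p PID -ad 3 resolves that descriptor to a TCP socket on the ircd port, and Dan's comment points out that the process names in top are not to be trusted because a bot can rewrite argv[0]. The script below, an added example that is not part of the original question or comments, automates that triage from /proc instead of lsof: it decodes /proc/net/tcp, flags sockets whose remote port is an IRC port, walks /proc/*/fd to find the owning PID, and compares argv[0] against the kernel's /proc/PID/exe link, which argv[0] rewriting cannot forge. The embedded sample is constructed to mirror the two lsof lines in the comments (local host 10.169.241.28, uid 33 which is www-data on Ubuntu, the two socket inodes quoted there); the remote addresses 203.0.113.5 and 203.0.113.9 are placeholders, since the page only gives the remote hostnames. The live mode at the bottom needs root to read other users' fd tables, and on a box this far gone the Python interpreter and /proc itself may lie, so the linked "compromised server" post's advice to boot from known-good media still applies.

```python
import os
import socket
import struct

# Ports an IRC-controlled bot typically dials. 6667 is what lsof printed as
# "ircd" in the comments; 6697 (IRC over TLS) is added here by assumption.
IRC_PORTS = {6667, 6697}

# Socket state codes as written in /proc/net/tcp (kernel enum tcp_state).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in /proc/net/tcp format: a benign port-80 listener plus
# the two www-data (uid 33) IRC sockets from the comments, one CLOSE_WAIT and
# one ESTABLISHED. Remote IPs are TEST-NET placeholders, not the real hosts.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 10800001 1 0000000000000000 100 0 0 10 0
   1: 1CF1A90A:B789 057100CB:1A0B 08 00000000:00000000 00:00000000 00000000    33        0 10901916 1 0000000000000000 20 4 30 10 -1
   2: 1CF1A90A:A62A 097100CB:1A0B 01 00000000:00000000 00:00000000 00000000    33        0 10903990 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr):
    """Turn '1CF1A90A:B789' into ('10.169.241.28', 46985).
    /proc/net/tcp stores the IPv4 address as a little-endian 32-bit hex word."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into dicts; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":
            continue
        entries.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": fields[9],
        })
    return entries


def suspicious_sockets(entries):
    """Sockets talking to an IRC port, whatever their state: a CLOSE_WAIT
    socket (the C2 side hung up, the bot never closed) is as telling as an
    ESTABLISHED one, and is exactly what the acpi process showed."""
    return [e for e in entries if e["remote"][1] in IRC_PORTS]


def socket_owners(inode):
    """Map a socket inode back to the PIDs holding it by walking /proc/*/fd.
    Live-system only; reading other users' fd tables requires root."""
    target = "socket:[%s]" % inode
    pids = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(pid))
                    break
        except OSError:  # process exited or permission denied
            continue
    return pids


def argv0_mismatch(exe_path, cmdline_bytes):
    """True when argv[0] names a different program than the mapped executable.
    A bot can overwrite argv[0] with '/usr/sbin/cron'; it cannot change the
    kernel's /proc/<pid>/exe link. A ' (deleted)' suffix there means the
    binary was unlinked after launch, which is a red flag on its own."""
    argv0 = cmdline_bytes.split(b"\0", 1)[0].decode(errors="replace")
    claimed = os.path.basename(argv0.lstrip("-"))  # login shells use '-bash'
    actual = os.path.basename(exe_path.replace(" (deleted)", ""))
    return claimed != actual


if __name__ == "__main__":
    # Live mode: run as root on the suspect host.
    with open("/proc/net/tcp") as f:
        live = f.read()
    for sock in suspicious_sockets(parse_proc_net_tcp(live)):
        for pid in socket_owners(sock["inode"]):
            exe = os.readlink("/proc/%d/exe" % pid)
            with open("/proc/%d/cmdline" % pid, "rb") as f:
                cmdline = f.read()
            print("pid %d uid %d -> %s:%d %s exe=%s argv0_faked=%s" % (
                pid, sock["uid"], sock["remote"][0], sock["remote"][1],
                sock["state"], exe, argv0_mismatch(exe, cmdline)))
```

The uid column is worth reading even before the PID lookup: every flagged socket belonging to uid 33 says the foothold is the web stack, which is what the thread concluded (the Magento shop), and narrows where to look for the dropper and its cron or at-job persistence.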

0 Answers