Last night my server load went crazy (100+). A lot of instances of PERL were showing in TOP, and I also noticed the GET command and instances of LWP-DOWNLOAD. I googled LWP-DOWNLOAD and it seems to be a perl script for downloading large files, which I was not doing. I only host my own sites and a few friends'; no one has ssh but me.
I opened a tk with my server co. They said they found a script running in TMP, disabled it, and said they hardened the TMP folder (although I just had this done by 2 other server admin co's in the last few weeks).
No load problems tonight, but I see another instance of LWP-DOWNLOAD while viewing top. Is this something normal in the server, or do I need to have an admin dig deeper and see what's going on?
As you mentioned, lwp-download is used to fetch large files from the web.
You would need to check if any particular user or script is running the instances of lwp-download. Server updates would also be using lwp-download for fetching the updates, and that is normal. Even in such a case, the update can get stuck at any point (for example, when running out of mirrors), which in turn can cause load on the server.
If you already found malicious or suspicious scripts running from /tmp, it would always be good to dig deeper and make sure the source or any other vulnerability is completely removed.
I agree with logicsupport, at this point you'll want to make sure this isn't a malicious script. The /usr/bin/lwp-download is the command being used. What you want to find out is what's calling that program, and why.
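One way to answer "what's calling that program", as an added example that is not part of the original thread: walk `/proc` from each lwp-download process up through its parents and mark chains that touch a temp directory. It assumes a Linux `/proc` layout; `PROC_ROOT`, the function names and the temp-directory list are this example's own choices.

```shell
#!/bin/sh
# Added example: show which process chain launched each lwp-download instance.
# Assumes a Linux /proc layout; PROC_ROOT and function names are hypothetical.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print one field (Name, PPid, Uid) from <pid>/status.
status_field() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$PROC_ROOT/$1/status" 2>/dev/null
}

# Print the ancestry of a PID, one line per process, child first.
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" != 0 ] && [ -r "$PROC_ROOT/$pid/status" ]; do
        cwd=$(readlink "$PROC_ROOT/$pid/cwd" 2>/dev/null || echo '?')
        cmd=$(2>/dev/null tr '\000' ' ' < "$PROC_ROOT/$pid/cmdline" || true)
        printf 'pid=%s uid=%s name=%s cwd=%s cmd=%s\n' "$pid" \
            "$(status_field "$pid" Uid)" "$(status_field "$pid" Name)" "$cwd" "$cmd"
        pid=$(status_field "$pid" PPid) || pid=
    done
}

# List PIDs whose command line mentions lwp-download.
find_lwp() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        if 2>/dev/null tr '\000' ' ' < "$d/cmdline" | grep -q 'lwp-download'; then
            echo "${d##*/}"
        fi
    done
}

# True if any process in the chain has its cwd or an argument under a temp
# directory (the list is an assumption; extend it for your server).
runs_from_tmp() {
    ancestry "$1" | grep -Eq '[ =](/tmp|/var/tmp|/dev/shm)(/| |$)'
}

# Print every chain, marking the ones that touch a temp directory.
report() {
    for p in $(find_lwp); do
        if runs_from_tmp "$p"; then echo "== pid $p: chain touches a temp dir"
        else echo "== pid $p"; fi
        ancestry "$p"
    done
}

if [ "${1:-}" = report ]; then report; fi
```

Run it as root with the argument `report` while an instance is visible in top, since other users' `cwd` links are not readable otherwise. A chain that ends in cron or an update job matches the normal case described above; one owned by the web server user with a parent script in /tmp does not.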