  1. #1

    Huge loads, tons of CROND, what's up?

    Any ideas what's going on with this server? Over the past two days it keeps climbing in load until eventually it stops functioning (load average 400-800). ps shows hundreds of copies of "CROND" and now a couple weird ssh lines... here's a snippet:

    Code:
    sshd      5420  0.0  0.1  5032 1324 ?        S    13:32   0:00 sshd: unknown [net]
    root      5421  0.0  0.1  5668 1632 ?        D    13:32   0:00 sshd: unknown [priv]
    sshd      5422  0.0  0.1  5032 1324 ?        S    13:32   0:00 sshd: unknown [net]
    root      5424  0.0  0.1  5668 1632 ?        D    13:32   0:00 sshd: unknown [priv]
    sshd      5425  0.0  0.1  5032 1324 ?        S    13:32   0:00 sshd: unknown [net]
    root      5426  0.0  0.1  5668 1632 ?        D    13:32   0:00 sshd: unknown [priv]
    sshd      5427  0.0  0.1  5032 1324 ?        S    13:32   0:00 sshd: unknown [net]
    root      5428  0.0  0.1  5668 1628 ?        D    13:32   0:00 sshd: unknown [priv]
    sshd      5429  0.0  0.1  5032 1324 ?        S    13:32   0:00 sshd: unknown [net]
    root      5430  0.0  0.0  1616  620 ?        S    13:33   0:00 CROND
    root      5431  0.0  0.0  1612  620 ?        D    13:33   0:00 CROND
    root      5438  0.0  0.0  1616  620 ?        S    13:34   0:00 CROND
    root      5439  0.0  0.0  1612  620 ?        D    13:34   0:00 CROND
    root      5449  0.0  0.0  1616  620 ?        S    13:35   0:00 CROND
    root      5450  0.0  0.0  1612  620 ?        D    13:35   0:00 CROND
    root      5451  0.0  0.0  1616  620 ?        S    13:35   0:00 CROND
    root      5452  0.0  0.0  1612  620 ?        D    13:35   0:00 CROND
    root      5458  0.0  0.0  1616  620 ?        S    13:36   0:00 CROND
    root      5459  0.0  0.0  1612  620 ?        D    13:36   0:00 CROND
    root      5481  0.0  0.0  1616  620 ?        S    13:37   0:00 CROND
    root      5482  0.0  0.0  1612  620 ?        D    13:37   0:00 CROND
    root      5501  0.0  0.0  1616  620 ?        S    13:38   0:00 CROND
    root      5502  0.0  0.0  1612  620 ?        D    13:38   0:00 CROND
    root      5503  0.0  0.0  1616  620 ?        S    13:39   0:00 CROND
    root      5504  0.0  0.0  1612  620 ?        D    13:39   0:00 CROND
    root      5519  0.0  0.0  1616  620 ?        S    13:40   0:00 CROND
    root      5520  0.0  0.0  1612  620 ?        D    13:40   0:00 CROND
    root      5521  0.0  0.0  1616  620 ?        S    13:40   0:00 CROND
    I can't figure out what's spawning all those "CROND" processes (or how to kill them), what the "ssh" processes with no usernames or hosts mean (nothing shows on netstat except my own connection and some HTTP connections on port 80 from website users).

    If I attempt to run crontab it just hangs the server entirely, even though there's nothing on my only user's crontab except synching time with a time server every once in a while.
    Dan Grossman - dan @ awio.com
    My Blog | Affiliate Program for Web Hosts

  2. #2
    Do you have any crons that run every minute or so? Could just be hanging and not exiting.

  3. #3
    I'll go through all the users and check. Still curious about the sshd processes without users...

    Luckily this is just a kind of 'throwaway' box... a server I no longer have any important sites on that's just running a few projects and development apps.

  4. #4
    Eh, figured that out. Not sure which process on cron was hanging but the reason for the strange sshd processes is simple. Once the load was high enough, ssh would hang trying to authenticate a login, so those processes were those hung login attempts. Which is normal since brute force attacks are relentless.

  5. #5
    The sshd without a user is getting brute-forced; you might want to install something to limit the password retries.

    As for crond, you can read the /var/log/cron logs.

    The cron processes get generated when it is backed up during high load or during high I/O.

  6. #6
    Quote Originally Posted by clanosiris
    The sshd without a user is getting brute-forced; you might want to install something to limit the password retries.
    I have, it just doesn't work at all when the load is 832.
    Dan Grossman - dan @ awio.com
    My Blog | Affiliate Program for Web Hosts
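
An added triage example, not part of the original thread: the listing in the first post shows many processes in state D at 0.0% CPU, and on Linux processes in uninterruptible sleep (D) count toward load average. The shell functions below (hypothetical names, run here on a constructed sample in the same `ps aux` column layout) group processes by state and command and count the D-state and `sshd: unknown` entries.

```shell
#!/bin/sh
# Triage helpers for `ps aux`-style output.
# Added example; function names are hypothetical, not from the thread.

# Constructed sample in the same column layout as the listing in post #1.
sample_ps() {
cat <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
sshd      5420  0.0  0.1  5032 1324 ?        S    13:32   0:00 sshd: unknown [net]
root      5421  0.0  0.1  5668 1632 ?        D    13:32   0:00 sshd: unknown [priv]
root      5430  0.0  0.0  1616  620 ?        S    13:33   0:00 CROND
root      5431  0.0  0.0  1612  620 ?        D    13:33   0:00 CROND
root      5439  0.0  0.0  1612  620 ?        D    13:34   0:00 CROND
EOF
}

# Print "count state command" for each (state, command) group, largest first.
# Column 8 is STAT (only its first character is the state); columns 11+ are
# the command line. The header row, if present, is skipped.
summarize_ps() {
  awk '$2 == "PID" { next }
  {
    st = substr($8, 1, 1)
    cmd = $11
    for (i = 12; i <= NF; i++) cmd = cmd " " $i
    n[st " " cmd]++
  }
  END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Count processes in uninterruptible sleep (state D). These raise the load
# average even though they use no CPU, which matches the 0.0 %CPU column.
count_dstate() {
  awk '$2 != "PID" && substr($8, 1, 1) == "D" { c++ } END { print c + 0 }'
}

# Count sshd processes titled "sshd: unknown ...", which the thread
# identifies as login attempts hung mid-authentication.
count_unknown_sshd() {
  awk '$11 == "sshd:" && $12 == "unknown" { c++ } END { print c + 0 }'
}

# Usage on a live system:  ps aux | summarize_ps | head
```

A D-state count that keeps growing across runs points at blocked I/O rather than CPU contention, which is where to look next.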
