  1. #1

    High server load, top process is /bsd/?

    Hello all, I have a VPS with only a few domains hosted on it, and until now it has been really good in terms of server load. But I just noticed that my server load is at 4.36, and I logged into the WHM to check the top processes and it shows the top 2 as /bsd/. One is at 95.4% and the other is at 95.3%.

    What is that and how do I fix it?

    Also, what is the command to check the top processes to find out which user's account the high resource usage is coming from? Or, is there a better way of doing it?

    Thanks in advance!

  2. #2
    It's going back down now, it's at 2.24, so it's getting better. But, I would still like to know how to check which user is causing the high server load.

  3. #3
    Join Date: Jan 2003 | Location: U.S.A. | Posts: 3,928
    Hello,

    You can try the following command to see what process and commands are currently running... "top -c" which will list the user and command being run.

  4. #4
    It says the user "nobody" is using about 90% of the CPU with the command /bsd/.

  5. #5
    Join Date: Jan 2003 | Location: U.S.A. | Posts: 3,928
    Hello,

    If you could please copy your whole entire printout of "top -c". Thanks

  6. #6
    PID USER PR NI %CPU TIME+ %MEM VIRT RES SHR S COMMAND
    28105 nobody 25 0 100 916:27.85 0.3 7276 4304 1088 R /bsd/
    23950 root 17 0 0 0:00.04 0.1 2548 1008 788 R top -c
    1 root 16 0 0 0:10.13 0.0 2964 592 508 S init [3]
    24401 root 17 0 0 0:00.02 0.1 2824 788 664 S xinetd -stayalive -
    24466 dbus 16 0 0 0:00.00 0.1 3304 924 788 S dbus-daemon-1 --sys
    28092 root 16 0 0 0:47.48 0.1 4112 1044 840 S /usr/sbin/sshd
    9850 root 15 0 0 0:04.38 0.1 4256 920 524 S crond
    7621 root 16 0 0 0:45.75 0.0 3464 524 436 S syslogd -m 0
    8043 root 16 0 0 0:07.74 0.1 5916 1388 1084 S pure-ftpd (SERVER)
    8046 root 15 0 0 0:04.21 0.1 4076 932 732 S /usr/sbin/pure-auth
    30611 named 21 0 0 3:22.36 0.5 74840 8008 1924 S /usr/sbin/named -u
    17436 root 16 0 0 0:00.01 0.1 3404 1120 948 S /bin/sh /usr/bin/my
    17458 mysql 15 0 0 1168:30 1.4 114m 21m 4440 S /usr/sbin/mysqld --
    3729 root 16 0 0 0:29.37 0.6 34916 9344 3908 S /usr/local/apache/b
    26316 root 16 0 0 0:31.56 6.3 130m 96m 940 S /usr/sbin/clamd
    26322 mailnull 16 0 0 0:00.70 0.1 7844 2032 1612 S /usr/sbin/exim -bd
    26332 mailnull 16 0 0 0:00.04 0.1 7724 1992 1592 S /usr/sbin/exim -tls

  7. #7
    Join Date: Jan 2003 | Location: U.S.A. | Posts: 3,928
    The other thing I want to see is free -m and let me know the output on that.

  8. #8
    [root@server ~]# free -m
    total used free shared buffers cached
    Mem: 1536 352 1183 0 0 0
    -/+ buffers/cache: 352 1183
    Swap: 0 0 0
    [root@server ~]#

  9. #9
    Join Date: Dec 2006 | Location: California | Posts: 20
    /bsd/ is some sort of exploit that is running. Usually the ones with a higher CPU like that are sending out floods or brute forcing. You should kill it immediately and check your http logs to see exactly what script was compromised. You should follow up by running chkrootkit, rkhunter, etc. I would definitely recommend contacting your hosting and telling them about it to see if they will help you secure/repair everything.

  10. #10
    EDIT: I killed the process, but I didn't trace it first. I'll have to keep an eye on it and see if it comes back, then trace it first.

    The tech support where I got the VPS is very slow at times, it could be tomorrow before I hear back from them.
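
An added example, not part of the thread: one way to record what a process such as PID 28105 really is before killing it, since `top -c` only shows the command line the process chose to display. The function name, its optional proc-root argument and the sample /proc entry are constructed for illustration.

```shell
#!/bin/bash
# triage_pid PID [PROC_ROOT]: print what a process really is before it is killed.
# PROC_ROOT (default /proc) is this example's own parameter, used for the sample.
triage_pid() {
    p="${2:-/proc}/$1"
    [ -d "$p" ] || { echo "status=gone"; return 1; }
    exe=$(readlink "$p/exe" 2>/dev/null)
    cwd=$(readlink "$p/cwd" 2>/dev/null)
    # cmdline is NUL-separated and writable by the process: it is what top -c shows
    argv0=$(tr '\0' '\n' 2>/dev/null < "$p/cmdline" | head -n 1)
    echo "exe=$exe"
    echo "cwd=$cwd"
    echo "argv0=$argv0"
    [ -n "$exe" ] || { echo "flag=exe-unreadable"; return 0; }
    real=${exe%" (deleted)"}
    # Hint only: daemons that rewrite their title and symlinked shells also differ
    [ "$(basename -- "$argv0")" = "$(basename -- "$real")" ] || echo "flag=argv0-differs-from-exe"
    # Binary was unlinked after start; the only remaining copy is /proc/PID/exe
    [ "$real" = "$exe" ] || echo "flag=binary-deleted"
    case "$real" in
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "flag=world-writable-dir" ;;
    esac
    return 0
}

# Constructed sample (not data from the thread): a fake /proc entry for a
# process that displays itself as /bsd/ but runs from an unlinked file in /tmp.
make_sample() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/28105"
    printf '/bsd/\0' > "$sample_root/28105/cmdline"
    ln -s '/tmp/.x/payload (deleted)' "$sample_root/28105/exe"
    ln -s /tmp/.x "$sample_root/28105/cwd"
    echo "$sample_root"
}

triage_pid 28105 "$(make_sample)"
```

On a live server, run `triage_pid <PID>` as root with no second argument and save the output, together with a copy of `/proc/<PID>/exe`, before sending the kill signal.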

  11. #11
    Join Date: Dec 2007 | Posts: 271
    I had a very similar problem on my server. I used tweak settings to require all outgoing mail to use authentication. This pretty much killed send mail but I helped my clients set up their PHP apps to use authentication to e-mail members and now everything has been smooth for over a week.

    The first telltale I saw was a huge amount of relayed mail going out from the account nobody. Tens of thousands per day.
