-
01-27-2008, 10:48 PM #1 Disabled
- Join Date
- Dec 2004
- Posts
- 445
High server load, top process is /bsd/?
Hello all, I have a VPS with only a few domains hosted on it, and until now it has been really good in terms of server load. But I just noticed that my server load is at 4.36, and I logged into the WHM to check the top processes and it shows the top 2 as /bsd/. One is at 95.4% and the other is at 95.3%.
What is that and how do I fix it?
Also, what is the command to check the top processes to find out what user's account the high resource usage is coming from? Or, is there a better way of doing it?
Thanks in advance!
-
01-27-2008, 10:57 PM #2 Disabled
- Join Date
- Dec 2004
- Posts
- 445
It's going back down now, it's at 2.24, so it's getting better. But, I would still like to know how to check which user is causing the high server load.
-
01-28-2008, 12:44 AM #3 Web Hosting Master
- Join Date
- Jan 2003
- Location
- U.S.A.
- Posts
- 3,928
Hello,
You can try the following command to see what process and commands are currently running... "top -c" which will list the user and command being run.
-
01-28-2008, 12:51 AM #4 Disabled
- Join Date
- Dec 2004
- Posts
- 445
It says the user "nobody" is using about 90% of the CPU with the command /bsd/.
-
01-28-2008, 12:59 AM #5 Web Hosting Master
- Join Date
- Jan 2003
- Location
- U.S.A.
- Posts
- 3,928
Hello,
If you could please copy your whole entire printout of "top -c". Thanks
-
01-28-2008, 01:09 AM #6 Disabled
- Join Date
- Dec 2004
- Posts
- 445
PID USER PR NI %CPU TIME+ %MEM VIRT RES SHR S COMMAND
28105 nobody 25 0 100 916:27.85 0.3 7276 4304 1088 R /bsd/
23950 root 17 0 0 0:00.04 0.1 2548 1008 788 R top -c
1 root 16 0 0 0:10.13 0.0 2964 592 508 S init [3]
24401 root 17 0 0 0:00.02 0.1 2824 788 664 S xinetd -stayalive -
24466 dbus 16 0 0 0:00.00 0.1 3304 924 788 S dbus-daemon-1 --sys
28092 root 16 0 0 0:47.48 0.1 4112 1044 840 S /usr/sbin/sshd
9850 root 15 0 0 0:04.38 0.1 4256 920 524 S crond
7621 root 16 0 0 0:45.75 0.0 3464 524 436 S syslogd -m 0
8043 root 16 0 0 0:07.74 0.1 5916 1388 1084 S pure-ftpd (SERVER)
8046 root 15 0 0 0:04.21 0.1 4076 932 732 S /usr/sbin/pure-auth
30611 named 21 0 0 3:22.36 0.5 74840 8008 1924 S /usr/sbin/named -u
17436 root 16 0 0 0:00.01 0.1 3404 1120 948 S /bin/sh /usr/bin/my
17458 mysql 15 0 0 1168:30 1.4 114m 21m 4440 S /usr/sbin/mysqld --
3729 root 16 0 0 0:29.37 0.6 34916 9344 3908 S /usr/local/apache/b
26316 root 16 0 0 0:31.56 6.3 130m 96m 940 S /usr/sbin/clamd
26322 mailnull 16 0 0 0:00.70 0.1 7844 2032 1612 S /usr/sbin/exim -bd
26332 mailnull 16 0 0 0:00.04 0.1 7724 1992 1592 S /usr/sbin/exim -tls
-
01-28-2008, 01:17 AM #7 Web Hosting Master
- Join Date
- Jan 2003
- Location
- U.S.A.
- Posts
- 3,928
The other thing I want to see is free -m and let me know the output on that.
-
01-28-2008, 01:21 AM #8 Disabled
- Join Date
- Dec 2004
- Posts
- 445
[root@server ~]# free -m
total used free shared buffers cached
Mem: 1536 352 1183 0 0 0
-/+ buffers/cache: 352 1183
Swap: 0 0 0
[root@server ~]#
-
01-28-2008, 01:52 AM #9 Newbie
- Join Date
- Dec 2006
- Location
- California
- Posts
- 20
/bsd/ is some sort of exploit that is running. Usually the ones with a higher CPU like that are sending out floods or brute forcing. You should kill it immediately and check your http logs to see exactly what script was compromised. You should follow up by running chkrootkit, rkhunter, etc. I would definitely recommend contacting your hosting and telling them about it to see if they will help you secure/repair everything.
-
01-28-2008, 02:13 AM #10 Disabled
- Join Date
- Dec 2004
- Posts
- 445
EDIT: I killed the process, but I didn't trace it first. I'll have to keep an eye on it and see if it comes back, then trace it first.
The tech support where I got the VPS is very slow at times, it could be tomorrow before I hear back from them.
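
The posts above describe a process that shows up in "top -c" as /bsd/ and was killed before it was traced. The following is an added example, not written by any poster in this thread, of how to record what /proc knows about a suspicious PID before killing it, and how to check whether the name the process displays matches the binary it is really running. The function names and the PROC_ROOT variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example. PROC_ROOT is this example's own knob (not a system variable):
# it lets the functions run against a saved copy of /proc or a test fixture.
PROC_ROOT="${PROC_ROOT:-/proc}"

# What top -c shows: argv[0], which the process itself controls.
argv0_of() { tr '\000' '\n' 2>/dev/null < "$PROC_ROOT/$1/cmdline" | head -n 1; }

# What is really executing: the kernel's link to the binary. The target ends
# in " (deleted)" when the file was unlinked after the process started.
exe_of() { readlink "$PROC_ROOT/$1/exe" 2>/dev/null; }

# Exit 0 if the displayed name disagrees with the binary, 1 if it agrees,
# 2 if the process is gone or unreadable. Heuristic: interpreters and symlinked
# shells can mismatch legitimately, so treat a hit as a lead, not proof.
is_masquerading() {
    local argv0 exe
    argv0=$(argv0_of "$1"); exe=$(exe_of "$1")
    [ -n "$exe" ] || return 2
    case "$exe" in *" (deleted)") return 0 ;; esac
    argv0=${argv0%%[ :]*}   # drop rewritten titles: "pure-ftpd (SERVER)", "sshd: user"
    [ "$argv0" != "$exe" ] && [ "$(basename -- "$argv0")" != "$(basename -- "$exe")" ]
}

# Save what disappears when the process is killed, then print a verdict line.
snapshot_pid() {
    local pid="$1" out="$2" p="$PROC_ROOT/$1" rc=0
    mkdir -p "$out" || return 1
    {
        echo "pid=$pid"
        echo "argv0=$(argv0_of "$pid")"
        echo "exe=$(exe_of "$pid")"
        echo "cwd=$(readlink "$p/cwd" 2>/dev/null)"
        echo "ppid=$(awk '/^PPid:/ {print $2}' "$p/status" 2>/dev/null)"
    } > "$out/summary.txt"
    ls -l "$p/fd" > "$out/fds.txt" 2>/dev/null || true   # open files and sockets
    cp "$p/exe" "$out/binary" 2>/dev/null || true        # works even if unlinked
    is_masquerading "$pid" || rc=$?
    case "$rc" in 0) echo "SUSPECT $pid" ;; 1) echo "ok $pid" ;; *) echo "unknown $pid" ;; esac
}

# Usage on a live host, as root: snapshot_pid 28105 /root/evidence-28105
```

The cwd and exe values in summary.txt usually point at the directory the file was dropped in, which narrows the search of the http logs for the script that wrote it.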
-
01-28-2008, 01:28 PM #11 Web Hosting Guru
- Join Date
- Dec 2007
- Posts
- 271
I had a very similar problem on my server. I used tweak settings to require all outgoing mail to use authentication. This pretty much killed send mail but I helped my clients set up their PHP apps to use authentication to e-mail members and now everything has been smooth for over a week.
The first telltale I saw was a huge amount of relayed mail going out from the account nobody. Tens of thousands per day.