Web Hosting Talk


  #1  
Old 07-02-2009, 07:15 PM
papiandy
Newbie
 
Join Date: Apr 2008
Posts: 19
why User root is running process httpd all time?

Hi ... I usually use the "top" command to see what is happening in my server ... Normally everything is OK, until one week ago I started to see this process:

Code:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1115 root 20 0 10768 10m 164 R 26 0.5 46:17.27 httpd

It is number 1 on the top list, using a lot of CPU and MEM (as I said before ... I have never seen this command in the past)

So when I kill the process everything goes fine, but only for a few minutes, and then it comes back

Any ideas?
Thanks a lot guys!

  #2
Old 07-02-2009, 11:51 PM
mugo
Intangible Asset Appraiser
 
Join Date: Mar 2009
Location: Austin Tx
Posts: 1,220
This is normal; it is used to grab port 80 and fork, among other reasons.
This is what your initial httpd process runs as.
You'll always see 1 owned by root.

__________________
This is the best signature in the world....Tribute!
(It is not the best signature in the world, no. This is just a tribute)


  #3
Old 07-03-2009, 12:02 AM
foobic
Community Liaison
 
Join Date: Feb 2005
Location: Australia
Posts: 3,420
It's normal to see one (and only one) httpd process running as root but it's not normal to see it using a lot of resources. Assuming 1115 is still the pid, try
Code:
cat /proc/1115/cmdline

__________________
Chris <ClonePanel>
"Not everything that can be counted counts, and not everything that counts can be counted" - Albert Einstein

Reply With Quote
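
The check suggested in the post above, extended as an added example (not part of the original post): besides `cmdline`, which a process can rewrite itself, it reads `/proc/<pid>/comm` and the `exe` link and reports a mismatch between the displayed name and the binary. The proc-root argument, the function names and the sample tree are assumptions so the check can run on constructed data.

```sh
#!/bin/sh
# Added example, not from the thread. The second argument (proc root) is an
# assumption so the check can run on a constructed tree instead of live /proc.

# Report what a PID really is: task name, executable on disk, arguments.
inspect_pid() {
    pid=$1; dir="${2:-/proc}/$pid"
    [ -d "$dir" ] || { echo "pid=$pid status=gone"; return 1; }

    comm=$(cat "$dir/comm" 2>/dev/null) || comm=""      # name top displays
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe=""    # binary actually running
    # cmdline is NUL-separated and writable by the process itself, so it is
    # shown for context only; a plain cat runs the arguments together.
    args=$(tr '\000' ' ' 2>/dev/null < "$dir/cmdline" | sed 's/ $//')

    case "$exe" in
        "")            status=exe-unreadable ;;  # need root, or a kernel thread
        *" (deleted)") status=exe-deleted ;;     # binary unlinked after start
        *)  # comm keeps at most 15 characters, so compare on that prefix
            base=$(printf '%.15s' "${exe##*/}")
            if [ "$base" = "$comm" ]; then status=ok; else status=name-mismatch; fi ;;
    esac
    printf 'pid=%s comm=%s exe=%s status=%s args=%s\n' \
        "$pid" "$comm" "$exe" "$status" "$args"
}

# Constructed sample: 1115 resembles a stock Apache parent; 2222 shows the
# name httpd in top but its exe link points at another binary.
make_sample_proc() {
    mkdir -p "$1/1115" "$1/2222"
    echo httpd > "$1/1115/comm"
    printf '/usr/sbin/httpd\0-k\0start\0' > "$1/1115/cmdline"
    ln -sf /usr/sbin/httpd "$1/1115/exe"
    echo httpd > "$1/2222/comm"
    printf 'httpd\0' > "$1/2222/cmdline"
    ln -sf /usr/bin/perl "$1/2222/exe"
}

sample=$(mktemp -d)
make_sample_proc "$sample"
inspect_pid 1115 "$sample"
inspect_pid 2222 "$sample"
rm -rf "$sample"
```

A `name-mismatch` is a prompt to look closer, not a verdict: interpreted scripts legitimately show the script name in `comm` and the interpreter in `exe`.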
  #4
Old 07-03-2009, 12:12 AM
mugo
Intangible Asset Appraiser
 
Join Date: Mar 2009
Location: Austin Tx
Posts: 1,220
Your CPU is a little high, but .5% Mem isn't a lot.
If your server is busy, this could be normal...how many active connections do you have when the cpu is this high?

  #5
Old 07-03-2009, 05:58 AM
inspiron
Web Hosting Master
 
Join Date: Jun 2009
Posts: 2,020
Yes, your CPU load seems to be high. You can check active connections by using the following command:

Code:
netstat -an | grep :80 | sort

This command output will show only the active internet connections to your server at port 80 and sort the results.

__________________
Support Facility | Your 24/7 outsourcing partner!
Technical support | Server management

|| Technical Articles - BLOG >>

  #6
Old 07-03-2009, 06:06 AM
mugo
Intangible Asset Appraiser
 
Join Date: Mar 2009
Location: Austin Tx
Posts: 1,220
For all active, add
|grep ESTAB
onto that

  #7
Old 07-03-2009, 06:38 AM
whrss2
Newbie
 
Join Date: Jul 2009
Location: SLASH ROOT
Posts: 26
Apache(httpd) would run under the user you specify it to. This can be changed under the Apache configuration file "%apacheroot%/conf/httpd.conf"


You could use these commands to find out:

1. Which server IP address is getting these connections.

Code:
netstat -ntu | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n | tail -n 5
(ipv4)

Code:
netstat -alpn | grep :80 | awk '{print $4}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n
(ipv6)

2. This would tell you which IP addresses are currently connected/connecting to your web server.

Code:
netstat -alpn | grep :80 | awk '{print $5}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n

Hope this helps out...

  #8
Old 07-03-2009, 06:42 AM
mugo
Intangible Asset Appraiser
 
Join Date: Mar 2009
Location: Austin Tx
Posts: 1,220
That reminds me, I need to get my Sherman tank cleaned...goin' deer hunting tomorrow...

  #9
Old 07-03-2009, 12:28 PM
papiandy
Newbie
 
Join Date: Apr 2008
Posts: 19
Thanks everybody for your help

I got this result with the next commands:
Code:
# netstat -an |grep :80 |wc -l
1506

# netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c
13 CLOSE_WAIT
2 CLOSING
273 ESTABLISHED
18 FIN_WAIT1
4 FIN_WAIT2
177 LISTEN
38 SYN_RECV
1558 TIME_WAIT

With the command to see all IPs connected to my server (netstat -plan|grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n), I am only going to put the last 9 results, which are:


According to my WHM Apache stats I got this:
Current Time: Friday, 03-Jul-2009 11:26:08 CDT
Restart Time: Thursday, 02-Jul-2009 14:31:46 CDT
Parent Server Generation: 0
Server uptime: 20 hours 54 minutes 22 seconds
Total accesses: 1856619 - Total Traffic: 4.3 GB
CPU Usage: u7.16 s6.24 cu154.85 cs0 - .224% CPU load
24.7 requests/sec - 60.1 kB/second - 2493 B/request
14 requests currently being processed, 16 idle workers

_C___..C._WC___CC_CC.CCC_C.._.____WC............._..............
................................................................
................................................................
................................................................


So is all this information good?
Thanks
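
The netstat pipelines used in this thread, reworked as an added example (not code from any poster): `grep :80` also matches `:8080` and outbound connections to a remote port 80, so the functions below match the local port exactly and handle the IPv4-mapped IPv6 form. Function names and sample lines are constructed; the addresses come from the documentation ranges.

```sh
#!/bin/sh
# Added example, not from the thread. Reads `netstat -ant` style lines on
# stdin; the sample lines below are constructed.

# Count TCP states for sockets whose LOCAL port is exactly $1 (default 80).
states_for_port() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ {
            n = split($4, l, ":")                 # last piece is the port,
            if (l[n] == port) count[$6]++         # for IPv4 and IPv6 alike
        }
        END { for (s in count) print count[s], s }' | sort -k2
}

# Count established connections per remote address on that local port.
peers_for_port() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($4, l, ":"); if (l[n] != port) next
            peer = $5; sub(/:[0-9]+$/, "", peer)  # drop the remote port
            sub(/^::ffff:/, "", peer)             # IPv4-mapped IPv6 form
            count[peer]++
        }
        END { for (p in count) print count[p], p }' | sort -k1,1nr -k2
}

sample_netstat() {
    cat <<'EOF'
tcp   0  0 0.0.0.0:80            0.0.0.0:*                LISTEN
tcp   0  0 192.0.2.10:80         198.51.100.7:51234       ESTABLISHED
tcp   0  0 192.0.2.10:80         198.51.100.7:51235       ESTABLISHED
tcp   0  0 192.0.2.10:80         203.0.113.9:40111        TIME_WAIT
tcp   0  0 192.0.2.10:8080       203.0.113.9:40112        ESTABLISHED
tcp   0  0 192.0.2.10:39000      203.0.113.50:80          ESTABLISHED
tcp6  0  0 ::ffff:192.0.2.10:80  ::ffff:203.0.113.9:40113 ESTABLISHED
EOF
}

sample_netstat | states_for_port 80
sample_netstat | peers_for_port 80
```

On a live server the input would be `netstat -ant | states_for_port 80`.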

  #10
Old 07-03-2009, 01:16 PM
Winstyn
WHT Addict
 
Join Date: Sep 2003
Posts: 118
Seems pretty nominal overall. Maybe the CPU usage is due to disk I/O?

__________________
VPSHive / GigeNET Cloud
The fastest cloud control in the world.
█ Visit http://www.gigenetcloud.com/ or Email sales[at]gigenetcloud.com

  #11
Old 07-03-2009, 08:12 PM
ramnet
Virtually Flawless ;)
 
Join Date: Apr 2009
Location: United States
Posts: 2,607
Quote:
Originally Posted by bryan_tong View Post
Seems pretty nominal overall. Maybe the CPU usage is due to disk I/O?
That is very likely since the httpd process is responsible for access and error logging too - and it is not really efficient to have the system do a write on every read - (extfs used to have this issue before noatime and relatime, the httpd issue is similar but not quite as bad).

You might want to consider piping your access logging to another program that will buffer your logs a little so they aren't so disk-intensive.

__________________
RAM Host -- Budget Linux Hosting From The USA
█ Featuring Powerful cPanel LiteSpeed Shared Hosting
█ & Cheap Reliable Virtual Dedicated Servers
YourTrafficTalk - SEO and webmaster discussion forum where you can find ways to promote your site

  #12
Old 07-03-2009, 08:51 PM
papiandy
Newbie
 
Join Date: Apr 2008
Posts: 19
I think you're right ...
My error log is about 11Gb and it's getting bigger and bigger every second

My access log is 26Mb, so I think there is a lot of difference between error log and access log
The question is what can I do to fix this?

  #13
Old 07-03-2009, 09:36 PM
Winstyn
WHT Addict
 
Join Date: Sep 2003
Posts: 118
Well you can start by truncating the error log to at least 20mbs or less.

11gbs is a lot. The other thing to do would be to check what the error is. It might be something that is continually repeating due to a bad server configuration.

Try doing a tail -f on it and see how often it's spitting out errors.

This is most likely the reason for the cpu though if it's throwing 100 errors/sec.

  #14
Old 07-03-2009, 10:56 PM
ramnet
Virtually Flawless ;)
 
Join Date: Apr 2009
Location: United States
Posts: 2,607
Quote:
Originally Posted by bryan_tong View Post
Well you can start by truncating the error log to at least 20mbs or less.

11gbs is a lot. The other thing to do would be to check what the error is. It might be something that is continually repeating due to a bad server configuration.

Try doing a tail -f on it and see how often it's spitting out errors.

This is most likely the reason for the cpu though if it's throwing 100 errors/sec.
Agreed. Also check and make sure your site isn't generating lots of 404 not found errors - things like /favicon.ico are very bad at doing that.

Also, if you haven't got it already, you might consider setting up logrotate to automatically archive your old logs so you don't get massive logs like this (that may be beyond what you are able to do however)

__________________
RAM Host -- Budget Linux Hosting From The USA
█ Featuring Powerful cPanel LiteSpeed Shared Hosting
█ & Cheap Reliable Virtual Dedicated Servers
YourTrafficTalk - SEO and webmaster discussion forum where you can find ways to promote your site
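
One way to find the message that is filling the error log and how fast it is being written, as an added example (not from the thread): it assumes the Apache 2.2 `error_log` line layout shown in the comment, and the function names and sample lines are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the Apache 2.2 error_log layout:
#   [Fri Jul 03 11:26:08 2009] [error] [client 192.0.2.1] message
# Sample lines are constructed.

# Most repeated messages, with timestamp, client address and referer removed
# so the same error from different visitors collapses into one row.
top_errors() {
    sed -e 's/^\[[^]]*] //' -e 's/\[client [^]]*] //' -e 's/, referer: .*$//' |
    sort | uniq -c | sort -k1,1nr -k2 | head -n "${1:-10}" | sed 's/^ *//'
}

# Highest number of lines written in any single second.
peak_per_second() {
    awk '{ i = index($0, "]")
           if (substr($0, 1, 1) == "[" && i > 2) c[substr($0, 2, i - 2)]++ }
         END { for (t in c) if (c[t] > max) max = c[t]; print max + 0 }'
}

sample_error_log() {
    cat <<'EOF'
[Fri Jul 03 11:26:08 2009] [error] [client 198.51.100.7] File does not exist: /home/example/public_html/favicon.ico
[Fri Jul 03 11:26:08 2009] [error] [client 203.0.113.9] File does not exist: /home/example/public_html/favicon.ico, referer: http://example.com/
[Fri Jul 03 11:26:08 2009] [error] [client 203.0.113.9] File does not exist: /home/example/public_html/robots.txt
[Fri Jul 03 11:26:09 2009] [error] [client 198.51.100.7] File does not exist: /home/example/public_html/favicon.ico
[Fri Jul 03 11:26:09 2009] [notice] child pid 4242 exit signal Segmentation fault (11)
EOF
}

sample_error_log | top_errors 3
sample_error_log | peak_per_second
```

On a multi-gigabyte log, feed it a recent slice rather than the whole file, for example `tail -n 100000 error_log | top_errors`.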

  #15
Old 07-04-2009, 12:40 PM
whrss
Web Hosting Guru
 
Join Date: May 2009
Location: SLASH ROOT
Posts: 305
As you know 0-1024 are reserved logical ports. If you need to open a reserved port, you need to be the super user.

That is why you see the first http process running under 'root'. This process will not accept any tcp connections and is responsible only for opening port 80.

__________________
WebHostRepo a.k.a WHR; The ultimate Support Repository
We let our customers define 'QUALITY'
http://www.webhostrepo.com/
Follow us on twitter http://twitter.com/whrss
