HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General

#1
24th June 2012, 14:36
skoena
Senior Member
Join Date: Sep 2009
Location: Emmen, Netherlands
Posts: 421
Thanks: 77
Thanked 14 Times in 12 Posts
CPU usage

I have a huge cpu usage on PERL? What could be causing this?

Quote:
13799 www-data 20 0 4720 2408 980 R 99 0.1 3958:33 perl

#2
24th June 2012, 16:44
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,395
Thanks: 833
Thanked 5,490 Times in 4,322 Posts

It's a Perl script running in one of your websites.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3
26th June 2012, 12:51
skoena

Is there a way to find out which script is causing this?

#4
4th July 2012, 20:15
skoena

klogd -x is eating my CPU.
What can I do about it?

Quote:
32131 www-data 20 0 4720 2336 912 R 101 0.1 93:06.68 klogd -x

#5
5th July 2012, 09:28
till

Try to find the program file with the find command; I guess it must be somewhere in /var/www or /tmp (not in /usr or other system directories). This is most likely a hacked or trojan script that uses the name of a common Linux application (klogd) to hide itself. But the real klogd would never run as www-data, so this fake program must be somewhere in one of your sites or in the tmp folder.

#6
5th July 2012, 12:40
skoena

Till,
Tnx, when the CPU is high again I will try to FIND it (with "FIND KLOGD", right?).

Btw when I reboot the server the high usage and the klogd is stopped.

#7
5th July 2012, 17:40
till

Linux is case sensitive, so the find command as well as the name of the application have to be in lowercase. See:

man find

for all options of the find command.

#8
18th July 2012, 06:51
skoena

Tried to find klogd but
"find: `klogd': No such file or directory"

This issue is not always running, 1 per 2 weeks this issue is there.

#9
18th July 2012, 10:20
cfoe
ISPConfig Developer
Join Date: Oct 2011
Location: NRW, Germany
Posts: 233
Thanks: 27
Thanked 57 Times in 32 Posts

Quote:
Originally Posted by skoena
Tried to find klogd but
"find: `klogd': No such file or directory"

This issue is not always running, 1 per 2 weeks this issue is there.

If it is malware, then there is some kind of vulnerability that lets it get uploaded and started. When you restart, the process is not run on startup, but the vulnerability is still there. It might be exploited again when the "hacker" realizes it is not running anymore.
__________________
Christian Foellmann

OpenSource-Projects - GitHub-Projects - SVN-Mirrors on GitHub - Foe Services

#10
18th July 2012, 10:27
skoena

Tnx.
Any tips for locating the script that is causing this?
Because "find klogd" is not working.
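
Added example, not part of the original thread: the name that top shows is taken from the process's own argument list, so there may be no file called klogd for find to locate; on Linux, /proc/PID/exe and /proc/PID/cwd show what is really running and from where. The function name audit_uid_procs and the file name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example. For every process owned by UID, compare the name it shows in
# top/ps (first word of /proc/PID/cmdline, which the process can rewrite)
# with the binary the kernel reports as running (/proc/PID/exe).
# Output, one line per process: FLAG|PID|CLAIMED|EXE|CWD
# Usage: audit_uid_procs UID [PROC_ROOT]   (PROC_ROOT defaults to /proc)
audit_uid_procs() {
    uid=$1
    proc=${2:-/proc}
    for dir in "$proc"/[0-9]*; do
        [ -r "$dir/status" ] && [ -r "$dir/cmdline" ] || continue
        # The real UID is the first number on the "Uid:" line.
        puid=$(awk '/^Uid:/ { print $2; exit }' "$dir/status" 2>/dev/null) || continue
        [ "$puid" = "$uid" ] || continue
        pid=${dir##*/}
        # cmdline is NUL-separated: take the first field, then its first word.
        first=$(tr '\000' '\n' < "$dir/cmdline" | head -n 1)
        claimed=${first%% *}
        # exe and cwd are kernel-maintained symlinks; root can read them all.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe='?'
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
        real=${exe%' (deleted)'}
        flag=ok
        if [ "$exe" = '?' ]; then
            flag=UNREADABLE
        elif [ "${claimed##*/}" != "${real##*/}" ]; then
            flag=SUSPECT    # displayed name differs from the real binary
        fi
        # Also flag binaries under site or world-writable paths, or deleted ones.
        case $exe in
            /tmp/*|/var/tmp/*|/dev/shm/*|/var/www/*|*' (deleted)') flag=SUSPECT ;;
        esac
        printf '%s|%s|%s|%s|%s\n' "$flag" "$pid" "$claimed" "$exe" "$cwd"
    done
}

# Run as root, for example: sh audit.sh "$(id -u www-data)"
# (audit.sh is a placeholder file name.)
if [ $# -ge 1 ]; then audit_uid_procs "$@"; fi
```

Daemons that retitle their own workers will also show as SUSPECT, so treat the output as leads rather than verdicts. For a flagged PID, the CWD column and `ls -l /proc/PID/fd` usually point to the site directory the script was started from.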