CPU usage

Discussion in 'General' started by skoena, Jun 24, 2012.

  1. skoena

    skoena Member

    I have a huge cpu usage on PERL? What could be causing this?

     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It's a Perl script running in one of your websites.
     
  3. skoena

    skoena Member

    Is there a way to find out which script is causing this?
     
  4. skoena

    skoena Member

    klogd -x is eating my CPU.
    What can I do about it?

     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to find the program file with the find command, I guess it must be somewhere in /var/www or /tmp (not in /usr or other system directories). This is most likely a hacked or trojan script that uses the name of a common Linux application (klogd) to hide itself. But the real klogd would never run as www-data, so this fake program must be somewhere in one of your sites or in the tmp folder.
     
  6. skoena

    skoena Member

    Till,
    Tnx, when the CPU is high again I will try to FIND it. (with "FIND KLOGD" right?)

    Btw when I reboot the server the high usage and the klogd is stopped.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Linux is case sensitive, so the find command as well as the name of the application have to be in lowercase. See:

    man find

    for all options of the find command.
     
  8. skoena

    skoena Member

    Tried to find klogd but
    "find: `klogd': No such file or directory"

    This issue is not always running, 1 per 2 weeks this issue is there.
     
  9. cfoe

    cfoe ISPConfig Developer ISPConfig Developer

    If it is malware then there is some kind of vulnerability to let it get uploaded and started. When you restart, the process is not run on startup but the vulnerability is still there. It might be exploited again when the "hacker" realizes it is not running anymore.
     
  10. skoena

    skoena Member

    Tnx.
    Any tips for locating the script that is causing this?
    Because "find klogd" is not working.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have suexec enabled in all websites as recommended? When suexec is on, then the scripts of each website run under the user of the website so that you can locate the website which causes the issues by the username of the user that runs the script.
     
  12. skoena

    skoena Member

    I enabled suexec for all sites but still I get this:

     
  13. skoena

    skoena Member

    I'm still experiencing issues with KLOGD and high CPU usage.
    Does anybody have tips for me?
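
Added example, not part of the thread or of ISPConfig: a shell function for the check described in posts 5 and 11, which compares the name a process shows in ps/top with the executable the kernel recorded for it and reports the owning UID and working directory. The function name `find_masquerading` and the list of system directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example. find_masquerading is a hypothetical helper name.
# Usage (as root, so every /proc/PID/exe link is readable):
#   find_masquerading /proc klogd
#
# Prints one line for each process whose command line claims to be NAME
# while its executable is not NAME in a system directory.
find_masquerading() {
    proc_root=${1:-/proc}
    name=${2:-klogd}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        # cmdline is NUL-separated argv. A script can overwrite it (Perl: $0),
        # so this is the name ps and top show, not proof of what is running.
        argv0=$(tr '\000' '\n' < "$dir/cmdline" | head -n 1)
        argv0=${argv0%% *}            # "klogd -x" written as one string
        [ "${argv0##*/}" = "$name" ] || continue

        # exe is set by the kernel and points at the real binary or interpreter.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=
        case "$exe" in
            # Assumed locations of a genuine system daemon.
            "/sbin/$name"|"/usr/sbin/$name"|"/bin/$name"|"/usr/bin/$name") continue ;;
        esac

        # Real UID: with suexec this is the website's user.
        uid=$(awk '/^Uid:/ { print $2; exit }' "$dir/status" 2>/dev/null) || uid=
        # Working directory: usually where the script was started.
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=
        printf 'pid=%s uid=%s exe=%s cwd=%s\n' \
            "${dir##*/}" "${uid:-?}" "${exe:-?}" "${cwd:-?}"
    done
    return 0
}
```

The `find klogd` attempt in post 8 failed because find treats its first argument as a starting path; a name search is written `find /var/www /tmp -name 'klogd*'`. A renamed Perl process need not have any file called klogd on disk, which is why the function reads /proc instead.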
     
