
Memory Issues

Discussion in 'Plesk for Linux - 8.x and Older' started by omegauser, Feb 14, 2006.

  1. omegauser

    omegauser Guest

    0
     
    Hi, look at memory usage:
    top - 20:59:56 up 21 days, 8:31, 3 users, load average: 13.41, 14.01, 16.24
    Tasks: 170 total, 14 running, 150 sleeping, 4 stopped, 2 zombie
    Cpu(s): 99.3% us, 0.7% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, 0.0% si
    Mem: 509040k total, 490420k used, 18620k free, 34296k buffers
    Swap: 1044216k total, 21244k used, 1022972k free, 90856k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    4565 root 25 0 6156 1544 5452 R 10.3 0.3 445:58.31 autoresponder
    4637 root 25 0 10872 4268 5452 R 10.3 0.8 445:57.98 autoresponder
    4553 root 25 0 7016 1544 5452 R 9.6 0.3 445:58.35 autoresponder
    22622 qmaild 25 0 4552 1348 3216 R 8.3 0.3 3:43.17 qmail-smtpd
    21785 root 25 0 6116 1376 5452 R 6.9 0.3 4178:16 autoresponder
    19429 root 25 0 6120 1548 5452 R 6.9 0.3 2587:21 autoresponder
    7897 root 25 0 7164 1548 5452 R 6.9 0.3 1219:13 autoresponder
    28971 root 25 0 6764 1548 5452 R 6.9 0.3 616:58.87 autoresponder
    32767 root 25 0 10740 4264 5452 R 6.9 0.8 553:58.03 autoresponder
    4586 root 25 0 6812 1548 5452 R 6.9 0.3 445:58.11 autoresponder
    25563 qmaild 25 0 5020 1344 3216 R 6.9 0.3 1:20.37 qmail-smtpd
    26488 qmaild 25 0 4184 1352 3216 R 6.9 0.3 0:16.03 qmail-smtpd
    4559 root 25 0 7196 1556 5452 R 6.6 0.3 445:58.27 autoresponder
    26650 root 17 0 3144 972 1620 R 1.0 0.2 0:00.25 top
    26661 root 16 0 7144 2020 5640 S 0.7 0.4 0:00.02 sshd
    1 root 16 0 3084 460 1316 S 0.0 0.1 0:11.91 init
    2 root 34 19 0 0 0 S 0.0 0.0 0:00.07 ksoftirqd/0
    3 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 events/0
    4 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
    6 root 7 -10 0 0 0 S 0.0 0.0 0:00.01 khelper
    5 root 15 0 0 0 0 S 0.0 0.0 0:00.00 khubd
    7 root 15 0 0 0 0 S 0.0 0.0 0:06.40 pdflush
    8 root 15 0 0 0 0 S 0.0 0.0 0:00.15 pdflush
    10 root 12 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
    9 root 15 0 0 0 0 S 0.0 0.0 0:02.81 kswapd0
    113 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kseriod
    147 root 15 0 0 0 0 S 0.0 0.0 3:12.49 kjournald
    1024 root 15 0 0 0 0 S 0.0 0.0 0:00.00 kjournald
    1417 root 16 0 2820 588 1296 S 0.0 0.1 4:52.64 syslogd
    1421 root 16 0 2392 436 1244 S 0.0 0.1 0:00.00 klogd
    1447 rpc 16 0 2860 612 1372 S 0.0 0.1 0:00.00 portmap
    1466 rpcuser 18 0 1744 712 1380 S 0.0 0.1 0:00.00 rpc.statd
    1492 root 16 0 2476 572 1296 S 0.0 0.1 0:00.07 rpc.idmapd
    1579 root 15 0 2580 744 1368 S 0.0 0.1 0:00.04 smartd

    I want to know what that autoresponder command from root is! It is eating my memory, how do I stop it?
     
  2. gearhead

    gearhead Guest

    0
     
    If YOU don't know what the autoresponder command is, it sounds like someone has hacked in and is using your machine as an autoresponder? Running as root, so no virtual hosts are doing it?
     
  3. wagnerch

    wagnerch Guest

    0
     
    Memory is not your problem, your CPU is pegged 99.3% user. I would agree that this autoresponder process is very unusual and it is possible your server has been hacked.

    I doubt it is a genuine autoresponder of any kind.
     
  4. alexgd

    alexgd Guest

    0
     
    I have some problem like this

    In this case the process is apache.

    When I use top with option c (command line) and H (threads), the normal process appears:

    APACHE using command /usr/bin/httpd

    but another process appears:

    APACHE using command Inetd

    and the CPU usage is 98% when inetd is running apache.

    I kill all the processes using kill -9 PID.

    I am using a script, put in crontab, that checks every minute whether the process exists and kills it.

    BUT THE QUESTION IS:
    HOW CAN I KNOW WHICH USER INVOKED THE PROCESS?
    WHICH PROGRAM INVOKED THE PROCESS, SO I CAN DELETE IT?
     
  5. wagnerch

    wagnerch Guest

    0
     
    Again, your server is probably hacked. If you don't know how to fix it then I suggest reimaging your server, applying all of the patches, and then validating each domain's software before reloading them.

    Also consider installing ModSecurity, and verify what services need to be running (chkconfig --list).

    Pay close attention to your process list. If you are using Linux then looking at a forested view using "ps fuxwa" will show you which processes spawned which processes. If you find something claiming to be "httpd" and its parent process is "xinetd" then I would _highly_ suspect that xinetd's configuration (or the service itself) is compromised. Again, if you have a Red Hat derivative using RPM then you can validate the packages using rpm -V <package name> to see if any of the executables have been compromised.

    The biggest threats are from worms that attack vulnerable installations of AwStats, phpBB2, PHP XML-RPC (Many packages use PHP XML-RPC, including many popular CMSs like PostNuke), Mambo/Joomla, and phpCOIN.
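
Added example, not part of the original posts: the parent-process check described in the post above, scripted over a process listing, plus the ancestry chain of a given PID (the "which program invoked it" question asked earlier in the thread). The function names and the sample listing are hypothetical and constructed for illustration.

```shell
# Added example. Input: one "PID PPID USER COMM" line per process, as printed by
#   ps -e -o pid= -o ppid= -o user= -o comm=
# Constructed sample listing (not taken from the server in this thread).
sample_ps() {
cat <<'EOF'
1 0 root init
2101 1 root xinetd
2300 1 root httpd
2310 2300 apache httpd
2311 2300 apache httpd
2450 2101 apache httpd
2460 2450 apache httpd
3001 1 root sshd
EOF
}

# find_suspect_children NAME: print "PID USER PARENT_PID PARENT_COMM" for each
# process called NAME whose parent is neither PID 1 nor another NAME process.
find_suspect_children() {
    awk -v name="$1" '
        { ppid[$1] = $2; user[$1] = $3; comm[$1] = $4; order[NR] = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                p = order[i]
                if (comm[p] != name) continue
                parent = ppid[p]
                if (parent == 1 || comm[parent] == name) continue
                print p, user[p], parent, comm[parent]
            }
        }'
}

# chain_to_init PID: print the ancestry of PID as "comm(pid) <- comm(pid) ...".
chain_to_init() {
    awk -v start="$1" '
        { ppid[$1] = $2; comm[$1] = $4 }
        END {
            p = start; out = ""
            while (p in comm) {
                out = out (out == "" ? "" : " <- ") comm[p] "(" p ")"
                if (p == 1) break
                p = ppid[p]
            }
            print out
        }'
}

sample_ps | find_suspect_children httpd   # run on the constructed sample
```

On a live host, pipe the ps command from the first comment into the same functions. Only the top of a suspicious subtree is reported, so follow up on its children with chain_to_init.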
     
  6. wagnerch

    wagnerch Guest

    0
     
    Also take a look at this thread, if you are feeling brave then you could use The Coroner's Toolkit to dump process memory (pcat tool), and maybe lift some evidence from that.

    I have done that in the past, typically there is some evidence in the process's memory of "where" it came from (at least domain-wise).
     