Memory Issues

omegauser

Guest
Hi, look at memory usage:
top - 20:59:56 up 21 days, 8:31, 3 users, load average: 13.41, 14.01, 16.24
Tasks: 170 total, 14 running, 150 sleeping, 4 stopped, 2 zombie
Cpu(s): 99.3% us, 0.7% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 509040k total, 490420k used, 18620k free, 34296k buffers
Swap: 1044216k total, 21244k used, 1022972k free, 90856k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4565 root 25 0 6156 1544 5452 R 10.3 0.3 445:58.31 autoresponder
4637 root 25 0 10872 4268 5452 R 10.3 0.8 445:57.98 autoresponder
4553 root 25 0 7016 1544 5452 R 9.6 0.3 445:58.35 autoresponder
22622 qmaild 25 0 4552 1348 3216 R 8.3 0.3 3:43.17 qmail-smtpd
21785 root 25 0 6116 1376 5452 R 6.9 0.3 4178:16 autoresponder
19429 root 25 0 6120 1548 5452 R 6.9 0.3 2587:21 autoresponder
7897 root 25 0 7164 1548 5452 R 6.9 0.3 1219:13 autoresponder
28971 root 25 0 6764 1548 5452 R 6.9 0.3 616:58.87 autoresponder
32767 root 25 0 10740 4264 5452 R 6.9 0.8 553:58.03 autoresponder
4586 root 25 0 6812 1548 5452 R 6.9 0.3 445:58.11 autoresponder
25563 qmaild 25 0 5020 1344 3216 R 6.9 0.3 1:20.37 qmail-smtpd
26488 qmaild 25 0 4184 1352 3216 R 6.9 0.3 0:16.03 qmail-smtpd
4559 root 25 0 7196 1556 5452 R 6.6 0.3 445:58.27 autoresponder
26650 root 17 0 3144 972 1620 R 1.0 0.2 0:00.25 top
26661 root 16 0 7144 2020 5640 S 0.7 0.4 0:00.02 sshd
1 root 16 0 3084 460 1316 S 0.0 0.1 0:11.91 init
2 root 34 19 0 0 0 S 0.0 0.0 0:00.07 ksoftirqd/0
3 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 events/0
4 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
6 root 7 -10 0 0 0 S 0.0 0.0 0:00.01 khelper
5 root 15 0 0 0 0 S 0.0 0.0 0:00.00 khubd
7 root 15 0 0 0 0 S 0.0 0.0 0:06.40 pdflush
8 root 15 0 0 0 0 S 0.0 0.0 0:00.15 pdflush
10 root 12 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
9 root 15 0 0 0 0 S 0.0 0.0 0:02.81 kswapd0
113 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kseriod
147 root 15 0 0 0 0 S 0.0 0.0 3:12.49 kjournald
1024 root 15 0 0 0 0 S 0.0 0.0 0:00.00 kjournald
1417 root 16 0 2820 588 1296 S 0.0 0.1 4:52.64 syslogd
1421 root 16 0 2392 436 1244 S 0.0 0.1 0:00.00 klogd
1447 rpc 16 0 2860 612 1372 S 0.0 0.1 0:00.00 portmap
1466 rpcuser 18 0 1744 712 1380 S 0.0 0.1 0:00.00 rpc.statd
1492 root 16 0 2476 572 1296 S 0.0 0.1 0:00.07 rpc.idmapd
1579 root 15 0 2580 744 1368 S 0.0 0.1 0:00.04 smartd

I want to know what's that autoresponder command from root! It is eating my memory, how do I stop it?
 
If YOU don't know what the autoresponder command is, it sounds like someone has hacked in and is using your machine as an autoresponder? Running as root, so no virtual hosts are doing it?
 
Originally posted by omegauser
Hi, look at memory usage:
top - 20:59:56 up 21 days, 8:31, 3 users, load average: 13.41, 14.01, 16.24
Tasks: 170 total, 14 running, 150 sleeping, 4 stopped, 2 zombie
Cpu(s): 99.3% us, 0.7% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 509040k total, 490420k used, 18620k free, 34296k buffers
Swap: 1044216k total, 21244k used, 1022972k free, 90856k cached

I want to know what's that autoresponder command from root! It is eating my memory, how do I stop it?

Memory is not your problem, your CPU is pegged 99.3% user. I would agree that this autoresponder process is very unusual and it is possible your server has been hacked.

I doubt it is a genuine autoresponder of any kind.
 
I have some problem like this

In this case the process is apache.

When I use top with option c (command line) and H (threads), the normal process appears:

APACHE using command /usr/bin/httpd

but another process appears:

APACHE using command Inetd

and it is using 98% of CPU when inetd is running apache.

I kill all the processes using kill -9 PID.

I am using a script, put in crontab, that checks every minute if the process exists and kills it.

BUT THE QUESTION IS:
HOW CAN I KNOW WHICH USER INVOKED THE PROCESS?
WHICH PROGRAM INVOKED THE PROCESS, SO I CAN DELETE IT?
 
Again, your server is probably hacked. If you don't know how to fix it then I suggest reimaging your server, applying all of the patches, and then validating each domain's software before reloading them.

Also consider installing ModSecurity, and verify what services need to be running (chkconfig --list).

Pay close attention to your process list. If you are using Linux then looking at a forested view using "ps fuxwa" will show you which processes spawned which processes. If you find something claiming to be "httpd" and its parent process is "xinetd" then I would _highly_ suspect that xinetd's configuration (or the service itself) is compromised. Again, if you have a Red Hat derivative using RPM then you can validate the packages using rpm -V <package name> to see if any of the executables have been compromised.

The biggest threats are from worms that attack vulnerable installations of AwStats, phpBB2, PHP XML-RPC (Many packages use PHP XML-RPC, including many popular CMSs like PostNuke), Mambo/Joomla, and phpCOIN.
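
Added example (not part of the original posts): the parent check described in the reply above, scripted over "ps -eo pid,ppid,user,comm" output so that each odd "httpd" is reported with the user it runs as and the chain of programs that started it. The sample process table, the function name flag_odd_parents and the list of acceptable parents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list httpd processes whose parent is not init or httpd,
# with the full parent chain, from `ps -eo pid,ppid,user,comm` output.

# Constructed sample (not from the thread): PID 3307 is an "httpd"
# started by xinetd, the pattern the reply calls highly suspicious.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     init
 1802     1 root     xinetd
 2100     1 root     httpd
 2101  2100 apache   httpd
 3307  1802 apache   httpd'

# Assumption: on this host httpd is only ever started by init or by
# another httpd (the master process). Adjust name/ok for other services,
# for example add "systemd" to ok on hosts where PID 1 is systemd.
flag_odd_parents() {
  awk -v name="httpd" -v ok="init httpd" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
    NR > 1 && NF >= 4 {            # skip the header line
      ppid[$1] = $2; user[$1] = $3; comm[$1] = $4; order[++count] = $1
    }
    END {
      for (i = 1; i <= count; i++) {
        p = order[i]; par = ppid[p]
        if (comm[p] != name || !(par in comm) || (comm[par] in allowed)) continue
        chain = ""; sep = ""; q = p; depth = 0
        # Walk up the parent links; the depth cap guards against loops.
        while ((q in comm) && depth < 64) {
          chain = chain sep comm[q] "(" q "," user[q] ")"
          sep = " <- "; q = ppid[q]; depth++
        }
        print p ": " chain
      }
    }'
}

# Stand-alone run on the sample; on a live host use:
#   ps -eo pid,ppid,user,comm | flag_odd_parents
printf '%s\n' "$SAMPLE_PS" | flag_odd_parents
```

The command name shown by ps can be set by the process itself, so for any PID this reports, ls -l /proc/<PID>/exe shows the binary that is actually running, and rpm -V on the owning package checks whether that binary was modified.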
 
Also take a look at this thread. If you are feeling brave then you could use The Coroner's Toolkit to dump process memory (pcat tool), and maybe lift some evidence from that.

I have done that in the past; typically there is some evidence in the process's memory of "where" it came from (at least domain-wise).
 