LinuxQuestions.org
Old 07-25-2006, 03:07 PM   #1
gnetcon
LQ Newbie
 
Registered: Jul 2006
Posts: 14

Rep: Reputation: 0
crond and high CPU usage


I have a Fedora Core 2 server where crond is pegging out my CPU usage. Here's a shot from top:

PHP Code:
10713 root      25   0  3804 1056  576 R 79.5  0.1  12:38.16 crond
 4042 mysql     15   0 44392  27m 2576 S  6.7  2.7   2:48.29 mysqld
 4197 apache    15   0 20752 9460 5216 S  5.7  0.9   0:11.30 httpd
 5420 apache    15   0 20928 9568 5216 S  2.7  0.9   0:09.45 httpd
 9942 apache    15   0 20740 9456 5224 S  2.7  0.9   0:05.11 httpd
 4200 apache    16   0 20776 9488 5220 S  2.0  0.9   0:11.19 httpd
 4490 apache    16   0 20748 9788 5548 S  1.0  0.9   0:11.13 httpd
 5309 root      16   0  3876 1768 1264 R  0.3  0.2   0:00.83 sshd
11506 root      16   0  1988  936  752 R  0.3  0.1   0:00.81 top
    1 root      16   0  2260  576  484 S  0.0  0.1   0:00.92 init
    2 root      34  19     0    0    0 S  0.0  0.0   0:00.01 ksoftirqd/0
    3 root       5 -10     0    0    0 S  0.0  0.0   0:00.13 events/0
    4 root       8 -10     0    0    0 S  0.0  0.0   0:00.01 khelper
   16 root      15 -10     0    0    0 S  0.0  0.0   0:00.00 kacpid
   75 root       5 -10     0    0    0 S  0.0  0.0   0:00.31 kblockd/0
   83 root      15   0     0    0    0 S  0.0  0.0   0:00.00 khubd
  137 root      20   0     0    0    0 S  0.0  0.0   0:00.00 pdflush
  138 root      15   0     0    0    0 S  0.0  0.0   0:00.03 pdflush
  140 root      13 -10     0    0    0 S  0.0  0.0   0:00.00 aio/0
  139 root      25   0     0    0    0 S  0.0  0.0   0:00.00 kswapd0
  233 root      25   0     0    0    0 S  0.0  0.0   0:00.00 kseriod
  424 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 ata/0
  429 root      23   0     0    0    0 S  0.0  0.0   0:00.00 scsi_eh_0
  443 root      15   0     0    0    0 S  0.0  0.0   0:00.14 kjournald
 1513 root      19   0     0    0    0 S  0.0  0.0   0:00.00 kjournald
 1566 root       0 -20     0    0    0 S  0.0  0.0   0:00.01 loop0
 1567 root      15   0     0    0    0 S  0.0  0.0   0:00.00 kjournald
 2417 root      16   0  3356  604  500 S  0.0  0.1   0:00.03 syslogd
 2421 root      16   0  1524  496  416 S  0.0  0.0   0:00.00 klogd
 2483 root      16   0  2960  600  500 S  0.0  0.1   0:00.00 rpc.idmapd
 2562 nobody    16   0  5100 2064 1540 S  0.0  0.2   0:00.00 proftpd
 2580 root      21   0  3208  568  480 S  0.0  0.1   0:00.00 acpid
 3932 named     18   0 36952 3192 2192 S  0.0  0.3   0:00.13 named
 3987 root      16   0  3700 1264  924 S  0.0  0.1   0:00.00 sshd
 4000 root      15   0  3008  860  712 S  0.0  0.1   0:00.00 xinetd
 4013 root      20   0  5204 1168 1008 S  0.0  0.1   0:00.01 safe_mysqld
 4060 root      16   0  4636 1440 1140 S  0.0  0.1   0:00.00 antirelayd
 4078 mailnull  16   0  8628 1840 1540 S  0.0  0.2   0:00.00 exim
 4099 root      16   0 19488 7392 4528 S  0.0  0.7   0:00.10 httpd
 4119 root      35  19  1528  672  564 S  0.0  0.1   0:00.00 anacron
 4194 apache    16   0 20724 9436 5220 S  0.0  0.9   0:12.68 httpd
 4195 apache    16   0 20708 9412 5212 S  0.0  0.9   0:10.98 httpd
It's running like this continually. I'm worried it's a hacked version of crond. My system was compromised a few weeks ago, and someone tried a brute force attack last night. From what I can tell, they didn't get in, but I'm worried. I did get an email from my server saying they gained root access.

Any advice would be extremely helpful. I've checked the cron logs and I don't see anything out of the ordinary. Same with the messages log.

BTW: I'm very new to Linux.

TIA!
 
Old 07-25-2006, 03:43 PM   #2
closet geek
Member
 
Registered: Apr 2003
Location: England
Posts: 146

Rep: Reputation: 15
Can you please paste the output of:

lsof -p `ps aux | grep crond | grep -v grep | awk '{print $2'}`

and

tail -30 /var/log/cron

for us.

Thanks,

cg

Last edited by closet geek; 07-25-2006 at 03:45 PM.
 
Old 07-25-2006, 03:57 PM   #3
gnetcon
LQ Newbie
 
Registered: Jul 2006
Posts: 14

Original Poster
Rep: Reputation: 0
Here they are:

PHP Code:
# lsof -p `ps aux | grep crond | grep -v grep | awk '{print $2'}`
COMMAND   PID USER   FD   TYPE     DEVICE    SIZE     NODE NAME
crond   13346 root  cwd    DIR        8,3    4096  9322538 /var/spool
crond   13346 root  rtd    DIR        8,3    4096        2 /
crond   13346 root  txt    REG        8,3   27472 14238200 /usr/sbin/crond
crond   13346 root  mem    REG        8,3  106916 18006587 /lib/ld-2.3.3.so
crond   13346 root  mem    REG        8,3   21303 18006586 /lib/libsafe.so.2.0.16
crond   13346 root  mem    REG        8,3   60776 18007784 /lib/libselinux.so.1
crond   13346 root  mem    REG        8,3 1459344 18006608 /lib/tls/libc-2.3.3.so
crond   13346 root  mem    REG        8,3   16708 18006592 /lib/libdl-2.3.3.so
crond   13346 root  mem    REG        8,3   50944 18007752 /lib/libnss_files-2.3.3.so
crond   13346 root    0u   CHR        1,3          9282620 /dev/null
crond   13346 root    1u   CHR        1,3          9282620 /dev/null
crond   13346 root    2u   CHR        1,3          9282620 /dev/null
crond   13346 root    3u   REG        8,3       6  9322679 /var/run/crond.pid
crond   13346 root    4u  unix 0xf6b91800            40697 socket
crond   13346 root    5r   DIR        8,3    4096 14255041 /etc/cron.d
crond   13346 root    6r   REG        8,3 2215402 14255664 /etc/cron.d/inssh.tar.gz
and

PHP Code:
# tail -30 /var/log/cron
Jul 24 18:08:00 home crond[4878]: (tmp.8864) ORPHAN (no passwd entry)
Jul 24 18:08:00 home CROND[19563]: (root) CMD (/usr/local/prm/prm ->> /dev/null 2>&1)
Jul 24 18:08:00 home CROND[19565]: (root) CMD (/usr/local/ddos/ddos.sh >/dev/null 2>&1)
Jul 24 18:08:00 home CROND[19567]: (root) CMD (chown root:root /var/cache/mod_proxy/new/&& chmod 4755 /var/cache/mod_proxy/new/&& rm -rf /etc/cron.d/core && kill -USR1 19498)
Jul 24 18:08:00 home CROND[19569]: (root) CMD (ps -ef grep httpd grep -v grep >> /dev/null || /etc/rc.d/init.d/httpd start)
Jul 24 18:08:00 home CROND[19571]: (root) CMD (ps -ef grep mysql grep -v grep >> /dev/null || /etc/rc.d/init.d/mysql start)
Jul 24 18:08:00 home CROND[19573]: (apache) CMD (/var/tmp/.access.log/y2kupdate >/dev/null 2>&1)
Jul 25 09:44:54 home crontab[5365]: (root) BEGIN EDIT (root)
Jul 25 09:46:20 home crontab[5365]: (root) REPLACE (root)
Jul 25 09:46:20 home crontab[5365]: (root) END EDIT (root)
Jul 25 09:56:09 home crond[6812]: (CRON) STARTUP (fork ok)
Jul 25 10:43:06 home crond[12094]: (CRON) STARTUP (fork ok)
Jul 25 15:19:35 home crond[4108]: (CRON) STARTUP (fork ok)
Jul 25 15:19:35 home anacron[4119]: Anacron 2.3 started on 2006-07-25
Jul 25 15:19:36 home anacron[4119]: Will run job `cron.daily' in 65 min.
Jul 25 15:19:36 home anacron[4119]: Jobs will be executed sequentially
Jul 25 15:27:56 home crond[6068]: (CRON) STARTUP (fork ok)
Jul 25 15:42:06 home crond[9904]: (CRON) STARTUP (fork ok)
Jul 25 15:47:41 home crontab[10600]: (root) BEGIN EDIT (root)
Jul 25 15:47:53 home crontab[10600]: (root) REPLACE (root)
Jul 25 15:47:53 home crontab[10600]: (root) END EDIT (root)
Jul 25 15:48:05 home crond[10712]: (CRON) STARTUP (fork ok)
Jul 25 16:11:05 home crontab[13259]: (root) BEGIN EDIT (root)
Jul 25 16:11:18 home crontab[13259]: (root) REPLACE (root)
Jul 25 16:11:18 home crontab[13259]: (root) END EDIT (root)
Jul 25 16:11:29 home crond[13345]: (CRON) STARTUP (fork ok)
Jul 25 16:24:33 home anacron[4119]: Job `cron.daily' started
Jul 25 16:28:01 home anacron[16178]: Updated timestamp for job `cron.daily' to 2006-07-25
Jul 25 16:46:59 home anacron[4119]: Job `cron.daily' terminated (mailing output)
Jul 25 16:47:08 home anacron[4119]: Normal exit (1 jobs run)
Thanks!
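
Added example, not part of any poster's message: a small triage pass over a cron log in the `(user) EVENT (detail)` form that the later lines of the log above show. It flags the kinds of entries visible in that log (an ORPHAN crontab, a `chmod` that sets a setuid/setgid mode, commands under temp or dot-prefixed paths). The rule names, the regular expressions and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample in the "(user) EVENT (detail)" cron log format; the
# entries are modelled on the log posted above, not copied from a live system.
SAMPLE_LOG = """\
Jul 24 18:08:00 home crond[4878]: (tmp.8864) ORPHAN (no passwd entry)
Jul 24 18:08:00 home CROND[19569]: (root) CMD (/etc/rc.d/init.d/httpd status)
Jul 24 18:08:00 home CROND[19567]: (root) CMD (chown root:root /var/cache/x && chmod 4755 /var/cache/x)
Jul 24 18:08:00 home CROND[19573]: (apache) CMD (/var/tmp/.access.log/y2kupdate >/dev/null 2>&1)
Jul 25 15:27:56 home crond[6068]: (CRON) STARTUP (fork ok)
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s\w+\[\d+\]:\s"
                     r"\((?P<user>[^)]*)\)\s(?P<event>[A-Z ]+?)\s\((?P<detail>.*)\)\s*$")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")    # world-writable locations
HIDDEN = re.compile(r"/\.[^/\s.][^/\s]*")          # dot-prefixed path component
# chmod with a four-digit octal mode whose leading digit sets setuid and/or setgid
SETUID_CHMOD = re.compile(r"\bchmod\s+(?:-\S+\s+)*[2-7][0-7]{3}\b")


def triage(log_text):
    """Return (user, reason) pairs for cron log lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # lines that do not parse are skipped
        user, event, detail = m["user"], m["event"], m["detail"]
        if event == "ORPHAN":
            # A crontab exists for an account that has no passwd entry.
            findings.append((user, "orphan-crontab"))
        elif event == "CMD":
            if SETUID_CHMOD.search(detail):
                findings.append((user, "setuid-chmod"))
            # Only tokens that start with "/" are checked, so ">/dev/null" is ignored.
            paths = [t for t in detail.split() if t.startswith("/")]
            if any(p.startswith(TEMP_DIRS) for p in paths):
                findings.append((user, "temp-dir-path"))
            if any(HIDDEN.search(p) for p in paths):
                findings.append((user, "hidden-path"))
    return findings


if __name__ == "__main__":
    for user, reason in triage(SAMPLE_LOG):
        print(f"{user:10} {reason}")
```

A finding here is a prompt to inspect the crontab that produced the line, not a verdict; legitimate jobs can trip these heuristics.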
 
Old 07-25-2006, 05:42 PM   #4
closet geek
Member
 
Registered: Apr 2003
Location: England
Posts: 146

Rep: Reputation: 15
Hopefully that'll help someone spot something. My eyes however are tired, I'm off to bed.

cg
 
Old 07-25-2006, 06:21 PM   #5
Electro
LQ Guru
 
Registered: Jan 2002
Posts: 6,042

Rep: Reputation: Disabled
Try moving inssh.tar.gz to another directory instead of /etc/cron.d/.
 
Old 07-25-2006, 07:22 PM   #6
gnetcon
LQ Newbie
 
Registered: Jul 2006
Posts: 14

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Electro
Try moving inssh.tar.gz to another directory instead of /etc/cron.d/.
I moved it to /root and restarted crond and now it's working like a champ.

Thanks for the advice. I'm gonna keep my eye on this now.
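
Added example, not part of any poster's message: the lsof output in this thread shows crond holding `/etc/cron.d/inssh.tar.gz` open, and moving that file out of the directory ended the CPU load. The sketch below audits a cron drop-in directory for entries that do not look like crontab fragments. The size ceiling, the signature list and the function names are assumptions, and `demo()` runs against a constructed temporary directory rather than the real `/etc/cron.d`.

```python
import os
import stat
import tempfile

MAX_BYTES = 64 * 1024   # assumed ceiling for a hand-written crontab fragment
MAGIC = {b"\x1f\x8b": "gzip", b"BZh": "bzip2",
         b"PK\x03\x04": "zip", b"\x7fELF": "ELF"}


def audit_cron_dir(path="/etc/cron.d", owner_uid=0):
    """Map each entry that does not look like a crontab fragment to its reasons."""
    findings = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)                      # lstat: do not follow symlinks
        reasons = []
        if not stat.S_ISREG(st.st_mode):
            reasons.append("not a regular file")
        else:
            if st.st_uid != owner_uid:
                reasons.append("unexpected owner")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world writable")
            if st.st_size > MAX_BYTES:
                reasons.append("oversized")
            with open(full, "rb") as fh:
                head = fh.read(4096)             # the first block is enough for signatures
            kind = next((k for sig, k in MAGIC.items() if head.startswith(sig)), None)
            if kind:
                reasons.append(kind + " content")
            elif b"\x00" in head:
                reasons.append("binary content")
        if reasons:
            findings[name] = reasons
    return findings


def demo():
    """Audit a constructed directory: one normal fragment, one stray archive."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"0hourly": b"01 * * * * root run-parts /etc/cron.hourly\n",
                   "inssh.tar.gz": b"\x1f\x8b\x08" + b"\x00" * 70000}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(d, name), 0o644)
        return audit_cron_dir(d, owner_uid=os.geteuid())


if __name__ == "__main__":
    print(demo())
```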
 
  


All times are GMT -5. The time now is 04:44 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration