Old 02-18-2009, 04:04 PM   #1
centosfan
Member
 
Registered: Jun 2003
Location: Golem city
Distribution: Server - Debian Desktop - Linux Mint
Posts: 219

Rep: Reputation: 32
Unknown process in CPU/Memory/MySQL Usage of WHM


Every day I see a repeated process, netstat -nlp, and it takes kind of huge CPU usage (from 20 to 30 percent). I think it is some kind of hidden process, since it doesn't say which user is starting it, and I was not able to find a cron job. I sent a support question to WHM/cPanel support but it seems they don't know either; I mean, they gave me a command which should log when the commands appear, but it doesn't work when I run it.
Here is the command which they gave me:
PHP Code:
#!/bin/bash
# save me as /root/check-netstat or whatever
# and then setup a cron task that runs once per minute
# or however often you want. Don't forget to remove the
# task once you've tracked it down!

found_netstat=$(ps auxwwwwwww|grep "netstat "|grep -vE
"grep")
if [ ! -
"$found_netstat]; then
  
echo "`date +%Y%m%d%H%M: $found_netstat>> /root/netstat.log
fi 
And then I get the following error:
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
./check-netstat: line 4: unexpected EOF while looking for matching ``'
./check-netstat: line 7: syntax error: unexpected end of file
Also, I already set up cron to run that command, so please fix it.
Any idea how to find what is causing this and how to remove it? I am worried someone could control the server and I won't know it.
 
Old 02-18-2009, 05:03 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
What the script does is list processes, grep for the string "netstat", grep for string excluding regex "netstat" and log if the result is not empty. The first error means your 'grep' doesn't understand one switch and the second error is because the date command isn't closed properly. Unmodified, this script is utterly and completely bogus.

If you want a one-time view of things on your machine you could log into it using SSH, then run '( ps -axfwwwe 2>&1; netstat -anpe 2>&1; lsof -P -w -n 2>&1; last -30 2>&1; who 2>&1 ) | tee /dev/shm/.log', then post the output of /dev/shm/.log. If you want a continuous overview of processes you can replay later you could run something like 'atop'. But instead of installing anything at this point I'd suggest you first save your logs and auth records (including everything that's logrotated) elsewhere and look for any anomalies.

Last edited by unSpawn; 02-18-2009 at 05:12 PM.
 
Old 02-19-2009, 07:42 AM   #3
centosfan
Member
 
Registered: Jun 2003
Location: Golem city
Distribution: Server - Debian Desktop - Linux Mint
Posts: 219

Original Poster
Rep: Reputation: 32
I got a proper, working version of the code which I already posted, and now I see in the logs when netstat is initiated.
200902182050: root 28173 0.0 0.0 2152 652 ? D 20:50 0:00 netstat -nlp
200902182110: root 30738 0.0 0.0 2152 652 ? R 21:10 0:00 netstat -nlp
200902182140: root 1802 16.0 0.0 2156 644 ? R 21:40 0:00 netstat -nlp
200902182220: root 6891 14.0 0.0 2156 656 ? R 22:20 0:00 netstat -nlp
200902182310: root 12869 0.0 0.0 2156 648 ? R 23:10 0:00 netstat -nlp
200902190000: root 19212 0.0 0.0 2152 648 ? R 00:00 0:00 netstat -nlp
200902190150: root 452 0.0 0.0 2152 656 ? R 01:50 0:00 netstat -nlp
200902190210: root 2941 0.0 0.0 2156 620 ? R 02:10 0:00 netstat -nlp
200902190240: root 6400 0.0 0.0 2152 644 ? R 02:40 0:00 netstat -nlp
200902190330: root 12975 0.0 0.0 2156 648 ? R 03:30 0:00 netstat -nlp
200902190410: root 18394 0.0 0.0 2152 644 ? R 04:10 0:00 netstat -nlp
200902190420: root 19616 0.0 0.0 2152 648 ? R 04:20 0:00 netstat -nlp
200902190720: root 10137 0.0 0.0 2152 648 ? R 07:20 0:00 netstat -nlp
Could that be a leftover of munin, which I installed over WHM and later deleted? I remember on other software where I also installed munin it was left running after I uninstalled it.
 
Old 02-19-2009, 11:41 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Only way to find out for sure is to record process details that link the process to its parent like PPID.
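
One way to record the parent linkage suggested above, as an added example that is not part of the original thread: it takes a single `ps` snapshot and logs every process whose executable is `netstat` together with its full ancestry chain, so the spawning job is visible even when the direct parent is only a shell. The function names, the log path and the sample process table (including `/opt/example/monitor.sh`) are constructed for illustration.

```shell
#!/bin/bash
# Added example: log each running netstat with its chain of parent processes.
# LOG, netstat_chains, log_once and SAMPLE are illustrative names (assumptions).
LOG="${LOG:-/root/netstat-parents.log}"

# Reads "PID PPID ARGS..." lines on stdin (the format printed by
# `ps -e -o pid= -o ppid= -o args=`) and prints one line per process whose
# executable name is exactly "netstat": pid:cmd <- ppid:cmd <- ... <- 1:init
netstat_chains() {
  awk '
    function chain(p,   out, hops) {
      out = ""
      # hops caps the walk in case the snapshot contains a PID/PPID loop
      while ((p in cmd) && hops++ < 32) {
        out = out (out == "" ? "" : " <- ") p ":" cmd[p]
        p = par[p]
      }
      return out
    }
    {
      pid = $1; ppid = $2
      $1 = ""; $2 = ""; sub(/^ +/, "")      # what is left is the command line
      cmd[pid] = $0; par[pid] = ppid; order[++n] = pid
    }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]
        split(cmd[p], a, " "); exe = a[1]; sub(/.*\//, "", exe)
        # match on the executable, so "grep netstat" is never logged
        if (exe == "netstat") print chain(p)
      }
    }'
}

# Take one snapshot and append timestamped records to $LOG.
log_once() {
  ts=$(date +%Y%m%d%H%M%S)
  ps -e -o pid= -o ppid= -o args= | netstat_chains |
    while IFS= read -r line; do printf '%s: %s\n' "$ts" "$line"; done >> "$LOG"
}

# Constructed sample process table, usable for an offline dry run.
SAMPLE='    1     0 /sbin/init
 2210     1 crond
 6890  2210 /bin/sh -c /opt/example/monitor.sh
 6891  6890 netstat -nlp
 7000     1 grep netstat'

# Only touch the real process table and log when asked to.
if [ "${1:-}" = "--log" ]; then log_once; fi
```

Run it with `--log` from cron at the same interval as the original check; a dry run is `printf '%s\n' "$SAMPLE" | netstat_chains`.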
 
Old 02-19-2009, 07:43 PM   #5
centosfan
Member
 
Registered: Jun 2003
Location: Golem city
Distribution: Server - Debian Desktop - Linux Mint
Posts: 219

Original Poster
Rep: Reputation: 32
Problem was resolved; it was SIM that was causing it. I thought I uninstalled it but it seems it didn't uninstall completely.
 
  

