cpu usage 200%

On my Linode some processes are using 200% CPU. Even after kill, term and stop, they start again after a few minutes. These processes run under the apache user. Some of the process names: "sync_super", "./rsyslogd", "./mariadb", "./sysd -c logv.cf".
These processes have cwd -> /var/tmp, exe -> /var/tmp/sysd, exe->/tmp

Why is this, and what should I do?

1 Reply

If you don't recognize the processes that are using up your CPU resources, I would definitely suggest examining this Linode for signs of unauthorized access and scanning it for malware.

We have a guide here to using ClamAV, which includes instructions on how to boot your Linode into Rescue Mode prior to scanning. Booting into Rescue Mode is critical, as performing the scan under your normal boot configuration may miss malicious processes that are currently running, or they may simply respawn after being killed off (which appears to be the case here).

If your Linode has had network restrictions placed on it, our Support team can temporarily lift them in order to allow you to download and run ClamAV once you are booted into Rescue Mode. You can contact us by opening a Support ticket via the Linode Manager, or reaching out to us by phone.

You can use the following commands to begin examining your system logs for any signs of unauthorized access:

    last
    lastlog
    cat /var/log/auth.log # Debian-based systems e.g. Ubuntu
    cat /var/log/secure # RHEL-based systems e.g. CentOS
    history

You might wish to use grep to filter the logs above, e.g. to show only accepted logins via sshd:

    grep sshd /var/log/auth.log | grep Accepted

Finally, you might be interested in Cisofy's Lynis tool, which will perform a security audit on your system and provide recommendations on how to harden it. I've personally found this to be extremely useful:

https://cisofy.com/lynis/
https://cisofy.com/documentation/lynis/get-started/

We also have a guide here on how to secure your server, which should help prevent this from happening in the future. At minimum, I would recommend disabling password authentication and root login over SSH, setting up SSH key-pairs, and configuring fail2ban to mitigate brute-force login attempts.
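Added example (not from the original thread or Linode's guides): a small POSIX shell script that ties together the two checks in the reply above, a summary of accepted SSH logins from an auth.log-style file, and a listing of running processes whose executable resolves under /tmp, /var/tmp or /dev/shm, which is where the processes in the question live. The log lines and the fake /proc tree are constructed sample data; the function names are mine. Calling `procs_in_scratch_dirs` with no argument scans the real /proc on the host being examined.

```shell
#!/bin/sh
# Triage helpers for an unexplained CPU-hungry process (added example, not the original post's code).

# Summarise accepted SSH logins: "count user source-ip", most frequent first.
# $1: path to an auth.log / secure file.
accepted_logins() {
    grep 'sshd\[' "$1" | grep 'Accepted ' \
        | awk '{ for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); else if ($i == "from") ip = $(i+1) }; print u, ip }' \
        | sort | uniq -c | sort -rn
}

# List processes whose executable lives in a world-writable scratch directory.
# Prints "pid exe-path command-line" per hit.
# $1: proc root (default /proc); a different directory lets the check run on a constructed tree.
procs_in_scratch_dirs() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -L "$d/exe" ] || continue                  # kernel threads and unreadable pids have no exe link
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                printf '%s %s %s\n' "$(basename "$d")" "$exe" "$(tr '\000' ' ' < "$d/cmdline" 2>/dev/null)"
                ;;
        esac
    done
}

# Constructed auth.log sample (addresses from documentation ranges, not real hosts).
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.5 port 4241 ssh2
Mar  3 10:01:15 host sshd[1201]: Accepted password for root from 203.0.113.5 port 4242 ssh2
Mar  3 10:05:40 host sshd[1233]: Accepted publickey for deploy from 198.51.100.7 port 5020 ssh2: RSA SHA256:constructedfingerprint
Mar  3 11:20:02 host sshd[1300]: Accepted password for root from 203.0.113.5 port 4300 ssh2
Mar  3 11:21:00 host CRON[1310]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Constructed /proc lookalike: one process with exe in /var/tmp (as in the question), one legitimate daemon.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/4242" "$root/4243"
    ln -s /var/tmp/sysd "$root/4242/exe"
    printf './sysd\000-c\000logv.cf\000' > "$root/4242/cmdline"
    ln -s /usr/sbin/rsyslogd "$root/4243/exe"
    printf '/usr/sbin/rsyslogd\000-n\000' > "$root/4243/cmdline"
    echo "$root"
}

# Demo on the constructed data; on an affected host use the real log file and omit the proc argument.
accepted_logins "$SAMPLE_AUTH_LOG"
procs_in_scratch_dirs "$(make_sample_proc)"
```

A process that shows up in the second list, runs as the web server's user and respawns after being killed is the pattern described in the question; the first list tells you whether the way in was an accepted SSH login or something else (for a process owned by apache, a web application upload path is the more usual suspect), which decides where to look next before rebuilding the host.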
