hello i get high cpu load from httpd

here is the top



[root@servers ~]# top
top - 13:33:57 up 29 min, 2 users, load average: 5.07, 4.49, 3.58
Tasks: 73 total, 4 running, 69 sleeping, 0 stopped, 0 zombie
Cpu(s): 9.2% us, 4.1% sy, 0.0% ni, 86.7% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 1536000k total, 791996k used, 744004k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23562 apache 15 0 31928 19m 3772 S 5 1.3 0:00.15 httpd
24099 root 25 0 8852 5196 1552 R 1 0.3 0:00.04 cc1
23996 root 19 0 2824 1752 904 S 1 0.1 0:00.03 sh
3959 apache 15 0 24760 12m 4036 S 0 0.9 0:01.57 httpd
32181 apache 15 0 30788 18m 4040 S 0 1.3 0:02.04 httpd
1 root 15 0 1696 608 520 S 0 0.0 0:00.07 init
1449 mysql 6 -10 544m 66m 2636 S 0 4.4 0:02.10 mysqld
1452 mysql 6 -10 544m 66m 2636 S 0 4.4 0:03.31 mysqld
1664 mysql 5 -10 544m 66m 2636 S 0 4.4 0:02.69 mysqld
1674 mysql 5 -10 544m 66m 2636 S 0 4.4 0:02.54 mysqld
1693 mysql 5 -10 544m 66m 2636 S 0 4.4 0:03.23 mysqld
1697 mysql 5 -10 544m 66m 2636 S 0 4.4 0:01.87 mysqld
1718 mysql 5 -10 544m 66m 2636 S 0 4.4 0:04.48 mysqld
1787 named 23 0 67176 2908 1880 S 0 0.2 0:00.04 named
3844 apache 15 0 24796 12m 3856 S 0 0.9 0:02.12 httpd
3944 apache 15 0 24772 12m 3860 S 0 0.8 0:00.63 httpd
3948 apache 15 0 24788 12m 4016 S 0 0.9 0:00.69 httpd
5173 nobody 15 0 7008 608 268 S 0 0.0 0:00.00 directadmin
5283 nobody 15 0 7008 608 268 S 0 0.0 0:00.00 directadmin
7942 root 22 0 1648 696 536 S 0 0.0 0:00.00 make
7943 root 23 0 2172 988 856 S 0 0.1 0:00.00 sh
7952 root 23 0 2172 544 412 S 0 0.0 0:00.00 sh
7953 root 25 0 1652 696 552 S 0 0.0 0:00.00 make
7954 root 25 0 2176 988 856 S 0 0.1 0:00.00 sh
7959 root 25 0 2176 548 412 S 0 0.0 0:00.00 sh
7961 root 25 0 1780 836 568 S 0 0.1 0:00.00 make
7962 root 25 0 2168 992 860 S 0 0.1 0:00.00 sh
7968 root 17 0 1912 920 572 S 0 0.1 0:00.01 make
9480 apache 15 0 24792 12m 3860 S 0 0.9 0:00.77 httpd
9514 apache 15 0 24804 12m 3904 S 0 0.9 0:01.83 httpd
9516 apache 15 0 24792 12m 3848 S 0 0.8 0:00.59 httpd
9569 apache 15 0 25468 13m 4008 R 0 0.9 0:00.27 httpd
10187 nobody 16 0 7008 608 268 S 0 0.0 0:00.00 directadmin
14039 apache 15 0 24740 12m 3864 S 0 0.8 0:00.97 httpd
15825 apache 15 0 24788 12m 4072 S 0 0.9 0:07.79 httpd
16015 apache 15 0 24788 12m 3864 S 0 0.9 0:00.59 httpd
16019 apache 15 0 24776 12m 3848 S 0 0.8 0:00.79 httpd
16036 apache 15 0 24784 12m 4064 S 0 0.9 0:00.33 httpd
16038 apache 15 0 24732 12m 3972 S 0 0.9 0:00.57 httpd




apache 2.2.8
i have build with custom build everything (im running the new versions)

Can someone tell me what can cause this?

apache path that make the load its this /usr/sbin/httpd -k start -DSSL i thing its the https (perl)????

How can i dissable this.?

apache path that make the load its this /usr/sbin/httpd -k start -DSSL i thing its the https (perl)Apache v2.x uses '/usr/sbin/httpd -k start' or 'httpd -k start -DSSL' (apachectl calls this so no one would really notice a difference as it's automatically called from the init scripts).

Since you are using apache v2.x this is normal Apache process and has nothing to do with your high server load: Read this for more info about such process: http://httpd.apache.org/docs/2.2/programs/httpd.html

Seek professional help to secure and harden your server. I see few interesting processes running on your server such as: cci, sh, and make.

thanks for you reply..


Seek professional help to secure and harden your server. I see few interesting processes running on your server such as: cci, sh, and make.

this processes its there because i try to rebuild the apache from onother ssh.(i thing its normal when you build)

here is onother one shoot


top - 03:29:40 up 7 min, 1 user, load average: 4.09, 2.49, 1.10
Tasks: 75 total, 8 running, 67 sleeping, 0 stopped, 0 zombie
Cpu(s): 25.1% us, 7.3% sy, 0.0% ni, 67.6% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 1536000k total, 393180k used, 1142820k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7809 apache 25 0 25588 13m 4008 R 11 0.9 0:30.60 /usr/sbin/httpd -k start -DSSL
7953 apache 25 0 25488 13m 4016 R 10 0.9 0:09.49 /usr/sbin/httpd -k start -DSSL
7871 apache 15 0 24712 12m 3876 S 5 0.8 0:00.87 /usr/sbin/httpd -k start -DSSL
22279 apache 15 0 27332 15m 3940 R 3 1.0 0:00.17 /usr/sbin/httpd -k start -DSSL
7607 root 17 0 23624 11m 4300 S 1 0.8 0:00.29 /usr/sbin/httpd -k start -DSSL
22425 apache 15 0 23764 11m 3828 S 1 0.8 0:00.02 /usr/sbin/httpd -k start -DSSL
1 root 15 0 1696 604 520 S 0 0.0 0:00.18 init [3]
1611 nobody 18 0 7008 608 268 S 0 0.0 0:00.00 /usr/local/directadmin/directadmin d
1672 nobody 18 0 7008 608 268 S 0 0.0 0:00.00 /usr/local/directadmin/directadmin d
1868 nobody 18 0 7008 608 268 S 0 0.0 0:00.00 /usr/local/directadmin/directadmin d
3723 mysql 10 -5 140m 20m 2456 S 0 1.4 0:02.78 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/ser
4008 named 20 0 69204 2940 1884 S 0 0.2 0:00.03 named -u named
5497 nobody 18 0 7008 608 268 S 0 0.0 0:00.00 /usr/local/directadmin/directadmin d
5562 nobody 18 0 7008 608 268 S 0 0.0 0:00.00 /usr/local/directadmin/directadmin d
5582 root 16 0 7112 2264 1816 S 0 0.1 0:00.02 sshd: root@pts/0
5996 root 15 0 2352 1336 1056 S 0 0.1 0:00.01 -bash
7707 apache 15 0 24820 12m 4028 S 0 0.9 0:00.87 /usr/sbin/httpd -k start -DSSL
7714 apache 15 0 24712 12m 4052 S 0 0.9 0:02.21 /usr/sbin/httpd -k start -DSSL
7827 apache 15 0 24844 12m 3904 S 0 0.9 0:01.20 /usr/sbin/httpd -k start -DSSL
7939 apache 15 0 24848 12m 3980 R 0 0.9 0:01.43 /usr/sbin/httpd -k start -DSSL
13380 apache 15 0 24764 12m 3880 R 0 0.9 0:01.63 /usr/sbin/httpd -k start -DSSL
15432 apache 15 0 24716 12m 3856 S 0 0.8 0:00.43 /usr/sbin/httpd -k start -DSSL
17478 apache 16 0 23868 11m 3808 S 0 0.8 0:00.15 /usr/sbin/httpd -k start -DSSL
17479 apache 15 0 24112 11m 3752 S 0 0.8 0:00.59 /usr/sbin/httpd -k start -DSSL
17622 mysql 10 -5 140m 20m 2456 S 0 1.4 0:00.06 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/ser
17642 apache 15 0 24748 12m 3980 S 0 0.9 0:01.05 /usr/sbin/httpd -k start -DSSL
17646 mysql 10 -5 140m 20m 2456 S 0 1.4 0:00.07 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/ser
17690 mysql 10 -5 140m 20m 2456 S 0 1.4 0:00.40 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/ser
18200 mysql 11 -5 140m 20m 2456 S 0 1.4 0:00.02 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/ser
19534 rmxs 15 0 4800 1812 1020 S 0 0.1 0:00.04 proftpd: rmxs - 87.202.76.197: IDLE
22427 apache 15 0 24244 11m 3748 S 0 0.8 0:00.45 /usr/sbin/httpd -k start -DSSL
22504 apache 16 0 24020 11m 3708 S 0 0.8 0:00.11 /usr/sbin/httpd -k start -DSSL
22505 apache 15 0 24068 12m 4000 S 0 0.8 0:00.44 /usr/sbin/httpd -k start -DSSL
22510 apache 15 0 23988 11m 3736 S 0 0.8 0:00.54 /usr/sbin/httpd -k start -DSSL
24538 apache 15 0 23800 10m 3152 S 0 0.7 0:00.00 /usr/sbin/httpd -k start -DSSL
25610 apache 15 0 23764 11m 3328 R 0 0.7 0:00.00 /usr/sbin/httpd -k start -DSSL
26112 root 18 0 1952 1016 792 R 0 0.1 0:00.02 top
26154 apache 15 0 23624 10m 3088 S 0 0.7 0:00.00 /usr/sbin/httpd -k start -DSSL
26199 apache 15 0 23800 10m 3136 S 0 0.7 0:00.00 /usr/sbin/httpd -k start -DSSL

i have try everything and this /usr/sbin/httpd -k start -DSSL running and make high cpu load ..its always first on the list..

this is ssl (i dont use ssl) so how can i stop this?

i found this http://www.redoracle.com/index.php?option=com_exploit&task=view&type=webapps&exid=2973


Talking about a worm that run this proccess how can i check if is it or not?

4.09 and 5.07 are not high server loads for a reasonably provisioned server. This week we had some servers go over 400. At that point things begin to stop.

Why did you look at top? What were your symptoms?

Jeff

my server now its ok..
I check some new files for bad coding and finally i fount one.. ;)

now its ok


Why did you look at top?
and were i can look

After update I receive this error:

/sbin/service httpd start 2>&1

Tried build rewrite_confs

Got this


Done installing Apache+Mod_SSL.
Restoring certificate and key, and turning on httpd for DirectAdmins's check.
Restarting apache.
Stopping httpd: [FAILED]
Starting httpd: fopen: No such file or directory
httpd: could not open document config file /etc/httpd/conf/extra/httpd-phpaddmodules.conf
[FAILED]
Using 207.158.61.3 for your server IP
make[1]: Entering directory `/usr/local/directadmin/custombuild/apache_1.3.41/src'
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating self-signed Snake Oil certificate [DUMMY]
______________________________________________________________________

RESULT: Server Certification Files

o conf/ssl.key/server.key
The PEM-encoded RSA private key file which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!

o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).

WARNING: Do not use this for real-life/production systems

make[1]: Leaving directory `/usr/local/directadmin/custombuild/apache_1.3.41/src'
Restarting apache.
Stopping httpd: [FAILED]
Starting httpd: Syntax error on line 1 of /etc/httpd/conf/extra/httpd-phpmodules.conf:
Cannot load /usr/lib/apache/libphp5.so into server: /usr/lib/apache/libphp5.so: cannot open shared object file: No such file or directory
[FAILED]

The options file was not correct. I fixed it and ran ./build all d and everything seems fine now.