High CPU load on Centos with process sync_supers

malware centos

My centos server has high cpu load right now. Please see the Htop output below.enter image description here

sync_supers is very suspected but I don't know how to kill it. Any suggestions?


This "sync_supe" overloading CPU is an Apache (user "nobody") running a bitcoins mill, hard work and use of the resources. The system might have been compromised via 1.3 Apache and Linux kernel <2.6.25


Killing process will not get you far. I would rather recommend stop so you can inspect what is going on. By running

kill -TERM 17757

You will kill the process (notice PID column value for sync_supers may have changed since. Instead of killing immediately try doing

kill -STOP 17757

Then inspect procfs for this process ID

ls -al /proc/17757/

It will be informative to see cwd line; it says from which dir this process was started Examine also

cat /proc/17757/cmdline

To see how process was started

And also possibly interesting info in

ls -la /proc/17757/fd

Which will tell you if any files are opened by process.

If you want to interactively snoop on what process is doing, you can attach to it with system call tracer strace like this

strace -p 17757

However if process is stopped, you would not see much since it's stopped, so this may be something to consider before doing anything to the process.

Related

Will noatime on a tmpfs volume improve performance?
Why does my linux server resolve all domains (even non-existant ones)
ntpd keeps adding local servers while being told not to
How to identify failed drive/port on 3ware card
HP ProLiant MicroServer Gen 8 - Hard Drive Configuration?
Packer unable to pack aws image into VPC
Why is the Computers object a CN not an OU in Microsoft Active Directory?
grep ouput filepath with file modified date?
Environment variables using AWS CodeDeploy
Backup Monitoring Solution [closed]
Default policy for OUTPUT
How do I automatically approve important updates from WSUS?