What is this random cron job using a lot of CPU?
I see a process named
cron that is using 100% of my Linode's CPU resources, what is this?
cron is used to schedule tasks on UNIX based systems, such as Linux, and so it could be doing almost anything. To find out what jobs cron is performing, you can view the contents of the file
You may also be able to narrow down exactly which process cron is running by using the following command:
ps faux | grep -A 10 cron
-A 10 part sets how many lines will show up after finding the word cron in the output of
ps faux, so you may find that you need to increase the number if you're not seeing all of cron's child processes. I've included an example of the output below:
# ps faux | grep -A 10 cron root 450 0.0 0.2 27508 2768 ? Ss Oct09 0:00 /usr/sbin/cron -f root 10394 0.0 0.2 42244 2672 ? S 08:46 0:00 \_ /usr/sbin/CRON -f root 10395 0.0 0.0 4340 736 ? Ss 08:46 0:00 \_ /bin/sh -c yes >/dev/null root 10396 91.5 0.0 5812 720 ? R 08:46 0:08 \_ yes daemon 452 0.0 0.1 19028 1728 ? Ss Oct09 0:00 /usr/sbin/atd -f root 454 0.0 0.2 19860 2604 ? Ss Oct09 0:00 /lib/systemd/systemd-logind message+ 458 0.0 0.3 42124 3468 ? Ss Oct09 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation root 497 0.0 0.3 258676 3508 ? Ssl Oct09 0:00 /usr/sbin/rsyslogd -n root 499 0.0 0.1 4260 1680 ? Ss Oct09 0:00 /usr/sbin/acpid Debian-+ 743 0.0 0.3 51188 3264 ? Ss Oct09 0:00 /usr/sbin/exim4 -bd -q30m root 875 0.0 0.1 14420 1996 tty1 Ss+ Oct09 0:00 /sbin/agetty --noclear tty1 linux -- root 10398 0.0 0.2 12732 2164 ttyS0 S+ 08:46 0:00 \_ grep -A 10 cron
Once you know what process is running up the CPU, you can perform a full investigation. Since an unknown cron job can indicate a compromise, it's probably worth running a scan with an anti-malware tool like ClamAV, if only to rule it out as a possibility.
You can also find more information about troubleshooting high CPU usage issues in this post.
thx,i know the crond,but this cron is not run by /usr/sbin/cron .It's a program run by /root/.nullcache/a/cron* that i never see at linux os.
If you've done a thorough investigation like what was outlined in Tommy's post, then I would reiterate his comment about performing a vulnerability scan, like ClamAV. This scan will pull from a repository of known vulnerabilities, so if it's a known exploit, it'll help clean it up for you.
If you'd like other options beside ClamAV, other scanning software I'd recommend are: