What is this random cron job using a lot of CPU?

I see a process named cron that is using 100% of my Linode's CPU resources, what is this?

3 Replies

cron is used to schedule tasks on UNIX based systems, such as Linux, and so it could be doing almost anything. To find out what jobs cron is performing, you can view the contents of the file /etc/crontab:

cat /etc/crontab

You may also be able to narrow down exactly which process cron is running by using the following command:

ps faux | grep -A 10 cron

The -A 10 part sets how many lines will show up after finding the word cron in the output of ps faux, so you may find that you need to increase the number if you're not seeing all of cron's child processes. I've included an example of the output below:

# ps faux | grep -A 10 cron
root       450  0.0  0.2  27508  2768 ?        Ss   Oct09   0:00 /usr/sbin/cron -f
root     10394  0.0  0.2  42244  2672 ?        S    08:46   0:00  \_ /usr/sbin/CRON -f
root     10395  0.0  0.0   4340   736 ?        Ss   08:46   0:00      \_ /bin/sh -c    yes >/dev/null
root     10396 91.5  0.0   5812   720 ?        R    08:46   0:08          \_ yes
daemon     452  0.0  0.1  19028  1728 ?        Ss   Oct09   0:00 /usr/sbin/atd -f
root       454  0.0  0.2  19860  2604 ?        Ss   Oct09   0:00 /lib/systemd/systemd-logind
message+   458  0.0  0.3  42124  3468 ?        Ss   Oct09   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root       497  0.0  0.3 258676  3508 ?        Ssl  Oct09   0:00 /usr/sbin/rsyslogd -n
root       499  0.0  0.1   4260  1680 ?        Ss   Oct09   0:00 /usr/sbin/acpid
Debian-+   743  0.0  0.3  51188  3264 ?        Ss   Oct09   0:00 /usr/sbin/exim4 -bd -q30m
root       875  0.0  0.1  14420  1996 tty1     Ss+  Oct09   0:00 /sbin/agetty --noclear tty1 linux
--
root     10398  0.0  0.2  12732  2164 ttyS0    S+   08:46   0:00      \_ grep -A 10 cron

Once you know what process is running up the CPU, you can perform a full investigation. Since an unknown cron job can indicate a compromise, it's probably worth running a scan with an anti-malware tool like ClamAV, if only to rule it out as a possibility.

You can also find more information about troubleshooting high CPU usage issues in this post.

thx,i know the crond,but this cron is not run by /usr/sbin/cron .It's a program run by /root/.nullcache/a/cron* that i never see at linux os.

If you've done a thorough investigation like what was outlined in Tommy's post, then I would reiterate his comment about performing a vulnerability scan, like ClamAV. This scan will pull from a repository of known vulnerabilities, so if it's a known exploit, it'll help clean it up for you.

If you'd like other options beside ClamAV, other scanning software I'd recommend are:

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct