CPU usage 200%
In my Linode some processes are using 200% CPU. Even after kill, term and stop, they start again after a few minutes. These processes are running under the apache user. Some of these process names: "sync_super", "./rsyslogd", "./mariadb", "./sysd -c logv.cf".
These processes have cwd -> /var/tmp, exe -> /var/tmp/sysd, exe -> /tmp
Why is it? And what to do?
If you don't recognize the processes that are using up your CPU resources, I would definitely suggest examining this Linode for signs of unauthorized access and scanning it for malware.
We have a guide here to using ClamAV, which includes instructions on how to boot your Linode into Rescue Mode prior to scanning. Booting into Rescue Mode is critical, as performing the scan under your normal boot configuration may miss malicious processes that are currently running, or they may simply respawn after being killed off (which appears to be the case here).
If your Linode has had network restrictions placed on it, our Support team can temporarily lift them in order to allow you to download and run ClamAV once you are booted into Rescue Mode. You can contact us by opening a Support ticket via the Linode Manager, or reaching out to us by phone.
You can use the following commands to begin examining your system logs for any signs of unauthorized access:

    last
    lastlog
    cat /var/log/auth.log   # Debian-based systems e.g. Ubuntu
    cat /var/log/secure     # RHEL-based systems e.g. CentOS
    history

You might wish to use grep to filter the logs above, e.g. to show only accepted logins via SSH:

    grep sshd /var/log/auth.log | grep Accepted
Finally, you might be interested in Cisofy's Lynis tool, which will perform a security audit on your system and provide recommendations on how to harden it. I've personally found this to be extremely useful:
We also have a guide here on how to secure your server, which should help prevent this from happening in the future. At minimum, I would recommend disabling password authentication and root login over SSH, setting up SSH key-pairs, and configuring fail2ban to mitigate brute-force login attempts.