Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Certbot unable to locate virtual host Question Question
Why my website down? SSH cannot be accessed Question Question

Question

My CPU is at 100% and I don't know how to resolve this.

Posted February 5, 2020 2.3k views
Ubuntu 18.04

Hi all, I have a droplet used for hosting multiple web site and recently my CPU has reached 100% constantly these past few days and I have not touched the server for a while.

Installed are nginx, php, mysql, cron and docker.

I have used the top command and found there’s a process using a command called mh

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5208 82 20 0 855300 884 56 S 99.3 0.1 6:43.80 mh

I have tried rebooting the server, restarting cron, restarting docker, killing the process but it keeps coming back.

Has anyone got any idea whats happening or how to prevent this?

Appreciated

Add a comment
warrenlee
By:
warrenlee

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Certbot unable to locate virtual host Question Question
Why my website down? SSH cannot be accessed Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
3 answers
Shiroka February 5, 2020

Hi,

I can’t learn much from your description,but there is a sample for you that once happened on me.Your server may be attacked,like DoS or CC.I think you’d better protect your server by using floating ip and try CloudFlare to avoid being that.And,change the password and the login port.Dont use 22 as the port.

Have a nice day.

Shiroka

Reply Report
  • warrenlee February 5, 2020

    Hi Shiroka, yes the bandwidth looks unusally higher than before.
    I will give Cloudflare a try and see if that helps.
    Thanks for your time, I will post back with the results!

    Reply Report
bobbyiliev February 5, 2020

Hello,

I think that the mh command is this MisterHouse Perl script here:

https://github.com/hollie/misterhouse

What I could suggest is running ps and checking out the full command:

sudo ps -aux | grep "mh"

That way you would be able to see the full command that is running rather than just the mh output.

Then you could go from there and decide if this is something that you need or not.

If you don’t need this service, you could remove it from your system.

Feel free to share the output of the ps command here.

Regards,
Bobby

Reply Report
  • warrenlee February 5, 2020

    Thanks for the insight Bobby!
    Please find the ps output here.
    The service isn’t something I need and I don’t really know what it’s used for or where it came from in fact.

    root       280  0.0  0.0   4512     0 ?        S    Feb04   0:00 bpfilter_umh
82        8123 17.3  0.0 855376   888 ?        Ssl  15:04   0:23 ./mh
warren    8239  0.0  0.0  16140   940 pts/0    S+   15:06   0:00 grep --color=auto mh
    Reply Report
    • bobbyiliev February 5, 2020

      Hi @warrenlee,

      It looks like that a user with ID 82 is running the script.

      I could suggest a couple of things:

      • Find who the user with ID/username 82 is and possibly disable that user and delete the script. You can check the user details in the /etc/passwd file:
      sudo cat /etc/passwd
      • If you are unable to find that user, run a find for the mh script:
      sudo find / -name mh 2>/dev/null

      If you are not running the script it might be a malicious script using your CPU resources, though this is just an assumption.

      Let me know how it goes!
      Regards,
      Bobby

      Reply Report
      • warrenlee February 5, 2020

        Thanks for helping me on this again @bobbyiliev !

        so using sudo find / -name mh 2>/dev/null

        Gave me

        /usr/src/linux-headers-5.0.0-050000-generic/include/config/ip/vs/mh

        Which now I understand where it came from. It was when I wanted to upgrade the Kernel which supported the filesystem overlayfs for docker (at the time I was using Ubuntu 14) and looked on the net to find out how to upgrade.
        I found a way but I think it didn’t work but little did I know DigitalOcean had a convenient way to upgrade the Kernel.

        With this kernel removed and the mh process stopped the CPU has gone back down to under 2%

        Hopefully it will stay like this over the next few hours.

        Thanks again for your time @bobbyiliev

        Reply Report
geoffrygithinji5378 October 5, 2021

For cpu at 100% most of the times is caused by ddos attacks. A good starting point would be to check your apache or nginx logs if using apache or nginx. The install fail2ban and start banning ip addresses which are generating weird get or post requests.

First clear all your current logs and then start watching the logs to see whats generating fast logs and you can initially ban then using ufw then later use the log to generate a fail2ban regex which should block such cases in the future.

Reply Report

Related

Looking for something else?

Ask a new question Search for more help