My CPU is at 100% and I don't know how to resolve this.

Posted February 5, 2020 2.8k views
Ubuntu 18.04

Hi all, I have a droplet used for hosting multiple web site and recently my CPU has reached 100% constantly these past few days and I have not touched the server for a while.

Installed are nginx, php, mysql, cron and docker.

I have used the top command and found there’s a process using a command called mh

5208 82 20 0 855300 884 56 S 99.3 0.1 6:43.80 mh

I have tried rebooting the server, restarting cron, restarting docker, killing the process but it keeps coming back.

Has anyone got any idea whats happening or how to prevent this?


These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
3 answers


I can’t learn much from your description,but there is a sample for you that once happened on me.Your server may be attacked,like DoS or CC.I think you’d better protect your server by using floating ip and try CloudFlare to avoid being that.And,change the password and the login port.Dont use 22 as the port.

Have a nice day.


  • Hi Shiroka, yes the bandwidth looks unusally higher than before.
    I will give Cloudflare a try and see if that helps.
    Thanks for your time, I will post back with the results!


I think that the mh command is this MisterHouse Perl script here:

What I could suggest is running ps and checking out the full command:

sudo ps -aux | grep "mh"

That way you would be able to see the full command that is running rather than just the mh output.

Then you could go from there and decide if this is something that you need or not.

If you don’t need this service, you could remove it from your system.

Feel free to share the output of the ps command here.


  • Thanks for the insight Bobby!
    Please find the ps output here.
    The service isn’t something I need and I don’t really know what it’s used for or where it came from in fact.

    root       280  0.0  0.0   4512     0 ?        S    Feb04   0:00 bpfilter_umh
    82        8123 17.3  0.0 855376   888 ?        Ssl  15:04   0:23 ./mh
    warren    8239  0.0  0.0  16140   940 pts/0    S+   15:06   0:00 grep --color=auto mh
    • Hi @warrenlee,

      It looks like that a user with ID 82 is running the script.

      I could suggest a couple of things:

      • Find who the user with ID/username 82 is and possibly disable that user and delete the script. You can check the user details in the /etc/passwd file:
      sudo cat /etc/passwd
      • If you are unable to find that user, run a find for the mh script:
      sudo find / -name mh 2>/dev/null

      If you are not running the script it might be a malicious script using your CPU resources, though this is just an assumption.

      Let me know how it goes!

      • Thanks for helping me on this again @bobbyiliev !

        so using sudo find / -name mh 2>/dev/null

        Gave me


        Which now I understand where it came from. It was when I wanted to upgrade the Kernel which supported the filesystem overlayfs for docker (at the time I was using Ubuntu 14) and looked on the net to find out how to upgrade.
        I found a way but I think it didn’t work but little did I know DigitalOcean had a convenient way to upgrade the Kernel.

        With this kernel removed and the mh process stopped the CPU has gone back down to under 2%

        Hopefully it will stay like this over the next few hours.

        Thanks again for your time @bobbyiliev

For cpu at 100% most of the times is caused by ddos attacks. A good starting point would be to check your apache or nginx logs if using apache or nginx. The install fail2ban and start banning ip addresses which are generating weird get or post requests.

First clear all your current logs and then start watching the logs to see whats generating fast logs and you can initially ban then using ufw then later use the log to generate a fail2ban regex which should block such cases in the future.