My CPU is at 100% and I don't know how to resolve this.

Question

Hi all, I have a droplet used for hosting multiple web site and recently my CPU has reached 100% constantly these past few days and I have not touched the server for a while.

Installed are nginx, php, mysql, cron and docker.

I have used the top command and found there’s a process using a command called mh

PID	USER	PR	NI	VIRT	RES	SHR	S	%CPU	%MEM	TIME+	COMMAND
5208	82	20	0	855300	884	56	S	99.3	0.1	6:43.80	mh

I have tried rebooting the server, restarting cron, restarting docker, killing the process but it keeps coming back.

Has anyone got any idea whats happening or how to prevent this?

Appreciated

Answer 1

Shiroka February 5, 2020

Hi,

I can’t learn much from your description,but there is a sample for you that once happened on me.Your server may be attacked,like DoS or CC.I think you’d better protect your server by using floating ip and try CloudFlare to avoid being that.And,change the password and the login port.Dont use 22 as the port.

Have a nice day.

Shiroka

Reply Report

warrenlee February 5, 2020

Hi Shiroka, yes the bandwidth looks unusally higher than before.
I will give Cloudflare a try and see if that helps.
Thanks for your time, I will post back with the results!
Reply Report

Answer 2

warrenlee February 5, 2020

Hi Shiroka, yes the bandwidth looks unusally higher than before.
I will give Cloudflare a try and see if that helps.
Thanks for your time, I will post back with the results!
Reply Report

Answer 3

bobbyiliev February 5, 2020

Hello,

I think that the mh command is this MisterHouse Perl script here:

https://github.com/hollie/misterhouse

What I could suggest is running ps and checking out the full command:

sudo ps -aux | grep "mh"

That way you would be able to see the full command that is running rather than just the mh output.

Then you could go from there and decide if this is something that you need or not.

If you don’t need this service, you could remove it from your system.

Feel free to share the output of the ps command here.

Regards,
Bobby

Reply Report

warrenlee February 5, 2020
Thanks for the insight Bobby!
Please find the ps output here.
The service isn’t something I need and I don’t really know what it’s used for or where it came from in fact.

root 280 0.0 0.0 4512 0 ? S Feb04 0:00 bpfilter_umh 82 8123 17.3 0.0 855376 888 ? Ssl 15:04 0:23 ./mh warren 8239 0.0 0.0 16140 940 pts/0 S+ 15:06 0:00 grep --color=auto mh
Reply Report
- bobbyiliev February 5, 2020
  
  Hi @warrenlee,
  
  It looks like that a user with ID 82 is running the script.
  
  I could suggest a couple of things:
  
  Find who the user with ID/username 82 is and possibly disable that user and delete the script. You can check the user details in the /etc/passwd file:
  
  sudo cat /etc/passwd
  
  If you are unable to find that user, run a find for the mh script:
  
  sudo find / -name mh 2>/dev/null
  
  If you are not running the script it might be a malicious script using your CPU resources, though this is just an assumption.
  
  Let me know how it goes!
  Regards,
  Bobby
  
  Reply Report
  
  warrenlee February 5, 2020
  
  Thanks for helping me on this again @bobbyiliev !
  
  so using sudo find / -name mh 2>/dev/null
  
  Gave me
  
  /usr/src/linux-headers-5.0.0-050000-generic/include/config/ip/vs/mh
  
  Which now I understand where it came from. It was when I wanted to upgrade the Kernel which supported the filesystem overlayfs for docker (at the time I was using Ubuntu 14) and looked on the net to find out how to upgrade.
  I found a way but I think it didn’t work but little did I know DigitalOcean had a convenient way to upgrade the Kernel.
  
  With this kernel removed and the mh process stopped the CPU has gone back down to under 2%
  
  Hopefully it will stay like this over the next few hours.
  
  Thanks again for your time @bobbyiliev
  
  Reply Report
  
  bobbyiliev February 5, 2020
  
  Hi @warrenlee,
  
  No problem at all! I’m happy to hear that you’ve got to the bottom of the problem and solved it!
  
  Thank you for sharing the solution with the community.
  
  Regards,
  Bobby
  
  Reply Report

Answer 4

warrenlee February 5, 2020
Thanks for the insight Bobby!
Please find the ps output here.
The service isn’t something I need and I don’t really know what it’s used for or where it came from in fact.

root 280 0.0 0.0 4512 0 ? S Feb04 0:00 bpfilter_umh 82 8123 17.3 0.0 855376 888 ? Ssl 15:04 0:23 ./mh warren 8239 0.0 0.0 16140 940 pts/0 S+ 15:06 0:00 grep --color=auto mh
Reply Report
- bobbyiliev February 5, 2020
  
  Hi @warrenlee,
  
  It looks like that a user with ID 82 is running the script.
  
  I could suggest a couple of things:
  
  Find who the user with ID/username 82 is and possibly disable that user and delete the script. You can check the user details in the /etc/passwd file:
  
  sudo cat /etc/passwd
  
  If you are unable to find that user, run a find for the mh script:
  
  sudo find / -name mh 2>/dev/null
  
  If you are not running the script it might be a malicious script using your CPU resources, though this is just an assumption.
  
  Let me know how it goes!
  Regards,
  Bobby
  
  Reply Report
  
  warrenlee February 5, 2020
  
  Thanks for helping me on this again @bobbyiliev !
  
  so using sudo find / -name mh 2>/dev/null
  
  Gave me
  
  /usr/src/linux-headers-5.0.0-050000-generic/include/config/ip/vs/mh
  
  Which now I understand where it came from. It was when I wanted to upgrade the Kernel which supported the filesystem overlayfs for docker (at the time I was using Ubuntu 14) and looked on the net to find out how to upgrade.
  I found a way but I think it didn’t work but little did I know DigitalOcean had a convenient way to upgrade the Kernel.
  
  With this kernel removed and the mh process stopped the CPU has gone back down to under 2%
  
  Hopefully it will stay like this over the next few hours.
  
  Thanks again for your time @bobbyiliev
  
  Reply Report
  
  bobbyiliev February 5, 2020
  
  Hi @warrenlee,
  
  No problem at all! I’m happy to hear that you’ve got to the bottom of the problem and solved it!
  
  Thank you for sharing the solution with the community.
  
  Regards,
  Bobby
  
  Reply Report

Related

Question

My CPU is at 100% and I don't know how to resolve this.

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

My CPU is at 100% and I don't know how to resolve this.

Related

Leave a comment

Related

question

Certbot unable to locate virtual host

question

Why my website down? SSH cannot be accessed

question

Can't connect to VPN server

question

How can i create a VM with ubuntu desktop in digital ocean?

Looking for something else?